It is difficult to go a day without hearing about another cybersecurity incident or data breach. According to Cybersecurity Ventures, cybercrime costs are expected to reach $6 trillion worldwide by 2021. From international Fortune 500 enterprises to small businesses and not-for-profits, any organization with a digital presence is at risk.
Why Not-For-Profits Are At Risk
Not-for-profits (NFPs), in particular, have become prime targets for cybercriminals seeking to exploit the wealth of data NFPs collect. Since NFPs utilize the web for e-commerce activities – such as donations and event registrations – and collect massive amounts of benefactor data for promotions, newsletters and educational activities, they are at increased risk.
In addition to collecting large amounts of data, NFPs also typically have fewer resources with which to implement strategic cybersecurity practices. Many are familiar with the organization Save the Children, which was the victim of a massive scam costing nearly $1 million, but smaller NFPs are victims every day.
While enterprise-level organizations might seem to be the primary targets for cybercrime, smaller businesses, non-governmental organizations, and NFPs are targeted more frequently today than ever before. Unfortunately, according to the Nonprofit Technology Enterprise Network (NTEN)’s State of Nonprofit Cybersecurity 2018 Report, 68.2% of NFP respondents do not have documented policies and procedures for when they are attacked.
“Nonprofits have increasingly adopted technology to improve their effectiveness and to scale their services to extend their reach. Yet many nonprofit organizations have struggled to focus the same attention on their cybersecurity and data protection planning,” according to the Microsoft Philanthropies Nonprofit Guidelines for Cybersecurity and Privacy.
Top Ten Cybersecurity Best Practices For Not-For-Profit Organizations
NFPs can benefit from implementing many basic security protocols that are free or low-cost. Here are our top ten tips around cybersecurity best practices for NFPs.
- Assess and Prioritize Risks
“You don’t know what you don’t know,” says Mishaal Khan, Senior Cybersecurity Solutions Architect with Mindsight, a Chicago-based IT services provider. That is why it is key to perform vulnerability assessments to identify a baseline for your organization.
Security assessments help you discover the most critical gaps in your security posture, which in turn enables you to prioritize your security investments. Every organization has its own unique risk profile. By identifying individual security gaps and the most likely threats, your organization can create a cybersecurity roadmap that strategically mitigates risk.
- Identify Data Types
Not all data is created equal. A social security number is not equivalent to a first pet’s name, nor is an electronic health record the same as a phone number. From compliance requirements to dark web value, the different types of data you collect and store will likely require differentiated treatments.
The first step in protecting your data is identifying what data you have and categorizing it appropriately. For example, NFPs that collect personal health information (PHI) must understand how HIPAA affects their data security measures. In addition, PHI is incredibly valuable to hackers – in fact, patient records can sell for up to $1,000 on the dark web, while a social security number can be purchased for as little as $1 – and is thus more likely to be stolen.
One of the first steps in protecting data is identifying what data you have, where that data is stored, and what risks your organization accepts in collecting, storing or transferring that information. Only then can you appropriately prioritize threats and effectively mitigate risk.
- Security Awareness Training
Human error accounts for at least 90% of cybersecurity breaches, according to reports by IBM, Watson and Verizon. While there are malicious entities both inside and outside your organization, the unintended actions of users also put your organization at risk.
Raising awareness with your users around cybersecurity is, therefore, vital. Many organizations utilize security awareness training to mitigate this risk. Unfortunately, not all security awareness training is created equal. Even after a phishing training class, 75% of users still click on phishing emails. It is important to validate the veracity of a chosen security awareness training program and ensure data security becomes a part of your mission.
Human error will never be completely removed from the equation. NFPs must not only ensure users understand cybersecurity basics (like password hygiene and social engineering) but must also put security layers in place that limit how much damage a single mistaken or malicious action by a person can do to your organization.
- Focus On Foundations: Passwords, Email and Multifactor Authentication
Cybersecurity solutions can get mighty fancy, but NFPs can do a great deal to protect their organization by focusing on the basics. Seventy percent of cyberattacks use a combination of phishing and hacking, and 63% of confirmed data breaches involve bad password practices. By reducing risk in these areas, NFPs will attain the best ROI.
Encourage (or require) users to use a password manager and ensure you have email filtering in place. Many of these tools are free or are available at significant discounts to NFPs – use these resources to protect your organization. Cybersecurity professionals identified “too many users with excessive privileges” as the largest enabler of risk, according to the 2018 Insider Threat Report. Work with your technology teams to reduce the number of users holding privileges beyond what their role actually requires.
Multifactor Authentication (MFA) is one of the best ways to mitigate basic threats. This additional security layer requires users to present both something they know (a password) and something they have (a device or token) to gain access. MFA ensures that even if a cybercriminal obtains credentials, they cannot immediately infiltrate your network. While there is no single solution that completely protects your organization, focusing on these foundational security practices helps to reduce your overall risk.
- Document Security Protocols
By simply documenting your security protocols, you can reduce your risk and identify gaps in your cybersecurity practices. Every 14 seconds a new business falls victim to ransomware, and it takes an average of 279 days for a data breach to be identified. It is critical to respond quickly to a cyberattack so that you can reduce the impact on your organization, your employees and your donors.
- Design (AND TEST) a Disaster Recovery Program
Disaster recovery and cybersecurity are closely intertwined. Cybersecurity helps to deter criminals and eliminate as many threats as possible, but even with enterprise-level security in place, an organization will likely be attacked.
Disaster recovery programs ensure that when a security incident unfolds, your organization is prepared to respond and reduce the impact of the event. Design a disaster recovery program that ensures the recovery and restoration of your key data, and test that program regularly. Cyberattacks are not going away. Be prepared for when one comes your way.
- Backups Are Key
Backups of your critical data are integral to facing a cybersecurity threat. Ransomware attacks have increased 97% in the last two years, and smaller organizations, like clinics, villages, schools, and NFPs are now more likely than ever to be the victim of ransomware.
Ransomware is a common practice by cybercriminals whereby they encrypt your files and data and demand a ransom (typically in bitcoin) in exchange for a decryption key. Organizations that do not have backups either pay the ransom, lose the data or go out of business. However, by ensuring you have backups of your critical files and that those backups are secured off-site and off-network (so that an attacker who has reached your production systems cannot encrypt or delete the backups as well), you are no longer at the mercy of a cybercriminal. Protect yourself from this very real and pervasive threat with a strong backup strategy.
- Updates, Updates, Updates
Failure to apply critical security updates and patches was one of the leading causes of the spread of WannaCry ransomware and the Petya outbreak, according to Fortinet. In the case of WannaCry ransomware, which infected more than 300,000 devices across the globe in 2017, criminals used a vulnerability in a Windows server protocol.
What is distressing is that two months prior to the WannaCry spread, a Windows patch protecting against the very weakness criminals exploited had already been released. If organizations had bothered to apply the patch, they would not have been victims.
The lesson here? Network and device hygiene are integral elements of security today.
- Take Advantage of NFP Discounts and Free Tools
NFPs have an advantage that for-profit institutions and companies do not: A wide selection of free or reduced-cost cybersecurity tools that can help to manage risk. Microsoft and Google both offer security toolkits and discounts NFPs can utilize.
In addition, Idealware offers a free toolkit on information security that includes worksheets, exercises, case studies and links to additional resources. Bring in security experts to talk with your employees and minimize costs while mitigating risk.
- Use SaaS Solutions Wisely
Software-as-a-Service (SaaS) is incredibly valuable, but there are risks involved. SaaS solutions can often help you offload some risk. For example, storing contacts in a web-based email tool versus in an Excel spreadsheet on your network puts more of the security responsibility on the shoulders of the SaaS provider.
However, it is vital you have a complete inventory of the SaaS tools you use, and you also understand where their responsibility ends and yours begins. While SaaS providers may be responsible for protecting a physical data center or databases, your organization will likely need to properly configure the tools. SaaS solutions can help you save money and reduce risk, but only when used thoughtfully.
Join Us for a Cybersecurity Best Practices Seminar
To learn more about cybersecurity best practices for NFPs, join ORBA’s Not-For-Profit Group and Mindsight on February 19 for an in-person seminar, Is Your Not-For-Profit Organization at Risk of a Cybersecurity Attack? Mindsight Senior Security Solutions Architect Mishaal Khan will outline the most common threats to NFPs; provide live demonstrations of password hacking, phishing, phone call spoofing, and website defacement; and identify how cybersecurity frameworks and remediation techniques can help you protect your organization and its mission.
About The Author
Siobhan Climer, Technology Writer for Mindsight, a Chicago-based managed security services provider, sees the impact of these attacks daily while working with organizations victimized by cybercriminals. She writes about technology trends in education, healthcare and business. She writes extensively about cybersecurity, disaster recovery, cloud services, backups, data storage, network infrastructure and the contact center. When she’s not writing tech, she’s reading and writing fantasy, gardening, and exploring the world with her twin daughters.
© 2020