Equifax. Yahoo. Marriott. Large scale data breaches only affect large, well-known, for-profit organizations, right? Unfortunately, as The Utah Food Bank and Save the Children can attest, malicious actors can and will target nonprofits.
You may expect that nonprofit status would deter cybercriminals, but, like the “sticky bandits” of the Home Alone franchise, thieves are drawn to vulnerable targets – whether they’re children, Salvation Army kettles or a nonprofit’s unsecured information. If your nonprofit stores financial details, sensitive personal information or healthcare data, it could be targeted by cybercriminals looking for an easy score.
Assess the Risk
Concerned that your nonprofit may be targeted by cybercriminals? Ask if your nonprofit:
- Accesses or stores privileged information (financial or personal), or user credentials?
- Processes digital transactions?
- Provides services or uses systems that could be held ransom?
If the answer to any of the above questions is yes, it’s worth considering the ways in which cybercriminals may attempt to compromise your systems or access sensitive information.
Common Means of Cyberattack
The most common attack method involves a malicious link or web portal that captures log-in credentials or infiltrates a computer or network by disguising itself as something safe and familiar – for example, an attachment that appears to have been sent by a colleague, a website that’s nearly identical to a frequently used portal, or an important message seemingly from a trusted vendor. Often, the only way to discern the true nature of these Trojan Horse-like attacks is a small discrepancy. Maybe the email address or web URL is slightly off, for example, ending in .co instead of .com, or the messaging itself features atypical spelling mistakes.
Cybercriminals are becoming more sophisticated every day, and malicious intrusion attempts are increasingly convincing. Often, the out-of-place or idiosyncratic detail that identifies you’re interacting with a cybercriminal isn’t noticed until it’s too late, if at all.
Mitigate the Risks
How can you combat these bad actors? Vigilance and consistency are key. Anytime you’re asked for sensitive information, double check that it’s OK to release in this context, and ensure the person you’re speaking with is really who they say they are. Changing venues – moving from email to phone, for example - is one way to disrupt an attacker. They may be able to “spoof” an email to make it appear to be coming from a colleague – but lack the ability to make a phone call look like it’s coming from within your organization.
Keep your applications and software programs up-to-date. Publishers will regularly release updates to patch vulnerabilities as they are discovered.
If your system does get compromised, you won’t want to lose access to your most essential data. Keep a backup – whether online or off – and make sure it’s secured (offline, or on a different network).
Require that users accessing your network remotely use multi-factor authentication and passwords. While not foolproof, multi-factor authentication and password protection will provide additional layers of security that could slow the unauthorized access of protected data, or stop it entirely.
Understanding cybersecurity risks and limiting them are essential and inexpensive first steps on the potentially costly road to securing valuable digital assets. Fortunately, sources of public and private funding are available to help nonprofits strengthen their cybersecurity capabilities.
Funding Nonprofits for a More Cybersecure Future
Most notably, the Fiscal Year 2019 Homeland Security National Training Program National Domestic Preparedness Consortium has allocated up to $79,000,000 in funding for disaster prevention training benefitting public and state controlled institutions, as well as nonprofits with 501(c)(3) status, that deliver “core capabilities” in service of the National Preparedness Goal. The National Preparedness Goal touches on a broad range of areas addressed by nonprofits, including housing, environmental and social services. Under this program, your nonprofit may be eligible for assistance relating to the protection of digital assets from “damage, unauthorized use and exploitation.” For more on this grant, visit https://grants.gov/web/grants/search-grants.html and search for funding opportunity number (“FON”) DHS-19-NPD-005-00-03.
The Federal government is also allocating significant resources to fund technologies and initiatives that will better protect valuable digital information and essential systems in the future. Nonprofits in the field of R&D can explore several grants incentivizing the exploration of novel cybersecurity measures. One such grant offered by the National Energy Technology Laboratory, FON DE-FOA-0002065, seeks to fund advancements in cybersecurity solutions that apply specifically to the energy sector. Another, The National Science Foundation’s Secure and Trustworthy Cyberspace Frontiers grant, FON 19-572, seeks to fund “new ways to design, build and operate cyber systems, protect existing infrastructure and motivate and educate individuals about cybersecurity."
The Federal Trade Commission maintains an online information resource helping small businesses better understand and preempt the threats of the digital age. To access the FTC’s cybersecurity insights and recommendations, visit: https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity.
To connect with a representative of CyZen, our dedicated cybersecurity group that helps organizations of all sizes design, implement and test their information security capabilities, click here.