How to Keep Your Nonprofit’s Data and Systems Secure
Particularly in the wake of a data ransomware attack at Blackbaud, one of the world’s largest nonprofit software providers, many nonprofit organizations are wondering how to keep data and systems secure and prevent themselves from being a victim of cybersecurity incidents—whether on single-tenant systems (like an instance of Raiser’s Edge 7 or Dynamics GP hosted in your own environment) or on multi-tenant systems (like Office 365 or Salesforce).
In this article, we cover whether you can prevent your nonprofit from being the victim of a cybersecurity attack, some reasonable measures for protecting against threats, why more nonprofit organizations don’t prioritize cyber security, what should be included in a cybersecurity assessment, and how you can get support in your efforts to protect your organization.
Can I prevent my nonprofit from being the victim of a cybersecurity attack?
While there are many good strategies you should deploy (see below), unfortunately there is no solution that guarantees 100% protection.
The nature of most cybersecurity threat prevention available to nonprofits is that they respond to known methods of attack, rather than predictively preventing new methods. In other words, if your organization is one of the first to be hit by a new type of attack, exploiting a new or recently identified vulnerability, you may be compromised because your security systems and policies will not yet be adapted to thwart the incident.
Additionally, no amount of internal precautions on your part can protect your nonprofit against poor security practices at a hosted applications vendor—who could fail to secure portions of their datacenter, or fail to encrypt sensitive information like bank account numbers and personally identifiable information inside their systems.
Here is the good news: your organization can make itself significantly less vulnerable simply by implementing reasonable measures and making cybersecurity a budgetary and policy priority.
Some reasonable measures for protecting against threats, to make your nonprofit less vulnerable to cybersecurity incidents
There are many diverse opportunities for preventing cybersecurity incidents, and in an article of this length we can only briefly cover a selection of the best general recommendations to keep your data and systems secure. Your organization should conduct a cybersecurity assessment (see areas that should be included, below), which may require third party experts, to become fully informed of the necessary measures to protect your specific organization.
- Make sure there is nothing to be gained from an attacker accessing your data. This means doing your best to ensure your data is encrypted both in transit (as data flows between the user device and the server) and at rest (while the data is sitting in the server). This mitigates the chances that an attacker will be able to effectively make use of the data for any financial benefit. This tactic still needs to be paired with good strategies for data backup and recovery to help ensure that the data is recoverable if it is destroyed (deleted or corrupted) during the attack.
- Know what data is in your databases, and where it is located. Closely related to point #1 above: Databases often contain a mix of encrypted and unencrypted information. For example, there can be fields intended to store personally identifiable information (PII) about your donors or program participants, and those fields would be encrypted. But what if your users are storing PII in fields that are not encrypted, such as custom fields, notes fields, or even document attachments? It is important to have documented and consistent standard operating procedures for storing data, and to periodically audit or query your database (using pattern matching or other methods) to determine when data is not being stored where or how it should be.
- Ensure your systems are up to date. Many software security vulnerabilities are corrected with a security update within a reasonable period of time. Consequently, organizations that allow their systems to lag behind the available security updates run a greater risk of exposure.
- Take advantage of tools and information available from your software providers. Vendors are starting to build “security score” tools into their software, which allow your organization to see the security score for your current configuration of the product, and what steps you can take to get a higher score. Such tools are available in products like Salesforce and Office 365.
- Be knowledgeable about what protection your software offers. As an example: Office 365 has built-in anti-phishing protections that can be further enhanced using product advancements like Advanced Threat Protection (ATP) as well as administrator security policy adjustments. But many security experts would say the level of phishing protection provided by ATP is insufficient, and they would recommend applying an additional third-party solution such as Barracuda Sentinel for an added layer of protection.
- Mitigate the risk of deliberate data exposure (such as might be caused by a disgruntled employee). These incidents can be limited in part by proper implementation of security permissions and data access policies across systems (to ensure that a limited, identifiable number of staff have access to valuable data). Data loss (if any) from those incidents can be mitigated through sound data loss prevention policies and practices. Additionally, larger nonprofits should be able to take advantage of security systems that identify suspicious behavior from insiders and either automatically take preventative measures or raise an alert that allows a manual defense.
- Protect against accidental data exposure (such as biting on a phishing attack in your inbox, or leaving a non-passcode protected mobile device unattended). These can be limited by strict enforcement of policies for measures such as multi-factor authentication, password managers/vaults, passcodes for all devices that access organizational data, use of secure VPNs when traveling, and other measures. Still more attacks can be prevented by providing staff with cybersecurity awareness training, to help ensure they are thoughtful when clicking on links or attachments in email messages, or remind them to reboot all devices entirely twice a month. Many basic security practices are quite simple and can be encouraged organization-wide.
- Take advantage of security advice and cybersecurity assessment services offered by your technology service providers. Many of the nonprofit organizations Build works with, particularly in the small-to-midsize range, have managed services providers that provide security policy recommendations and cybersecurity assessment services. However, this advice frequently goes unimplemented, and the cybersecurity assessment that would facilitate the creation of a more comprehensive plan goes unperformed.
Why don’t more nonprofits prioritize cybersecurity?
In my experience, there are four primary reasons why nonprofits don’t prioritize cybersecurity:
- Leadership prioritizes convenience over safety. Studies have shown that a majority of security administrators admit to loosening cybersecurity policies at the request of senior executives, for the purpose of prioritizing convenience over safety. Examples of this include either loosening or removing multi-factor authentication (MFA) requirements due to staff complaints about the additional step needed to access a system, or leaders exempting themselves from security policies they feel are “for employees” such as password complexity or maintaining a different set of login credentials for each system accessed.
- The perceived value is not greater than the perceived cost. Many nonprofits do not invest appropriately in cybersecurity until after they have directly experienced the aftermath of a security incident—whether that be data being stolen from a donor database, the destruction or defacing of their website, losing the contents of a file server, or being the victim of a phishing attack (such as an accounting team member processing a large payment to an external third-company based on a fraudulent email that seemed to be sent from the CEO). Until this occurs, they do not understand the extreme damage that can be done to the organization’s brand, its operational effectiveness, or directly to its finances from such an attack.
- The organization lacks cybersecurity awareness. Information technology, like many other operational areas inside an organization, includes a diversity of knowledge areas, disciplines, and skillsets. It can certainly be the case that an organization lacks cybersecurity knowledge and experience that would provide the awareness necessary to introduce the idea of better cybersecurity, and make a value-based case for cybersecurity investments. In this case, it is important the organization be sufficiently self-aware of its lack of capacity in this area and identify third-parties that can provide the necessary assistance.
- “We don’t have anything that would make us a target.” Some nonprofit organizations take the approach that cybersecurity attacks are rare and something that happens to other organizations that have a greater public profile and/or have more financial resources. However, cybersecurity attacks are extremely common and in most cases are targeted at a vulnerability and not an organization—meaning that malicious bots are scanning internet-attached systems for vulnerabilities and then attacking those vulnerabilities without a human person making a specific evaluation of the value to be gained through a specific attack. Also, you may not be the direct intended victim—for example: your website visitors or email recipients, and their financial information, might be the intended victim of the attack.
What should be included in a cybersecurity assessment?
Any good cybersecurity assessment will provide a thorough view into your organization’s IT and cyber security landscape, and will seek to address any additional specific concerns your organization might have regarding backup, device management, endpoint management, data security, confidential communication, and any other concerns. The assessment would include:
- Device audit/inventory
- Network documentation
- Security awareness training and IT acceptable use policy
- Device security
- Network and boundary defense
- Identity and account management
- Data recovery capabilities
- Data protection
- Email and browser hygiene
- Website and hosted/cloud applications
Any cybersecurity assessment performed for your organization, to be truly effective, will require at least some initial discovery effort to make sure the assessment will meet your needs. Findings and recommendations resulting from this assessment would ideally include prioritized actions for execution and associated costs.
Where you can get support in advancing your cybersecurity
There are many ways your organization can get help for improving cybersecurity practices at your organization and keeping your data and systems secure, but we suggest you start with a no-obligation discussion with a trusted third-party advisor like Build Consulting. This can help you determine, at a high level, whether your organization could benefit from some additional outside support, what form that support might take, and how much it might cost.
For some organizations, it makes best sense to incorporate a cybersecurity assessment into an org-wide technology assessment and roadmap, to create a comprehensive plan for how your organization can make best use of technology to fund, grow, and support its mission and programs. This is also an area where Build can help!
Contact us to start the conversation on addressing your cybersecurity risks.