Nonprofit (or not-for-profit) organizations pay employees a fair wage but rely on donations, volunteer work and government support to fulfill their mission. In many cases, they have slim budgets and little funding for the cybersecurity solutions that many businesses take for granted.
Since nonprofits might not have the funding to implement the latest cybersecurity defensive technology, they can become a ripe target for threat actors looking to steal sensitive information or create a beachhead for future attacks. For nonprofit executives and volunteers, this problem may always exist, but there are a few ways to keep your defenses up and avoid elementary cyberattacks:
1. When trying to procure security solutions, ask if the vendor has nonprofit licensing for solutions or will support you pro bono to help offset the costs of traditional professional services or support. You may be surprised how many companies will agree to discounts or free work in exchange for using your nonprofit logo in marketing material or on their corporate website.
2. Adopt a cybersecurity posture of least privilege and limited access to sensitive data housed by the nonprofit entity itself. Nonprofits sometimes have a myriad of volunteers and staff who are transient in nature. These staff members should not have access to any business systems nor be given a nonprofit email address unless warranted. If someone does need access, only grant permissions and privileges for the subset of data and applications they need instead of taking the easy route of making them an administrator of a resource.
3. Since computers can potentially be an expensive investment for a nonprofit, consider using hardware and software that is free, more secure by design and has a longer life than typical commercial laptops. Chromebooks, Google Docs and operating systems like Ubuntu Linux LTS (Long Term Support) have a lower risk profile than Microsoft Windows and are potentially supported for a much longer period at a lower cost. While they may lack some features commonly required for a corporate environment, they are suitable for most local nonprofits and a harder target for a threat actor to compromise.
4. While most mature organizations have a data-retention policy and purge emails and files after an established period of time, most smaller businesses and nonprofits do not have the expertise or policies to manage data in this manner. If a threat actor does succeed in breaching your environment, they could potentially have access to years of sensitive information, including donor records and transactions. Based on your local laws, determine how long you need to keep sensitive information and periodically purge anything older. You can sanitize portions of these records to glean potential future donors, for example, but you can severely lower your risk by reducing the information a threat actor could steal.
5. Ransomware and malware target every business, person and entity with an internet presence. Nonprofits are no exception. The best protection from these threats is to remove all administrative rights from end users, ensure security patches are applied automatically by each individual application, such as Microsoft Office or Adobe, and never share or reuse credentials and passwords across assets and applications. These steps may sound simple, and they are simple. It takes a little IT discipline to deploy assets with only standard user accounts and to turn on auto-update for your installed applications (including the operating system). These steps alone will block the vast majority of ransomware and malware even if a user mistakenly clicks on a phishing link.
Nonprofit organizations provide a world of hope in these troubling times, and the value they provide to a community could last for generations. Unfortunately, like any other business, they are susceptible to a cyberattack. Nonprofits potentially have a higher risk surface due to the lack of funding, expertise and security discipline. With a few basic steps and a few properly placed questions to other businesses, nonprofits can improve their security postures to defend against some of the most basic and troubling attacks.
Given how the past year progressed, we all could use a little giving. Hopefully, these recommendations will help nonprofits succeed and not become the next victim of cowardly cyberattacks.
Source – Forbes.com