It may not be pleasant to think about, but even nonprofits fall victim to cybercrime.
According to numbers published in 2017, cybercrime incidents rose by 270 percent in just two years, and cybercriminals increasingly target smaller organizations and businesses. Why? Because they are less likely than large companies to have taken extensive security precautions.
That means nonprofits are at risk online too. If you direct or manage such an organization, you can't rely on goodwill or on flying under the radar. Here are five suggestions for making your organization, and the people who represent it, more secure against cybercrime.
1. Take Stock with an Honest Risk Assessment
You can't begin to secure your nonprofit until you have fully inventoried what you need to protect. It's possible you have only just begun the process of listing all the applications, data systems and devices your nonprofit uses to carry out its operations.
There are some very thorough digital inventory walkthroughs available online — and if this is your first time carrying out an online risk assessment, it’s probably a smart strategy to use one. Here’s a partial idea of the questions you’ll need to answer:
- What types of data does your organization collect and need to function?
- Where do you store this data?
- Who has access to this data, and when was that access (and the accounts and credentials behind it) last reviewed?
- What kinds of software applications do you use to interact with this data?
- Is the data you store and transmit subject to any regulations?
The answers to each of these questions will help you identify weak spots in your data management policies and help you communicate your needs clearly to any third-party cybersecurity professionals you may end up working with.
2. Split Your Local Networks
Your nonprofit almost certainly uses a local area network for all kinds of administrative, data handling and outreach purposes. Perhaps you rely on social media accounts or network-attached storage devices to perform basic functions. You're probably regularly emailing prospects and engaging in online networking.
Employees, volunteers and guests are likely generating lots of internet traffic on their devices, which makes it a good idea to separate your network into segments by type, priority and sensitivity of the traffic they carry. Your approach could vary, but here's the general idea:
- One network for guests
- One network for in-house personnel using web applications and internet telephony
- One network for “sensitive” information, including HR functions and accounting
By restricting what each tier of your network can reach (deny traffic between tiers by default and allow only the specific connections you need), you keep your most sensitive systems off the segment that carries the most untrusted traffic, and you limit how far an attacker who compromises a guest device or a staff laptop can move. Segmentation only helps if the tiers are actually enforced: give guests their own Wi-Fi network with its own password, and make sure the router or firewall between the segments, not just the wireless access point, blocks cross-tier traffic.
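The following added example (not code from the original article) models the three-tier layout above as a firewall ruleset and checks constructed traffic flows against it, with the "flat network" ruleset beside the segmented one so the difference is visible. The subnets (10.10/10.20/10.30), the accounting application port 8443 and the sample flows are all assumptions for illustration.

```python
"""Three-tier segmentation model: flat LAN versus default-deny segmented LAN.

Added example; subnets, ports and flows are hypothetical, not from any real site.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed subnets for the three tiers (hypothetical addressing).
ZONES = {
    "guest": ipaddress.ip_network("10.10.0.0/24"),
    "staff": ipaddress.ip_network("10.20.0.0/24"),
    "sensitive": ipaddress.ip_network("10.30.0.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its tier; anything outside the three subnets is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str               # zone name or "any"
    dst: str               # zone name or "any"
    port: Optional[int]    # destination port, None = any port
    action: str            # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, port: int) -> bool:
        return (self.src in ("any", src_zone)
                and self.dst in ("any", dst_zone)
                and self.port in (None, port))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; a flow matching nothing is denied.

    Stateful-firewall semantics: only the direction that opens the connection
    is evaluated, replies are implicitly allowed.
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in rules:
        if rule.matches(src_zone, dst_zone, port):
            return rule.action
    return "deny"


# Weak setting: one flat LAN, every device can reach every other device.
FLAT = [Rule("any", "any", None, "allow")]

# Corrected setting: each tier may reach the internet; guests reach nothing
# internal; staff reach the sensitive tier only on the accounting web app's
# port (assumed 8443); everything else falls through to the default deny.
SEGMENTED = [
    Rule("guest", "internet", None, "allow"),
    Rule("staff", "internet", None, "allow"),
    Rule("sensitive", "internet", None, "allow"),
    Rule("staff", "sensitive", 8443, "allow"),
]

# Constructed flows to check a ruleset against: (description, src, dst, port).
# 203.0.113.0/24 is a documentation range standing in for the internet.
FLOWS = [
    ("guest laptop -> HR file share (SMB)", "10.10.0.5", "10.30.0.10", 445),
    ("guest phone -> staff printer", "10.10.0.6", "10.20.0.50", 9100),
    ("staff PC -> accounting web app", "10.20.0.7", "10.30.0.10", 8443),
    ("staff PC -> HR file share (SMB)", "10.20.0.7", "10.30.0.10", 445),
    ("guest laptop -> public website", "10.10.0.5", "203.0.113.8", 443),
    ("HR workstation -> vendor update server", "10.30.0.20", "203.0.113.9", 443),
]


def audit(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate every constructed flow; returns {description: action}."""
    return {desc: evaluate(rules, s, d, p) for desc, s, d, p in FLOWS}


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"--- {name} ---")
        for desc, action in audit(rules).items():
            print(f"{action:5}  {desc}")
```

The same flow table is useful beyond this toy: write down the handful of cross-tier connections your organization genuinely needs, then verify the real firewall against that list after every change, rather than trusting that the VLANs alone keep traffic apart.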
3. Insist on Unique, Strong Passwords for Every Online Account
One reason cybercrime has become so pervasive is that many of us continue to choose convenience over adequate security. When it comes to creating passwords and logging into online accounts, two best practices should be at the focus of security training in your nonprofit:
- Unique passwords are essential, so that data thieves who steal one set of credentials can't use it to take over other accounts. Nobody can memorize dozens of unique passwords, so a password manager is the practical way to meet this rule.
- Enforce a strong password policy: length matters more than special-character rules. A strong password is a sentence or phrase of at least 12 characters (longer is better), built from something positive that you like to think about and can remember easily, for example "I love country music." Many sites accept spaces, so use them.
Now that you know what to do and what not to do, make sure every employee and volunteer in your nonprofit knows too.
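As an added example (not code from the article), here is the check a sign-up or password-change form could run to enforce the two rules above: a minimum length of 12 with spaces allowed, a block on common or breached passwords, and a reuse check that verifies the candidate against the user's other stored password hashes instead of comparing plaintexts. The breached-password list and the stored accounts are constructed stand-ins; a real deployment would use a full breach corpus and its own credential store.

```python
"""Password acceptance check: long passphrases, nothing common, no reuse.

Added example. COMMON and the accounts used below are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

MIN_LENGTH = 12
ITERATIONS = 100_000   # PBKDF2 work factor; tune upward for production

# Constructed stand-in for a breached/common-password list. Entries are stored
# lower-cased with spaces removed so "Password 1234" still matches.
COMMON = {"password1234", "letmein12345", "iloveyou2023", "qwertyuiop12", "welcome12345"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_password(candidate: str, other_accounts: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Return the list of policy failures for `candidate`; an empty list means accepted.

    `other_accounts` maps the user's other account names to their stored
    (salt, digest). Reuse is detected by verifying the candidate against each
    stored hash, so the check never needs the old passwords in the clear.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower().replace(" ", "") in COMMON:
        problems.append("appears in the common/breached password list")
    if len(set(candidate.lower())) < 5:
        problems.append("too few distinct characters")   # catches "aaaaaaaaaaaa"
    for account, (salt, digest) in other_accounts.items():
        if verify_password(candidate, salt, digest):
            problems.append(f"already used for the {account} account")
    return problems


if __name__ == "__main__":
    # Constructed account store: what the user already uses elsewhere.
    accounts = {
        "email": hash_password("correct horse battery staple"),
        "donor CRM": hash_password("I love country music."),
    }
    for pw in ("I love country music.", "Password 1234", "Oaks2024!",
               "Volunteers bake cookies on Fridays"):
        verdict = check_password(pw, accounts) or ["accepted"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

Note that the reuse check costs one PBKDF2 computation per other account, which is deliberate: the same work factor that slows an attacker's guessing also bounds how many accounts you can practically compare against, so keep the comparison to the handful of accounts the organization itself issues.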
4. Don’t Take Email Security for Granted
None of us can take email security for granted any longer. Email was designed long before modern privacy and security expectations: by default it authenticates neither the sender nor the content. Encrypting messages is worthwhile, but it is not a complete answer: the sender, recipient and subject line still travel in the clear, and an attacker who gets into either mailbox reads everything regardless.
That’s not to say your organization should stop using email. But let this serve as a wake-up call to exercise judgment when it comes to exchanging information and documents over email.
If your nonprofit uses email regularly, for donor outreach perhaps, you need to make good email security practices part of your training. No matter how many inbox filtering rules you write, suspicious-looking emails will still get through from time to time.
And if it looks suspicious, it probably is. Look out for conspicuous misspellings, especially in the sender's address, and be wary of any message claiming that one of your online accounts has been "locked" or inviting you to take a survey for a reward. The point of these emails is to get the target to click a link or open an attachment, which can install malware or hand the attacker your login details. Before clicking, hover over the link and check that the address it actually points to matches the text shown, and when in doubt, go to the service directly rather than through the email.
Make your employees and volunteers aware of phishing techniques like these so they don't get blindsided and end up putting your whole organization at risk.
5. Consider Cybersecurity Liability
Cybersecurity liability is a relatively new area of expertise for insurance companies but given how many types of threats exist across the digital landscape, it’s probably here to stay.
To be clear, the "security" delivered by cyber liability coverage isn't about preventing the loss of data; it's about insulating your organization against the financial fallout of an incident. Depending on the policy, it can cover monetary damages from lost data as well as costs incurred through ransom and extortion. Read the exclusions carefully before relying on it.
The price of having your data held for ransom can be high enough to ruin smaller businesses and nonprofits. Cybercriminals who lifted data from the Indiana-based nonprofit Little Red Door ordered the organization to pay $43,000 to ensure its safe return.
Cyber liability insurance is probably not your priority as a nonprofit manager. Instead, start with the basics listed in this article, then work on making cybersecurity an integral part of your organization’s culture. With the fundamentals covered, you can turn your attention to more advanced tools.
Kayla Matthews is a productivity and technology journalist with interests in big data, cybersecurity, IoT and other technologies. Aside from her tech blog, Productivity Bytes, you can read more of her work on CloudTweaks, Malwarebytes and IT Security Guru.