
6 ways to strengthen your nonprofit’s approach to cybersecurity

Joe Morley, Technical Evangelist

When thinking about the average victim of a data breach, the image of a large enterprise organization comes to mind. After all, many headlines focus on the massive monetary losses afflicting companies that are household names. However, cyber criminals do not limit their attacks to these entities. Verizon’s 2020 Data Breach Investigations Report noted that 250 respondents with fewer than 1,000 employees reported 407 incidents with 221 confirmed data disclosures.

Cyber criminals don’t solely target household names – they will attack any organization that is easy to exploit. For this reason, nonprofit organizations (NPOs) that don’t follow modern cyber security best practices are putting themselves at massive risk. And when you’re an NPO on a mission, you don’t have time to be set back by major threats and costly breaches.

To protect your data, your nonprofit can bulk up your cyber security programs by considering some best practices. Let’s take a closer look at 6 ways you can strengthen the security of your NPO.

6 ways to strengthen your nonprofit’s approach to cyber security

Continuously optimizing a cyber security strategy requires dedicated planning and an investment in expertise, which makes putting this initiative on the back-burner seem tempting. However, a mature approach to security is absolutely critical to nonprofits’ social and financial missions. By employing a few of these best practices, your NPO will be able to stay out of harm’s way and focus on the true task at hand: your mission. Let’s dive into a few tactics:

1. Engage in a risk assessment

All cyber security is based on risk. Most security professionals recognize that no matter how well they secure their IT ecosystem, malicious actors are waiting to find a weakness. Even organizations with the most resources find themselves constantly focusing on potential new risks and ways to mitigate them.

When considering the risks facing your nonprofit, you need to consider the types of data you store, collect, transmit, and process, as well as the devices, users, and applications that connect to your network. All of these areas provide vectors of risk, but gaining visibility over every aspect of your network is exceedingly difficult.

Most smaller organizations have a basic understanding of their cyber security risk but little visibility over exactly where the risks are. However, to prevent data breaches, they need to know all potential areas where a cyber criminal can find a vulnerability. Creating a focused risk assessment helps identify sensitive information, high-risk users, and potential weaknesses in the organization’s IT ecosystem.

2. Establish a third-party risk management process

As your IT supply chain continues to become more complex, malicious actors will find more vulnerabilities to exploit. According to IBM’s 2020 Cost of a Data Breach Report, third-party software weaknesses were the initial attack vector for 16 percent of malicious breaches in 2019, and another report from Verizon found that web applications were involved in 43 percent of all breaches in 2019.

Almost all organizations use third-party technology services providers. Some of the most ubiquitous third parties include:

  • Google Suite
  • Microsoft Office 365
  • GoToMeeting
  • Salesforce
  • Microsoft Azure
  • Google Cloud
  • Oracle Cloud

Nonprofits should engage in third-party risk assessments to evaluate the potential weaknesses in this ever-growing aspect of their IT ecosystem. When engaging in these assessments, some things to consider include:

  • Criticality: How critical is the vendor to the organization’s ability to conduct daily operations?
  • Data: Does the third-party vendor access, transmit, store, process, or collect sensitive data like personally identifiable information (PII) or financial information?
  • Access: Does the vendor have access to sensitive cloud resources or databases?

3. Provide employee cyber security user awareness training to reduce cyber risks

While your employees want to do everything they can to keep your company safe, malicious actors use a variety of methods to exploit their knowledge gaps and goodwill. To reinforce security, you need to make sure that your employees have the appropriate cyber security awareness training. Here are a few important areas to increase cyber security awareness in your organization:

Be careful when providing personal or business information

Organizations tend to share a lot of sensitive information without realizing it, and nonprofits are no exception. In fact, since the organizations, employees, and volunteers within an NPO seek to do good in the world, they may naturally be more likely to share information. Malicious actors often spend time doing reconnaissance about an organization before engaging in an attack. Unexpected emails or phone calls requesting personal or company information may be part of their background research.

As part of the cyber security awareness training, you should make sure to remind your employees to:

  • Never share nonpublic information in an email or over the phone without confirming the sender.
  • Always verify requests for money transfers independently.
  • Report any suspicious requests to the IT team immediately.

Use strong passwords

Another important cyber security awareness training lesson is password strength. Often, malicious actors use software that tries overused passwords, dictionary words, and predictable strings of letters and numbers. A good password policy will protect you against these brute force attacks, and could even protect your organization if an employee is involved in a data breach.

When establishing a password policy for your nonprofit, you should keep the following password best practices in mind:

  • Use a mixture of numbers, letters, and special characters in all passwords.
  • Avoid using dictionary words in your password – instead use abbreviations, a string of words, nonsense words, or a random string of numbers, letters, and special characters.
  • Length matters – use at least eight characters in your password but preferably many more.
  • Never reuse a password across different services.
  • Regularly reset your password.
  • Use two-factor authentication whenever possible.

Additionally, you may want to provide password management tools so that your employees can more easily remember these complex passwords.

4. Monitor for misconfigured cloud resources

As more nonprofits move their work to the cloud, they need to make sure that they appropriately configure all cloud resources. The Verizon Data Breach Investigations Report noted that the top error leading to data breaches was “misconfiguration,” mostly arising from system administrators who accidentally left cloud storage locations open to the public internet.

With more of your data moving to the cloud, traditional security may not protect sensitive information. Instead of storing data on a hard drive, your organization now relies on disparate servers to create storage locations. When the user setting up a public cloud deployment makes a mistake, it can leave your organization’s data at risk.

Some examples of misconfigurations include:

  • Incorrect access to storage buckets
  • Overly permissive security group policies
  • Undetected, unused, or leaking internet connectivity paths
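As an added example (not code from the original post), the following Python script shows how the first two misconfigurations in the list can be detected automatically. It assumes AWS-style inputs: a bucket policy in JSON and security-group ingress rules as port/CIDR pairs; the policy, rules, account ID and bucket name are constructed for illustration, and a real check would pull them from the cloud provider's API.

```python
import json
from ipaddress import ip_network

# Constructed sample inputs in AWS-style JSON (not taken from the page or any real
# account): a storage-bucket policy and a list of security-group ingress rules.
BUCKET_POLICY = json.loads("""{
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::donor-records/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::donor-records/*"}
  ]
}""")

SECURITY_GROUP = [
    {"port": 443, "cidr": "0.0.0.0/0"},     # public HTTPS: expected for a web front end
    {"port": 22, "cidr": "0.0.0.0/0"},      # SSH open to the whole internet
    {"port": 5432, "cidr": "10.0.0.0/16"},  # database reachable only from the private network
    {"port": 3389, "cidr": "::/0"},         # RDP open to the whole IPv6 internet
]

# Administration and database ports that should never be world-reachable.
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432}

def public_bucket_resources(policy):
    """Return resources that an Allow statement grants to anyone (wildcard principal)."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and anyone:
            findings.append(stmt["Resource"])
    return findings

def world_open_admin_ports(rules):
    """Return admin/database ports whose ingress rule covers every source address."""
    findings = []
    for rule in rules:
        # A /0 prefix (IPv4 0.0.0.0/0 or IPv6 ::/0) matches every source address.
        if ip_network(rule["cidr"]).prefixlen == 0 and rule["port"] in ADMIN_PORTS:
            findings.append(rule["port"])
    return findings

def scan(policy, rules):
    """Summarise both checks; an empty list in each field means no finding."""
    return {"public_buckets": public_bucket_resources(policy),
            "open_admin_ports": world_open_admin_ports(rules)}
```

On the constructed input the scan flags the wildcard-principal statement on the donor-records bucket and the world-open SSH and RDP rules, while the HTTPS rule and the VPC-only database rule pass.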

Many nonprofits may look to a managed security services provider (MSSP) to help them reduce risk by implementing security management systems that mitigate misconfiguration risks.

5. Conduct online business more securely

Many nonprofits now conduct business on the internet. From fundraising event registrations to accepting online donation payments, nonprofits collect, transmit, store, and process a wide array of sensitive information.

Nonprofits need to ensure that they use secure browser connections when engaging in online business activities. Some considerations for ensuring a secure browser connection include:

  • Making sure the site uses a Secure Sockets Layer (SSL) certificate
  • Establishing secure firewall policies
  • Using encryption

6. Stay up to date

Nonprofits need to stay updated both from a technical and regulatory perspective. Cyber security risk management is a continuous process because malicious actors are constantly evolving their methodologies. There are three essential perspectives to consider when assessing your nonprofit’s security: compliance, intelligence, and technology.

From a compliance standpoint, you need to be aware of new privacy laws, industry-specific security regulations, and updates to technology standards like National Institute of Standards and Technology (NIST) Special Publications. This will help you stay in the good graces of regulators while ensuring your organization meets minimum security requirements.

From a threat intelligence standpoint, you need to make sure you stay up to date on the latest data breaches, specifically which vulnerabilities have been exploited in the wild and which attack methods were used. For example, did a malicious actor use a certain kind of malware, social engineering methodology, or exploit a vulnerability in third-party software? Then, ensure your network is protected against the most common attack methods.

From a technology perspective, you need to make sure that you install security updates. Research has found that approximately a third of all software breaches can be attributed to organizations not patching their operating systems, software, or hardware in a timely manner. Ensure your IT team has dedicated processes in place to ensure your employees don’t skip any crucial updates.

Final thoughts

Nonprofits use technology to streamline business operations that help them achieve their social and civic goals. Unfortunately, despite their positive impact on society, they aren’t immune to attacks levied against them by cyber criminals.

At SoftwareOne, we believe that nonprofits are important to making the world a better place. That’s why we are committed to building affordable, accessible tools that empower nonprofits on their digital transformation journey. SoftwareOne’s ONEImpact service enables nonprofits to access enterprise-grade technology and services at low or no entry cost, giving them the resources they need to protect their organization and build more resilient IT infrastructures.


Transform your nonprofit to enable better security

OneImpact is designed to help nonprofits become more secure, helping them fully focus on achieving their missions.

