Top Cyber Security Concerns for Non Profits
Of course there could be a number of items on this list, and many that are important. These are the top cyber security concerns that I see for non profits right now (and any business of similar size). Attackers look for easy targets. Sure it is possible to compromise even the most hardened enterprise systems, but the amount of effort required goes up significantly as the defenses go up. So if attackers can spend less effort focusing on an organization they know is not focusing on cyber security, that is where they are going to go.
What are the issues?
Most large corporations I have worked with have checks and balances in place to prevent fraudulent transactions. However, I have known at least 3 that have fallen victim to fraud schemes even with those checks and balances.
Let’s take this scenario. The Executive Directory of a non-profit organization has a password that is fairly simple. Let’s say the name of the organization followed by the number 1. (Trust that is not uncommon). So let’s say the ED’s email account is accessed by an attacker. That attacker sends an email from the ED to the financial director that says he needs $5,000 transferred to a bank account. It’s for an urgent situation, and he will update the director later. The director initiates a transfer and the organization just lost $5,000.
This isn’t a situation where a phishing email is sent or there is anything amiss. For all intensive purposes this was a legitimate email from the ED, except it wasn’t. The way to solve this is a phone call to the ED to confirm this needs to happen. There needs to be some sort of 2nd confirmation before money is transferred outside the organization.
Email Correspondence with Donors
Let’s take a situation similar to the situation above, but instead of an email to the directory of finance, the attacker sends an email to prospective donors asking for them to send money. This can have costly financial and reputation impact to a non profit. Most often, the most important people in an organization push for relaxed security rules around passwords and other access. They are used to quick and easy access to systems and don’t want to be slowed down by changing passwords regularly or two factor authentication.
Most non-profits have some system to manage their donors. Many use an online system, and there are still quite a few that use in house software as well. Access to these systems should be heavily protected, but often there are lax controls. Usernames and passwords are shared, everyone is given admin rights, people who work on daily finances have access to all donor information, etc. If anyone one of these users is compromised for some reason, then the attacker can gain access to all of the donor information. This can include addresses and financial information, but also personal notes kept about various individuals too. Many times this information is high confidential.
Information about people served
Lastly, many non-profits are serving other people by providing services including counseling, medical treatment, and education among other services. Through these service large amounts of confidential and sometimes legally protected information is gathered and stored. Without proper processes and systems in place to protect this information, attackers can access it causing financial penalties, reputational damage, or even jail time.
How Does Cyber Security Apply to Me?
It’s time non-profits start realizing they are no different than any other business and cyber security is something that needs to be a priority. This includes policies, processes, technical controls and technology. Start with a conversation with the following questions:
- What information is important to our organization?
- What would happen if we lost it?
- What does it take to protect it?
These questions can start the conversations needed to figure out where to focus time and energy with cyber security. Often times, there is little more than someone who tinkers with computers in their spare time on staff. Many of these conversations can produce better results with outside consultants. They don’t have to cost an enormous amount of money, and there are many who are willing to work with non-profits on cost. Ultimately, you will get what you pay for. Find someone who knows what they are doing, shares a passion for what you do, and wants to help. Then figure out the money.
The most important thing is to start talking about cyber security now, and don’t wait until after something happens.