A common misconception among non-profit executives is to ask, “Why would anyone want to hack us?” Cybercriminals find non-profits easy targets precisely because they often invest less in employee training and IT security.
According to the Hackmageddon site, the non-profit sector accounted for 19.5% of cyber attacks in 2015 compared with other sectors. In October 2016, the site reported a jump to 42.9% for the non-profit sector. The firm NetDiligence published its annual cyber liability insurance report, the Cyber Claims Study 2016. It showed that 87% of cybercrime claims come from organizations with less than $2B in revenue, and that 10% of all insurance claims are made by non-profit organizations. The main causes include hacking, lost or stolen computers and devices, and malware and virus attacks.
One of the fastest growing types of cyber crime is ransomware, which targets small and medium-sized organizations with fewer resources. Ransomware is malware (malicious software) designed to take control of computer systems. The attacker kidnaps or encrypts the victim’s data and demands payment in exchange for a key that decrypts the data or makes it visible again. Typically, ransomware spreads through email attachments, infected software programs and compromised websites. In March 2016, The Ottawa Hospital confirmed four computers were hit with ransomware. The criminals encrypted all information and made all four computers inaccessible to hospital staff. According to the Cyber Threat Alliance, the ransomware campaign using a virus called Cryptowall 3 successfully collected $325 million US in ransom payments in 2015. When a non-profit experiences a security breach, the damage to its reputation must be contained as soon as possible.
There are five simple things your non-profit organization can do to protect against cyber threats.
1. Perform regular software and security updates
All software has bugs and vulnerabilities. The vendors who create software regularly release software and security updates for your operating systems, computer programs and apps. Some of the applications most often targeted by criminals are browsers, plug-ins, media players, Flash and Adobe Acrobat. Always keep automatic updates turned on for computers and mobile devices to minimize the risk of a breach, so that patches are applied to all devices as soon as they become available.
2. Use complex passwords
Passwords should be long and contain a mix of upper case, lower case and symbols. Each website, app or account should have a different password. According to Instant Checkmate, nearly three out of four people use the same password for more than one site, while more than three out of five smartphone users do not use a passcode to protect their device. One-third of people use the same password for every website, with weak passwords like ‘12345.’ Do not use the same password more than once, and use a password manager to help you remember all your passwords.
3. Encrypt information at rest and in transit
The Bring Your Own Device (BYOD) policy is popular with employees and organizations since it cuts costs. However, it introduces other risks. Data should be encrypted while at rest and in transit across the Internet. Both Mac and Windows computers include free programs to encrypt all information on a hard drive, so that others cannot read the contents if the device is lost or stolen. Set up a virtual private network to encrypt your Internet traffic when working remotely and from public Wi-Fi networks at airports, universities, conferences and coffee shops.
4. Train employees and use good judgment
Employees need to be careful about clicking on a link or opening an attachment, even if it looks like it came from someone they know. Get into the habit of reviewing email message headers to spot fake emails. Criminals use generic names like “First Generic Donor” to avoid the time it takes to send customized emails. In other cases, the sender may look authentic, with the same font, color and logo of a company you recognize. However, upon closer inspection you may notice, for example, www.uniteedway.org (the extra ‘e’ gives it away) instead of www.unitedway.org. Similarly, unitedway.accountupdates.com is fake: the domain that was actually registered is accountupdates.com, a website operated by criminals, and “unitedway” is only a subdomain they chose. When in doubt, do not click on any suspicious message and ask a technical professional.
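The two tricks described above (a misspelled domain, and a trusted name placed in front of a domain the criminals own) can both be caught by looking only at the part of the address that someone had to register. The following is an added example written for this article, not a tool the article or any vendor provides; the trusted-domain list is a constructed sample, and the `registrable_domain` helper takes the last two labels, which is a simplification that works for `.org` and `.com` but not for multi-part suffixes such as `.co.uk` (production code would consult the Public Suffix List).

```python
from urllib.parse import urlparse

# Constructed sample of domains this organization really uses.
TRUSTED_DOMAINS = {"unitedway.org"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that had to be registered.

    Simplification (assumption): last two labels. Correct for .org/.com,
    wrong for suffixes like .co.uk; use the Public Suffix List in practice.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Classify a link as 'trusted', 'impostor', 'lookalike' or 'unknown'.

    impostor : a trusted name appears as a subdomain of some other domain
               (unitedway.accountupdates.com).
    lookalike: the registered name is within one edit of a trusted name,
               or the same name under a different suffix (uniteedway.org).
    """
    if "://" not in url:
        url = "http://" + url          # urlparse needs a scheme to find the host
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown"

    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"

    labels = host.rstrip(".").split(".")
    subdomain_labels = labels[:-2]     # everything left of the registered part
    reg_name = reg.split(".")[0]

    for trusted in TRUSTED_DOMAINS:
        trusted_name = trusted.split(".")[0]
        if trusted_name in subdomain_labels:
            return "impostor"
        if edit_distance(reg_name, trusted_name) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the two from the article.
    for link in ("https://www.unitedway.org/donate",
                 "www.uniteedway.org",
                 "https://unitedway.accountupdates.com/login",
                 "https://example.com/"):
        print(f"{link:45s} -> {classify_link(link)}")
```

The check deliberately ignores everything to the left of the registered domain, because that part is entirely under the sender's control; this is the same habit the article recommends, reading an address from the right end rather than looking for a familiar name anywhere in it.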
5. Turn off computers
A computer that is turned off cannot be hacked. Turning off a computer when it is not being used, at home and at work, reduces external threats. For mobile and tablet devices, employees should turn off services and connections like NFC, Bluetooth and Wi-Fi. Criminals exploit exposed services and other security vulnerabilities to hack a device, spread malware and steal data. A good rule is to turn on services only when needed.
Technology is a means to an end for non-profit organizations. It gives them an effective and efficient way to communicate with employees, clients, donors and other stakeholders. However, with the growth of security breaches against small, medium and large non-profit, government and private organizations, decision makers and employees need to remain vigilant in a unified manner, backed by robust security plans. Employees need better training and access to technical professionals for questions. Non-profit organizations need trusted partners who can provide thoughtful guidance when making technology decisions, to minimize risk for their employees in the short and long term.