Cyber Security 101: Basics for Nonprofits
How long do you think it would take a bot to crack your password? If it’s long and complex enough, it could take a lifetime!
Strong cyber security practices, like secure password requirements, are essential to your nonprofit. Information security procedures protect you, your employees, your constituents, and your data. However, it can feel overwhelming when you don’t know where to start. Let’s explore cyber security basics for nonprofit organizations to help your organization identify ways to become more secure.
Understanding the Threat Landscape for Your Organization
You don’t have to look far to read about a cyber attack. Organizations large and small can and have fallen victim to bad actors with bad intentions. Nonprofits and private K–12 schools are particularly appealing to threat actors because of the populations they serve, the type of data they collect, and their lack of financial resources to invest in protections.
According to research by NTEN, the Nonprofit Technology Network, 80% of nonprofits don’t have a policy to address cyberattacks. A good place to start building a policy (if you don’t already have one) is to assess your organization’s risk with our checklist.
To reduce your organization’s risk for a cyber attack, it’s important to understand the threat landscape and identify areas of potential risks from cyber security threats affecting users, organizations, and specific industries. Let’s look at a few potential threats that your team may encounter.
Many social engineering terms have funny names, but there is nothing funny about them. These techniques are used by threat actors to influence unsuspecting individuals into acting or sharing information that can be leveraged for a cyberattack. Make sure your organization’s users are aware of the various types of behaviors to look out for:
- Phishing is using email for malicious intent. Phishers often include malicious links, request credentials, or include attachments with malware embedded.
- Vishing is using phone calls or voicemail for malicious intent. These are often prerecorded messages/robocalls and can even make the caller ID look like a legitimate business.
- Smishing is using text messaging for malicious intent. Examples include fake messages from government entities (like the IRS), support requests, or account recovery requests.
- Spear Phishing is like phishing, but targets specific people instead of casting a wide net. Attackers often use information gleaned from the internet to specifically target victims.
Another attack that uses elements of social engineering is spoofing, when a cyber criminal masquerades as a trusted entity or device to get you to do something beneficial to the hacker but detrimental to you. For instance, in a URL spoof, hackers create a fake website that looks like the real thing; a GPS spoof sends fake location signals so the scammer can send you anywhere they want.
|Type of Spoof||Your Best Protection|
|Email spoofing||Use “throwaway” email accounts when registering for sites such as Etsy|
|Website/URL spoofing||Look for the lock symbol indicating the site is secure before providing any sensitive information|
|GPS spoofing||Switch your smartphone to “battery-saving location mode” so only Wi-Fi and cellular networks can determine your location|
Social engineering attacks can be crafty, so use these tips to avoid them:
- Don’t trust display names. Confirm the email address before you open it.
- Consider typos a red flag. Spelling errors indicate that something’s off.
- Hover before clicking. Don’t open a hyperlink without knowing where it leads.
- Be suspicious of urgency. Any message designed to instill fear (“contact us immediately to resolve this matter”) should be flagged.
Password cracking involves using various methods (computational and otherwise) to break through password authentication to gain access to an account. Common methods of password cracking include brute force, dictionary attack, and credential mining.
Brute force attacks work by calculating every possible combination that could make up a password and testing it to see if it is the correct password. Brute force attacks use a tool to test many combinations of letters, numbers, and special characters. Every password is vulnerable to this type of attack; however, as the complexity of the password increases, so does the amount of time to crack the password. If the password is long enough, it could take years!
This strategy involves using a list of words with the hope that the user’s password is a commonly used word or password seen on previous sites. Keep in mind that these words can be in any language and include common phrases, like “letmein.”
Despite the perils of hacking, people keep using risky, guessable passwords. In its annual research on the most common passwords in the world, NordPass found predictable patterns. No surprise (even to the laziest hacker), the word “password,” is used almost 5 million times across the globe. Common passwords are likely to include fashion brands, musicians, swear words, sports teams, cars, video games, food, and movies—“Batman” showed up 2.5 million times!
Bots make quick work of these weak passwords. Hackers take less than 10 seconds to crack seven of the most common password choices worldwide.
|Most common (crackable) passwords||How to make it more secure|
|Password||Use 12 uppercase and lowercase letters|
|123456||Include a combination of letters and numbers|
|123456789||Never recycle an old password|
|qwerty||Use a password generator|
|111111||Don’t use any words or numbers hackers can guess from social media (birth year, pet names, initials)|
Credential mining is when an attacker collects stolen credentials, typically lists of usernames, passwords, and/or email addresses, then uses the credentials to gain unauthorized access to user accounts. Credential mining attacks are possible because many users reuse the same username and password across multiple sites.
Why Cyber Criminals Target Remote Workers
According to U.S. Census data, the number of people primarily working remotely tripled between 2019 and 2021, and those numbers don’t account for workers who work remotely part-time.
While there are many benefits to working remotely, the range of cybersecurity risks and vulnerabilities that remote workers are exposed to is significant.
Regardless of where your team is working, it is important to ensure that users are connecting to secure Wi-Fi and are using a VPN regularly. At home, users should ensure that their home network requires passwords to connect. When you are away from home, be cautious with public Wi-Fi. Unsecured Wi-Fi creates an opportunity for hackers to connect to unsecured devices on the same network. This means that a hacker can intercept every piece of information you are sending out on the internet: emails, credit card information, credentials—you name it, they can get it. And once they have it, hackers can access the systems as if they were you.
Why Cyber Criminals Target New Employees
Attackers scour social media sites like LinkedIn for joyous posts about accepting a new position at a company. Why? New employees are easy targets!
- New employees are always more than eager to help
- They don’t know what they don’t know
- They are unfamiliar with fellow employees’ names
- They often are not well-versed in company policies and procedures
Therefore, an eager-to-assist employee is often an easy win for a cyber criminal: “Hey, this is John in accounting. Welcome to the team! Can you help me with this file…”
Cyber Security Basics to Keep Your Nonprofit’s Data Secure
It’s not all bad news. Your organization can take immediate steps to mitigate risk and help prevent cyber attacks.
Sometimes the simplest actions can make the most impact. Just being aware of the threats we encounter and taking steps to mitigate them can improve your organization’s security posture.
If you are somewhere that doesn’t have secure Wi-Fi, consider using your phone as a hotspot, or ask if there is another Wi-Fi network with a password.
It’s also important to protect your hardware when working remotely. Here are some things to take into consideration to protect your hardware:
- Use your work computer for work-related activities only
- Always lock your computer when you are not using it or walking away from your workspace
- Don’t leave your computer unattended in a public place
- Pay attention to “shoulder surfers,” people looking over your shoulder to steal your personal and confidential information
When working remotely, it is also important to only use approved devices for work. Security controls are often weaker on personal devices, and files should not be shared between your work network and your personal devices.
Here’s a quick list of Do’s and Don’ts for cyber awareness.
|Lock your devices||Leave your computer unattended or unlocked|
|Connect to only approved networks||Use unsecured Wi-Fi (public networks)|
|Validate strange emails and voicemails||Follow malicious or suspicious links|
|Be aware that social engineering attempts are becoming more sophisticated||Share passwords with others|
|Change the password on your home Wi-Fi router to make it personal||Reuse passwords for multiple sites|
|Use only approved devices||Use your work computer for personal activities|
|Reboot often to install updates and patches||Share files between your work network and personal devices|
Enabling multifactor authentication (MFA) is another easy way to make it more difficult for bad actors to gain unauthorized access. MFA requires using two or more factors to authorize a user when logging in, such as:
- Something you know, for example, a password or PIN
- Something you have, a one-time code from a separate app or a text message
- Something you are, which means biometrics, like facial recognition or fingerprints
MFA should be enabled whenever available. Cyber safe organizations choose software with this security measure already in place.
Single Sign-On (SSO) is another authentication method to manage and further secure user access. This method allows users to use one set of credentials to access multiple systems, rather than requiring separate passwords or authentication methods for each system.
Think of it like this: SSO is the master key that allows you into a building. You can get in the front door AND open all the rooms. SSO can be used in combination with MFA, making it one of the most secure ways to authenticate and authorize user access. And it reduces the need for creating multiple complex passwords, making it a win for both users and system administrators!
Develop a Cyber Security Strategy
If your organization doesn’t have a strategy to deal with cyber attacks, .you can start with some small steps that can make a big impact. Begin building a culture focused on security by:
Training Your Staff
Don’t underestimate the importance of having cyber-savvy staff. There is a human element (think social engineering or user error) in 82% of data breaches against businesses. Your staff is the first line of defense against threats to your organization, so it’s important that they understand how to protect themselves and your organization from a breach. Consider creating annual security training for users alongside opportunities to learn about and identify phishing attempts.
Implementing and Enforcing Policies
Written policies are a critical component of shaping a security posture within your organization. Involve your staff in the policy-writing process. You will learn more about the systems your organization uses, and including the staff in the conversations helps them learn about how and why particular practices reduce risk. Working together on the policies develops clear expectations of security best practices that your staff can understand and implement and that you can measure and enforce. Policies can include anything from how your organization approaches physical security to password requirements for your users.
One of the easiest and most efficient ways to protect data is to limit who can access it. When access is restricted to only those individuals who need it to do their jobs, the risk of data falling into the wrong hands is reduced.
Use the security settings within your fundraising database to restrict access to specific functions within the application. Create user roles based on job requirements with granular access, then assign your organization’s users to the roles.
How to Select a Secure Fundraising Platform or CRM
In an ever-evolving threat landscape, you need a trusted security partner who can help keep your focus on what matters—your mission. Not all platforms are equally rigorous in their security practices. It’s imperative to choose a vendor that offers a strong enterprise security program in addition to strong security options within the software. Partner with your software providers to learn about the measures taken to protect your data. Some things to look for:
- Aligned with industry frameworks
- Industry-leading tools (intrusion protection, etc.)
- 24/7 monitoring
- Incident drills
- Tabletop exercises
- Threat modeling
- Threat hunting and intelligence
- Source code analysis
- Third-party penetration testing
- Proactive relationships with law enforcement
- Community engagement and collaboration with industry partners
Protecting Your Donors and Your Data in the Future
Defending your organization against ever-evolving cyber threats is a marathon, not a sprint. Focus first on creating a cybersecurity strategy that focuses on training staff, restricting access, and implementing policies based on best practices. From there, partner with your vendors to assess your organization’s risk and consider additional technical measures to harden your systems.