Cyberattacks against small and mid-sized organizations are at unprecedented levels. What separates large organizations from smaller ones is the size of the information technology security budget and the resources available. For nonprofit organizations, it can be even harder to secure information technology and personal information because budgets and resources are even tighter than those of small and mid-sized businesses. Here are three steps your nonprofit can take to improve your cybersecurity.
Step 1: Develop a written cybersecurity program
If you don’t already have a written cybersecurity program, start by identifying your business objectives and organizational priorities. This will include reviewing the information technology systems that your business uses and the types of information processed and stored.
For instance, does your nonprofit organization store personal information, financial account information or email addresses? Once you know what systems you use and what information you process and store, then determine the regulatory rules that apply to your particular situation.
All states have data breach notification laws that govern giving notice and reporting breaches of personal information of their residents. Many states require certain types of businesses that store or process personal information to have a written cybersecurity program. Knowing what information you have and its location is the first step in expediting and lowering the cost of responding to cyberattacks and data breaches.
To assist in developing your cybersecurity program, the Federal Communications Commission website has a free cybersecurity program planner that you can tailor to your needs.
In addition to written policies, your cybersecurity program will require the selection and implementation of physical and behavioral controls.
Step 2: Physical controls
Patch and update regularly
The most damaging and prolific cyberattacks exploit known vulnerabilities. Installing patches and software updates is the most effective physical protection you can employ.
Deploy cybersecurity software
Make sure that you are using a firewall and that it’s properly configured. Use at least one antivirus program and configure it to scan systems regularly. If you have remote employees or allow remote access, use a VPN (virtual private network) to secure access.
Employ multiple redundancies for backups
Backing your data up to the cloud is good, but backing it up to air-gapped storage, a storage device that is not connected to the Internet or other networks, is better. Recent ransomware attacks have encrypted networks as well as cloud backups. To ensure that your business can recover quickly and reduce remediation costs after an attack, employ multiple backups.
Control physical access to your computers and data
Create individual user profiles so that only authorized users can access your systems and data. Consider multi-factor authentication for sensitive systems and data. Restrict administrative access to only those users who require it. Establish rules that mandate strong passwords that are at least eight characters long and combine randomly selected letters or a passphrase with a six-digit PIN.[1]
Secure Wi-Fi networks
Set a strong password for your router. Do not use the default password. If you allow guests to access your Wi-Fi, consider setting up a separate router and password for their use.
Ensure that email is protected by DMARC
DMARC is an email authentication protocol that is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. Using DMARC can help to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities. Ask your email hosting service if they employ DMARC or set it up if you control your email server.
Employ best practices for payment cards
If your nonprofit accepts payment cards, work with your processing provider to ensure that your organization is Payment Card Industry Data Security Standard compliant.
Vet vendors’ cybersecurity
Employing a vendor, such as a cloud storage or security provider, doesn’t eliminate your exposure in the event of a cyberattack or breach. Nearly every state requires the data owner, not the vendor, to notify affected individuals, and in some cases law enforcement, in the event the vendor suffers a breach of the owner’s data.
Step 3: Behavioral controls
Cybersecurity professionals routinely warn that employees pose the greatest threat to even the most rigorous cybersecurity program. Training is the most effective measure you can take to bolster your policies and program. It’s not sufficient to distribute your policies and ask employees to sign off. In addition to formal training, consider posting security posters, encouraging employees to attend free cybersecurity webinars, and regularly educating them about current threats. Consider exercises such as phishing your own employees to reinforce the best security practices.
Address unauthorized devices and shadow IT
Implement a realistic mobile device policy and reinforce your policy with physical controls and employee training. Control shadow IT, the use of unauthorized devices, software or apps, by employing an approval process for software and hardware purchase and use.
Visit the FCC Cyberplanner to create a free customized Cybersecurity Planning guide for your small business and visit the CISA website to download resources on cybersecurity awareness for your business. The eRiskHub, a free service to our insureds, contains many resources to assist in developing your cybersecurity program and educating your employees about cyber risks and security best practices.
Article written by HSB, Berkley Human Services’ cyber coverage partner.
[1] See NIST guidance