What’s the risk? The basics of understanding your cybersecurity needs
by Kate Hayden
For any organization, it can be hard to know where to start in thinking about cybersecurity risk.
Since the Business Record first ran our story “What’s the Risk?” in December 2019, businesses and nonprofits have come to rely even more heavily on digital tools to support remote work and remote services during the pandemic. In the 2019 Business Record Leaders Survey, readers were generally doubtful about how prepared Iowa businesses and government were for a cyberattack; about 30% of respondents said they perceived Iowans as somewhat prepared.
What should nonprofits know today to stay vigilant against cybersecurity threats? Last year we asked security experts in Iowa to share best practices for understanding a nonprofit’s cybersecurity needs.
The experts:
Antoinette Stevens
Detection and response engineer, Cisco Meraki
Megan Howard
Director of security services, Pratum
Aaron R. Warner
Founder/CEO and lead security strategist, ProCircular
What kind of cyberattacks are not-for-profit organizations most at risk of experiencing? Why would people target these organizations?
Stevens: “Without too much thought to highly motivated threat actors (someone is actively trying to attack an individual organization for their own purposes), most smaller NPOs would likely be at risk of two things: data breaches stemming from misconfigurations in their databases and websites, and a lack of available resources to find and fix those issues; [and] malware delivered via phishing due to a lack of available training around email security. I don’t think most organizations are specifically targeted; rather, they’re caught in a larger net that was cast and ended up getting caught with everyone else.”
Warner: “Non- and not-for-profit organizations are frequently targeted due to the high transactional volume of credit cards and the presumably low cybersecurity budget.”
Howard: “Not-for-profit organizations are susceptible to many of the same cyberattacks as any other organization or company. Not-for-profit organizations often operate on a tight budget, and cybersecurity is not always a line item within it. Hackers know this and take advantage of the lack of security controls in place.”
What are the most common risky cyber practices you have seen in not-for-profit organizations?
Warner: “Mass-emailing leads to risks both from replies and spoofing. People can look like their potential clients as well as present themselves as the source organizations.”
Howard: “Many not-for-profits do not have proper access controls in place to help limit the exposure to their sensitive data (credit card numbers, email addresses, home addresses or other personally identifiable information). Once a hacker is in, they most likely have access to everything due to the lack of internal segmentation and access controls.”
Stevens: “Third-party plugins used on websites. … A lot of people use third-party plugins on their websites, and if a plugin isn’t secure, it can be used to exfiltrate important user data, deface the website and more.”
What type of training is most effective for volunteers or part-time staff members in not-for-profits?
Warner: “In-person cybersecurity training is the best way to really bring people to the defense of their organization. There is also a need for more frequent reminders, which is where a tool like KnowBe4 can be effective. The combination of the two makes for a strong approach towards educating employees.”
Stevens: “Phishing training. A fairly large amount of malware gets delivered via email. Really good training for how to spot phishing could save a lot of money in the long run.”
Howard: “Unfortunately, fraudulent emails are looking more and more realistic and can be very difficult to detect. Ongoing training and awareness is essential to keep this top of mind. Volunteers or staff members should be trained to always verify. … Most people want to do the right thing, but if they lack awareness and training, their actions could result in undesirable consequences.”