Cyber crime is a serious threat to organisations across all sectors. Unfortunately for not-for-profits, cyber criminals are opportunists and are indiscriminate in their attacks. Additionally, unlike for-profit businesses, not-for-profits generally don’t have the funds or resources to spend on IT departments or elaborate cybersecurity systems. So we’ve put together this list of useful tips to help not-for-profits increase their cybersecurity…without breaking the bank!
Restrict Access
One of the easiest ways not-for-profits can improve their cybersecurity is by restricting access to information. By limiting the number of people who can access sensitive information, not-for-profits can greatly reduce the chances of a cybersecurity breach or data leak. As a general rule, every staff member, volunteer, donor, client and external partner should only have access to the resources pertaining to their individual role. High-level access to confidential information and essential digital resources should only be granted to a few trusted personnel.
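The rule above is least privilege: each role is granted only what its holders need, everything else is denied, and the short list of people with high-level access is reviewed periodically. The following is an added example, not code from the original article; the roles, resources and names are constructed for illustration.

```python
# Added example, not from the original article: a deny-by-default,
# role-based access check. Roles, resources and user names are constructed.
from dataclasses import dataclass, field

# Each role lists only what its holders need for their job. Anything not
# listed here is denied, so a new resource is closed until someone grants it.
ROLE_PERMISSIONS = {
    "volunteer": {"event_schedule": {"read"}},
    "staff":     {"event_schedule": {"read", "write"}, "client_records": {"read"}},
    "finance":   {"donor_database": {"read", "write"}, "bank_portal": {"read", "write"}},
    "admin":     {"user_accounts": {"read", "write"}, "client_records": {"read", "write"},
                  "event_schedule": {"read", "write"}, "donor_database": {"read", "write"}},
}

# Resources whose modification should be limited to a few trusted people.
SENSITIVE = {"donor_database", "client_records", "bank_portal", "user_accounts"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def is_allowed(user: User, resource: str, action: str) -> bool:
    """True only if one of the user's roles explicitly grants the action."""
    for role in user.roles:
        if action in ROLE_PERMISSIONS.get(role, {}).get(resource, set()):
            return True
    return False  # deny by default: unknown role, resource or action


def sensitive_access_report(users: list) -> dict:
    """Map each sensitive resource to the users who can modify it.

    Meant for a periodic access review: the list for each resource should
    stay short and limited to trusted personnel.
    """
    report = {}
    for resource in sorted(SENSITIVE):
        names = sorted(u.name for u in users if is_allowed(u, resource, "write"))
        report[resource] = names
    return report


if __name__ == "__main__":
    people = [User("Ahmed", {"volunteer"}), User("Bea", {"staff"}),
              User("Chen", {"finance"}), User("Dana", {"admin"})]
    print(is_allowed(people[0], "donor_database", "read"))  # False
    for resource, names in sensitive_access_report(people).items():
        print(f"{resource}: {', '.join(names) or 'nobody'}")
```

Because `is_allowed` returns False for anything not explicitly listed, adding a new resource grants nobody access until a role is updated, which is the safe default. The report is the check to run when someone leaves or changes role.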
Protect Devices
The best way to protect devices is to only conduct official not-for-profit business on them. That means not engaging in activities such as surfing the net, online gaming, downloading videos, etc. Separate computers, mobile devices and online accounts should be allocated for personal and business use. This is of paramount importance when individuals outside of the organisation have access to the device, especially children or other family members. Sensitive business activities such as online banking and record keeping should only be carried out on organisational devices. Likewise, confidential information should never be sent to personal email addresses. It is also best to avoid connecting any untrustworthy hardware to computers, mobile devices or networks. Where that is not feasible, disabling the “AutoRun” feature for CD, DVD and USB drives can prevent malicious programs on removable media from installing themselves automatically when the media is inserted.
Install Cybersecurity Software and Encryption Tools
Antimalware, firewalls, network monitors and intrusion detection systems are useful cybersecurity programs that can help stop unauthorised access to networks and alert users to any strange activity. They are also effective deterrents, as they hinder employees and volunteers from misusing not-for-profit devices and networks. However, it is important to do due diligence when installing any software, program or application. Proper research should be done prior to any download, especially when using freeware or shareware. Never download from an unknown or suspicious web page. Regular updates are also crucial to keeping a cybersecurity system up to date. Newer versions of software typically include more effective security policies and protocols, and vendors also release patches to address security vulnerabilities discovered in their software. In addition, encrypting data and software applications (especially those that are cloud-based) is an effective way of guarding valuable information, reducing the risk of exposure, manipulation and data theft.
Be Cautious When Using The Internet
Caution should be exercised when conducting any and all online business. A secure browser connection is a must and will be indicated by a small lock icon visible in either the window’s lower right-hand or upper left corner. It is also recommended that the web browser cache, temporary internet files, cookies and internet history be cleared as often as possible. Erasing this data (especially when it includes commerce or internet banking details) prevents it from being stolen if the system is compromised by a cyber attack. Also remember never to respond to any suspicious pop-up windows! Pop-up blockers can halt harmful pop-ups while still permitting ones from trusted websites to appear.
Use Effective Passwords
User authentication and account security are the first line of defence against cyber attacks. Every member of a not-for-profit organisation should have a unique username and password they use to access devices and applications. Although many devices come with a default administrator username and password, these details are easily discovered by cyber criminals and pose a major security risk. As such, all default passwords should be changed at the earliest opportunity. All passwords should follow best-practice guidelines, which are as follows:
- Contain at least 8 characters, including upper- and lowercase letters, numbers and at least one special character.
- Be changed every 3 months.
- Never be reused.
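The three rules above can be enforced at the point where a password is set or logged in with. The following is an added example, not code from the original article: it checks complexity, flags a password that is older than 3 months, and rejects reuse by comparing against salted PBKDF2 hashes of earlier passwords (so the reuse history never stores the old passwords themselves). The sample passwords and dates are constructed.

```python
# Added example, not from the original article: checks a proposed password
# against the three rules listed above (complexity, 3-month age limit, no
# reuse). Old passwords are kept only as salted PBKDF2 hashes, so the
# history cannot leak the passwords themselves. Sample values are constructed.
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_AGE = timedelta(days=90)   # "changed every 3 months"
PBKDF2_ROUNDS = 100_000


def complexity_errors(password: str) -> list:
    """Return the list of complexity rules the password fails (empty = OK)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(not c.isalnum() for c in password):
        errors.append("no special character")
    return errors


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked history cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordRecord:
    """Per-account password state: last change date and hashes of past values."""

    def __init__(self):
        self.history = []        # list of (salt, hash) for every password ever set
        self.changed_on = None   # date of the most recent successful change

    def was_used_before(self, password: str) -> bool:
        return any(hmac.compare_digest(_derive(password, salt), digest)
                   for salt, digest in self.history)

    def set_password(self, password: str, today: date) -> list:
        """Apply the policy; on success record the new hash and return []."""
        errors = complexity_errors(password)
        if self.was_used_before(password):
            errors.append("password was used before")
        if errors:
            return errors
        salt = os.urandom(16)
        self.history.append((salt, _derive(password, salt)))
        self.changed_on = today
        return []

    def is_expired(self, today: date) -> bool:
        """True if the password is older than the 3-month limit (or never set)."""
        return self.changed_on is None or today - self.changed_on > MAX_AGE


if __name__ == "__main__":
    record = PasswordRecord()
    print(record.set_password("summer", date(2024, 1, 8)))       # several errors
    print(record.set_password("Summer#2024", date(2024, 1, 8)))  # []
    print(record.set_password("Summer#2024", date(2024, 4, 9)))  # ['password was used before']
    print(record.is_expired(date(2024, 4, 9)))                   # True
```

Returning the full list of failed rules, rather than the first one, lets the user fix everything in one attempt; the age check is separate so a login screen can force a change without needing the new password yet.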
It may also be worthwhile investing in a password management application to create, remember and automatically fill in passwords. However, for some not-for-profits, passwords alone are not secure enough. This is usually the case when accessing highly confidential information such as financial details, health records and government documents. In these situations, a multi-factor authentication (MFA) login method adds another layer of user verification. MFA requires an additional token to prove the user’s identity at login, on top of their regular password. This can take the form of geolocation, biometrics, or a one-off security code sent to an appointed e-mail account or phone number, or produced by an authentication app.
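The one-off codes shown by an authentication app are time-based one-time passwords (TOTP, RFC 6238): a shared secret and the current 30-second time step go through HMAC-SHA1 and are truncated to six digits. The following is an added example, not code from the original article, showing how the code is produced and how the server side should check it: it tolerates one step of clock drift and refuses a code whose time step has already been accepted, so a captured code cannot be replayed. The secret is the RFC 6238 test key, standing in for the per-user secret a real deployment would generate and store.

```python
# Added example, not from the original article: how an authenticator-app
# code (TOTP, RFC 6238) is generated and checked. The shared secret below is
# the RFC 6238 test key; a real deployment generates one per user.
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """The code an authenticator app shows at the given time."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, window: int = 1):
    """Check a submitted code; return the matched time-step counter, or None.

    Accepts one step either side of the current one to tolerate clock drift,
    and skips any counter at or below last_counter so a code that was already
    accepted cannot be replayed. The comparison is constant-time.
    """
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test secret
    code = totp(secret, 59)
    print(code)                           # 287082
    used = verify_totp(secret, code, 59)
    print(used)                           # 1
    print(verify_totp(secret, code, 61, last_counter=used))   # None: replay rejected
```

The caller stores the counter returned by `verify_totp` with the account and passes it back as `last_counter` on the next login; that one stored integer is what turns a code that is valid for 30 seconds into one that is valid exactly once.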
Encourage a Culture of Cybersecurity Awareness
The fact of the matter is that the most commonly exploited weakness in cybersecurity is human error. From negligence to an honest mistake, most data breaches could be prevented by fostering a culture of cybersecurity awareness and providing ongoing training. Phishing attacks are one of the biggest cyber threats not-for-profits face, as cyber criminals will attempt to cajole not-for-profit members into revealing confidential information or installing malware through duplicitous means. It is of vital importance that all staff and volunteers be instructed on how to recognise scam emails and other fake communications. Furthermore, every member of a not-for-profit should be educated in cybersecurity best practices, the steps they can take to mitigate risk, and the importance of following data protection guidelines.
Never Disclose Private Information
Beware of social engineering. Social engineering is a type of cyber attack that involves manipulating people into divulging sensitive information, which is then used to gain physical or electronic access to IT systems and private data. The more a cyber criminal knows about an IT system, the easier it is to break into it. To avoid this happening, never give out information relating to the following: usernames, passwords, operating systems, firewalls, internet browsers, applications, software, programs or anything else that has to do with the organisation’s IT environment.
Regularly Update Your Cybersecurity
According to The Nonprofit Technology Enterprise Network, a shocking 70% of not-for-profits have never assessed their cyber risk profile. Cybersecurity assessments uncover the weaknesses in an organisation’s network and system security. They analyse the potential threats, likelihood of attack and resulting damage. Without knowing the risks, how can you defend against them? For this reason, cybersecurity assessments should be carried out annually. While there are self-assessment resources available to not-for-profits, only an outside expert can give an unbiased perspective. You can read more about cybersecurity assessments here.
Implement an Information Security Management System
Implementing an Information Security Management System (ISMS) can greatly diminish the threat of cyber attacks. A variety of approaches can be taken when implementing an ISMS, depending on a number of factors, including the risk severity, the level of cybersecurity needed and the potential fallout from a security breach. Once in place, an ISMS can shield information from unauthorised access. ISO27001 is the internationally recognised gold standard for ISMS and is applicable across all business models. Containing 114 controls over 14 sections, obtaining ISO27001 accreditation can be an arduous task. It requires external auditing and typically takes an internal team many months to achieve full implementation and certification. However, the ISMS.online platform accelerates this process, saving time and money. ISMS.online even offers a 25% discount for not-for-profits.
In 2022, the Department of Education, Skills and Employment (DESE) introduced the Information Security Management Scheme, which requires providers of employment skills, training, and disability employment services to gain ISO27001 and Right Fit for Risk (RFFR) accreditation. Failure to secure these certifications can result in the loss of future tenders and funding. You can read more about Right Fit For Risk here.
Back-up Everything
Maintaining a reliable backup system eliminates the danger of losing data, even in a worst-case scenario. It ensures that all organisational information remains readily available, even when affected by cyber attacks, accidental deletion, hardware failure or natural disasters. A cloud-based storage system that secures information outside of a physical location also guarantees that, even if every device onsite fails at once, important data can still be recovered.