Cybercrime poses an increasing threat to all organizations, and nonprofits can be more vulnerable than most. To keep your organization and clients' information safe, it's important to be vigilant and proactive in defending your data from cyberthreats. Cyberattacks can disrupt your operations and prevent you from fulfilling your mission.
We've gathered some key information on cybercrime, how it works, and some important practices to help you protect yourself from it.
A wealth of information is available to help us understand the scale and nature of cybercrime. We know for certain that it is an extremely widespread phenomenon: more than half of all consumers have fallen victim to a cybercrime, and that number is expected to increase. Nonprofits are far from exempt from cybersecurity attacks; in fact, 50 percent of nonprofits and NGOs faced ransomware attacks in 2021.
Cybercrime most commonly takes the form of a ransomware or malware attack. There is a growing number of ways that hackers can execute these, but the most frequent is through a malicious link sent via email. In 2020, likely due to the massive shift to remote and online operations imposed by the COVID-19 pandemic, there was a 20 percent rise in ransomware attacks. Other forms of cybercrime include phishing, spyware, and identity fraud. Regardless of the method used, the goal is often to steal information, encrypt data, or monitor or influence activity in order to disrupt operations and force a payment from the victim.
Cryptocurrency is fast becoming a buzzword both inside and outside the tech industry. It comes with both opportunities and risks, but some nonprofits have begun taking advantage of the rise by accepting donations in cryptocurrency. Unfortunately, this rise has also contributed to the changing landscape of cybercrime. From late 2020 to early 2021, there was a 35 percent increase in ransomware attacks requiring payment in cryptocurrency. We have also seen an increase in cryptojacking, a form of malware that enables hackers to gain access to someone's cryptocurrency wallet in order to steal their cryptocurrency.
Many nonprofit leaders believe that their systems are not worth hacking, and this can lead to a lack of investment in robust cybersecurity systems. In fact, nonprofits may be at increased risk of cyberthreats because they possess sensitive information on clients, volunteers, and donors. Only 20 percent of nonprofits have a cybersecurity policy in place, and 59 percent do not offer any regular cybersecurity training, which in itself can mark them as an easy target for hackers.
The term cyberattack refers to any activity that gains illicit access to data or systems, usually with the intention of stealing or encrypting data or harvesting information. It is a very wide-reaching term, and perpetrators can have many different reasons for committing these crimes. For many, the objective is purely financial. Hackers will use ransomware to encrypt and withhold organizations' data and demand a ransom. Or they could gain access to victims' cryptocurrency wallets. The aim can also be to steal personal information in order to sell it on the dark web or commit identity fraud. Larger-scale cybercrime can aim to infiltrate financial systems, take control of networks, or harvest data from government organizations.
The most common method used to execute a cyberattack is malware, usually planted in the form of a suspicious link in an email or application. One common form of malware is ransomware, which encrypts data and then demands a ransom before the victim can regain access. Others include spyware, which harvests information from the target system, and Trojans, which pose as legitimate software in order to carry out illicit activity on the affected system. Formjacking can be used to obtain banking information, while a DDoS (distributed denial of service) attack floods the target site with requests until it becomes unavailable.
Cyberattacks most commonly succeed by exploiting human error. They use social engineering techniques to encourage someone inside the target network — such as a staff member or volunteer — to click a malicious link, usually sent by email. Social engineering methods exploit an inherent bias in the target user, causing them to click without checking the sender's credentials. For example, they may use the "halo effect" by designing the email to look like it comes from a recognized and trusted sender. Alternatively, they could exploit the user's "authority bias" by addressing the email from a CEO or someone higher up in the organization. They may also find other vulnerabilities in your network, software, or hardware and infiltrate a system that way.
The consequences of a cyberattack can be devastating. Many businesses close after suffering an attack because of information loss or financial devastation. Victims of a ransomware attack who do not have proper backups of their data may end up paying out large amounts of money for the safe return of their information. Even after paying up, there is no guarantee that hackers will honor the promise to allow you to regain access, and they may well target you again if they know you will pay.
If banking information has been compromised, the relevant accounts may have money stolen. Personally identifiable information like names and addresses may be sold or used to commit identity fraud.
The risks associated with cyberattacks are very real, but you can significantly reduce them by investing some time and resources into protecting your organization.
Nonprofits often overlook the need to train staff and volunteers on detecting the signs of an attempted attack. Since the majority of successful attacks exploit human error, education is an essential tool in preventing them. You can use KnowBe4 or another third-party service to help your team get clued up on how to spot a fake email or the signs that files have been encrypted.
Ensure that your passwords are unique, strong, and changed regularly. Using multi-factor authentication is also a great way of preventing illicit access to employees' accounts, even if a hacker manages to get the password. Tools like Okta can enable you to add an extra layer of protection by facilitating MFA.
There is a wide range of robust software available to help you protect your organization. Spam filters for email accounts help to weed out potentially malicious messages. VPNs and firewalls can block malicious links from opening even if they are clicked. Security suites such as Avast, Bitdefender, and Norton can provide wall-to-wall protection from unauthorized users, viruses, and unwanted activity.
It's also essential to properly and regularly back up your data. By keeping multiple copies of your information in different locations, you can greatly reduce your risk of losing it. This means that if you do fall victim to a ransomware attack or information theft, you can limit the loss you suffer by restoring your data from your most recent clean backup. Veritas is an extremely robust backup and recovery tool that can work in the background to secure your organization against attacks.
Even cloud storage is not inherently immune to ransomware. Cloud storage regularly syncs with your local data, and ransomware can go undetected for days or weeks while it works through your local files and encrypts them. The file-sharing engine then syncs those changes from local storage to the cloud copy, so the encrypted files overwrite the good ones there as well.
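The sync-propagation problem described above, modelled as an added example that is not part of the original article: a one-way mirror faithfully replicates damaged files into the cloud copy, while a backup that keeps prior generations and flags any sync in which an unusually large share of files changed at once still has a clean copy to restore. The alert threshold, file names, and file contents are constructed assumptions, and the "tampering" step simply overwrites file bodies so the sync behaviour can be observed without any real malware.

```python
import copy

def changed_fraction(before, after):
    """Share of files whose contents differ between two sync generations."""
    names = set(before) | set(after)
    changed = sum(1 for n in names if before.get(n) != after.get(n))
    return changed / max(len(names), 1)

class MirrorSync:
    """Cloud copy that only tracks the latest local state (a one-way mirror)."""
    def __init__(self):
        self.cloud = {}
    def sync(self, local):
        self.cloud = copy.deepcopy(local)
    def restore(self):
        return copy.deepcopy(self.cloud)

class SnapshotBackup:
    """Keeps every synced generation and flags a generation in which an
    unusually large share of files changed at once (assumed threshold 0.5)."""
    def __init__(self, alert_threshold=0.5):
        self.versions = []
        self.alerts = []          # (generation index, changed fraction)
        self.alert_threshold = alert_threshold
    def sync(self, local):
        if self.versions:
            ratio = changed_fraction(self.versions[-1], local)
            if ratio >= self.alert_threshold:
                self.alerts.append((len(self.versions), ratio))
        self.versions.append(copy.deepcopy(local))
    def last_clean(self):
        """Most recent generation recorded before the first alert, if any."""
        idx = self.alerts[0][0] - 1 if self.alerts else len(self.versions) - 1
        return copy.deepcopy(self.versions[idx])

def simulate_tampering(local):
    """Stand-in for local files being overwritten in bulk (constructed, no crypto)."""
    return {name: b"<unreadable>" for name in local}

def run_scenario():
    local = {"donors.csv": b"alice,100", "grants.xlsx": b"q1,2500",
             "minutes.docx": b"board notes"}            # constructed sample data
    mirror, snap = MirrorSync(), SnapshotBackup()
    mirror.sync(local); snap.sync(local)                # day 1: clean sync
    local["minutes.docx"] = b"board notes, updated"     # day 2: one normal edit
    mirror.sync(local); snap.sync(local)                # 1 of 3 changed: no alert
    local = simulate_tampering(local)                   # day 3: bulk damage
    mirror.sync(local); snap.sync(local)                # sync pushes damage up
    return mirror.restore(), snap.last_clean(), snap.alerts
```

Calling `run_scenario()` returns the mirror's (damaged) copy, the last clean snapshot, and the alert raised for the bulk-change generation.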
Investing in cybersecurity is one of the best things you can do to protect your operations, clients, and donors. Train your staff on the best practices in saving and backing up their data and use your resources to provide high-quality cybersecurity tools that can help you detect malicious activities, defend against cyberthreats, and help you recover in case you fall victim to one.