If you or your staff have ever been duped by a hacker through email, text, or social media, then you know how easy it can be. In fact, a 2015 study found that an estimated 156 million phishing emails were sent globally each day, and these emails can give hackers access to your most sensitive program and donor data.
"Phishing" refers to a hacker's attempt to gain sensitive information from a user through sneaky tactics, such as fraudulent emails, texts, or messages on social media. What's most concerning about this threat is that it relies on human error to be effective. While firewalls, spam filters, and antivirus software are indispensable components of an IT security framework, all of these measures can be rendered moot if an employee clicks the link to that cute cat video or unwittingly shares his or her password.
In order to raise awareness of IT threats here at TechSoup, Michael Enos, senior director of community and platform, adopted the KnowBe4 Security Awareness Training platform last year.
"I like the automation features, and I like the training content," he says. "It's interactive, and it makes you think. It's behaviorally focused, meaning that it teaches you the different ways you could be the subject of social engineering."
We're also offering a package for TechSoup members that includes the KnowBe4 platform for a year, along with expert setup services for your IT administrator, instruction on how to deploy training programs, and ongoing support throughout your annual subscription to the platform. This training is not just good for your organization. It's also a benefit to any employee who receives it, as it provides them with valuable best practices to implement in their personal online behavior.
But first, let's dig a bit deeper into what Enos means by "social engineering" and learn a bit more about what TechSoup is doing on the training side of things in order to keep our (and your) data and systems safe.
How Hackers Trick People into Giving Them Access to Their Systems
"Social engineering" refers to the tactics hackers use to trick and manipulate people into handing over information or passwords that grant entry to their personal or business computer systems. Attackers are exceedingly clever and skilled at crafting authentic-looking communications, so it takes meaningful training before your staff can reliably identify phishing attempts. That training also needs to ensure that people genuinely engage with the lessons rather than just going through the motions.
"A lot of organizations go to great lengths in order to secure their perimeter to keep the 'evil people' from getting in," Enos says. "But people can get into your network pretty easily through an email and trick people inside your organization into being used as pawns for nefarious attacks."
Thus, in order to keep your organization safe, it's necessary to target problem behavior among staff and educate people on the ways to identify threats such as suspicious emails. And this is specifically what KnowBe4 is out to accomplish.
"It's a platform that focuses on training staff and trying to help change their behaviors so that they're more aware of the ways they can be exploited to cause harm to their organization, their own data, or the data of others," Enos says.
KnowBe4 offers a variety of online training modules, ranging from introductory IT security basics to more targeted, advanced topics that may better fit an organization's specific needs. It also has strong automation features and can automatically schedule follow-up lessons for employees a few months after their initial training session, so that awareness is refreshed rather than left to fade.
The learning modules are highly interactive and require more than just sitting through a streaming video. All of this is geared toward getting people to be more actively aware of the dangers their organization may face.
Another useful feature of the platform is the ability to send simulated phishing emails to staff members in order to test whether they recognize and report suspicious messages. In keeping with its behavioral approach to staff training, this tool lets IT administrators identify weak points among staff and provide targeted training where it is needed.
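The cues that this kind of training teaches, and that a simulated phish exercises, can also be checked mechanically. The Python script below is an added example for this article; it is not KnowBe4 code, nor anything TechSoup deploys, and the two messages it scans are constructed for the example (example.org and example.net are reserved documentation domains). It flags four classic indicators: a display name that impersonates an address at the organization while the real sender is elsewhere, a Reply-To routed to a different domain than the From address, a link whose visible text shows one domain while its destination is another, and urgency language in the subject or body.

```python
"""Flag common phishing indicators in raw e-mail messages.

Added illustration for this article; it is not KnowBe4's detection logic.
The sample messages PHISH and LEGIT below are constructed for the example.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Pressure-to-act phrases. Training teaches staff to treat these as a cue
# to slow down and check the other indicators, not as proof of fraud.
URGENCY_WORDS = ("urgent", "immediately", "suspended",
                 "verify your account", "within 24 hours")

# Crude HTML anchor matcher: (href, visible link text).
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)


def registrable_domain(host_or_addr):
    """Return the last two DNS labels of a host or address, lower-cased.

    Sufficient for the example; a real tool would consult the Public
    Suffix List so that names like example.co.uk compare correctly."""
    host = host_or_addr.rsplit("@", 1)[-1].lower().strip()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in one raw message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = registrable_domain(from_addr)

    # 1. Display name looks like an address at one domain, but the real
    #    sender address is at another.
    claimed = re.search(r"@([\w.-]+)", display_name)
    if claimed and registrable_domain(claimed.group(1)) != from_domain:
        findings.append(f"display name claims {claimed.group(1)} "
                        f"but sender address is {from_addr}")

    # 2. Replies are routed to a domain other than the sender's.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and registrable_domain(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} does not match "
                        f"From domain {from_domain}")

    # 3. Visible link text names one domain, the href points to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, anchor_text in ANCHOR_RE.findall(text):
        target_host = urlparse(href).hostname or ""
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", anchor_text, re.IGNORECASE)
        if shown and registrable_domain(shown.group(0)) != registrable_domain(target_host):
            findings.append(f"link text shows {shown.group(0)} "
                            f"but points to {target_host}")

    # 4. Urgency language in the subject or body.
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    return findings


# Constructed sample: impersonated display name, foreign Reply-To,
# mismatched link, and urgency wording.
PHISH = """\
From: "it-support@example.org" <helpdesk@example.net>
Reply-To: recovery@example.com
To: staff@example.org
Subject: URGENT: your mailbox will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Verify your account within 24 hours:</p>
<p><a href="https://login.example.net/reset">https://portal.example.org/reset</a></p>
</body></html>
"""

# Constructed sample: an ordinary internal message with none of the cues.
LEGIT = """\
From: Donor Database <donors@example.org>
To: staff@example.org
Subject: Quarterly donor report attached
Content-Type: text/plain; charset="utf-8"

Hi all, the Q3 donor report is in the shared drive under Reports/2015.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample))
```

None of these checks is conclusive on its own: legitimate mail from a helpdesk vendor will often carry a foreign Reply-To, and newsletters routinely wrap links through a tracking domain. That is exactly why the article's emphasis on human judgment matters: the script surfaces the cues, and a trained employee decides whether the combination warrants reporting the message rather than clicking.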
An Important Piece of a Larger Puzzle
Nonprofits in particular should take IT security very seriously. In many cases, these organizations find themselves as the stewards of sensitive data belonging to some of the most underserved populations in society. And in the case of organizations that deal with things like health and financial data, robust IT training is more than a "nice to have" — it's a legal compliance issue.
A huge component of keeping any system safe is an educated staff that's aware of critical safety measures and best practices for online safety. That's because no matter how up-to-date security software is, there will always be "zero-day" attacks: attacks that exploit a flaw the vendor has not yet patched, or that use malware the security software does not yet recognize.
"In these cases, a fraudulent email can make its way through a spam filter, and all it takes is one click to shut down your entire system and allow a hacker to seize your computer and ask you to forfeit a ransom to regain access to your data," Enos says. Without a disaster recovery plan in place, a situation like this could force a nonprofit to rebuild its entire operation from scratch, and it could also expose employee and beneficiary data to criminals.
But while this reality is no doubt alarming, there are proven measures organizations can take to secure their IT infrastructure as tightly as possible. And an important piece of that larger puzzle begins with changing attitudes and behavior through meaningful employee training and education.
Additional Resources: Nonprofit Security
- Hear more from Michael Enos in the webinar 12 Steps to Stay Safer Online.
- Sign up for TechSoup Courses' Digital Security Bundle.
- Find out how to Increase Your Nonprofit's Security Using the Microsoft Cloud.
- Read blog posts on IT security.