hands on a laptop

Managing Cybersecurity Risks at Your Nonprofit

As organizations and society in general have become more dependent on the Internet and access to digital information, attempts to exploit weaknesses in technology systems have increased. The aim of these is to gain access to information, disrupt services, or cause harm to brand reputation and client trust. According to the FY20 Microsoft Digital Defense Report, in 2020, Microsoft blocked over 13 billion malicious emails. The report cites increases in social engineering attempts targeting C-suite employees as well as sophisticated COVID-19 fraud attempts.

Nonprofit 501(c)(3) organizations and those working to improve civil society are especially vulnerable as targets. They often work with the sensitive data of their clients or donors. They can also be targeted for political reasons by groups that oppose their work or mission. In addition, nonprofit and charitable organizations often work with constrained budgets or volunteers and have IT budgets less than those in the private sector.

drawing of a woman sitting on a cloud using a laptop and next to a large laptop showing security symbols such as locks and keys

Nonprofit organizations should consider two broad areas when they think about their own cybersecurity risk. The first is basic threat analysis, protection, and remediation methodologies, including how to understand your organization's threat surface. The second is maintaining systems and practices that protect against threats.

Cyberthreat Analysis: Beyond Antivirus, Spam Protection, and Security Updates

In today's cyber world, an organization needs more than just antivirus, spam protection, and keeping systems up-to-date with security patching to keep its information assets safe. Although these practices are the foundation of safe cybersecurity, an organization also needs to continuously monitor its threat landscape and be diligent in keeping its guard up by employing other practices. However, we cannot stress enough that having your organization (and your data) protected by tools such as Avast, NortonLifeLock, or Bitdefender all available in the TechSoup catalog, is a fundamental first step. Additionally, Veritas is a backup and recovery tool that provides the final layer of comprehensive data protection. 

Adopting a multi-layered cybersecurity strategy, like Avast Content Filtering or Secure Web Gateway, can help with creating policies and system configurations that will prevent attacks before they hit endpoints. These tools block web threats before they hit the network, securing networks and users alike by automatically blocking access to risky websites. They also deploy filtering policies and keep watch over every device and all user activity.


Understanding Your Risks

One of the primary tasks of an organization is understanding the organization's threat surface and risk exposure. A common way to learn what to consider is to use an assessment questionnaire. This methodology can produce a risk score and also help an organization prioritize gaps that are found in the assessment.

An organization may choose to have anything from a simple, low-cost facilitated professional questionnaire to an exhaustive (and expensive) third-party cyber risk assessment. Our recommendation is to consider a self-assessment first and work to remediate critical vulnerabilities as soon as possible. Then you can leverage a third-party cybersecurity professional for assistance in identifying harder-to-spot vulnerabilities through processes such as penetration testing and test phishing campaigns.

There are many free tools available to conduct self-assessments and testing, ranging from lightweight scans that check for common issues with websites to advanced open-source vulnerability scanning systems. The Open Web Application Security Project (OWASP) is a 501(c)(3) organization that provides resources, education, and free open-source tools such as ZAP that help organizations conduct internal testing of their web applications. If your organization requires PCI (payment card industry) compliance, TechSoup offers our members HackerGuardian as a donation from Comodo.

For business productivity systems, more and more, cloud systems such as Office 365, G Suite, and Box are making available built-in tools to help organizations identify risks through the configuration of policies. These can be configured to prevent accidental misuse or to alert administrators when threats occur. Microsoft 365 Security Tips, Security Checklist for Google, and Box Security Best Practices are good references if you use these tools. Other platforms will have similar documentation. This will include practices such as content classification, in which content can be classified as sensitive and be blocked programmatically from being shared or downloaded.

More advanced methodologies for threat analysis involve techniques such as continuous vulnerability monitoring through the use of log analysis tools called SIEMs (security information and event management). These tools work by aggregating data collected via firewalls, installed agents, or server logs and providing smart analysis and reports of cyberthreat activity.

Remediating Your Risks

The process of analyzing and prioritizing remediation is an important aspect of threat protection. When the processes mentioned above identify risks, in most cases, IT staff will need to understand how to address the issues that they find. They then must know how to prioritize the remediation, which often will involve factors such as cost.

Remediation will generally take two forms: remediation based on reducing a potential risk, or remediation based on a security incident that has produced data loss, theft, or damage to brand reputation and client trust.

A common and simple approach is to catalog found risks with a simple scoring system based on the level of risk. Many assessment tools have this built into the assessment system to guide administrators on how to prioritize remediation. A lower-risk threat might be something that is isolated to a single system, with no threat of data loss or breach. Higher-risk threats would be those that present a systemic risk of data loss or theft or business disruption.

Remediation itself will depend mostly on the impacted system or product and the vendor's recommendations. The remediation should be analyzed thoroughly and if possible tested in a sandbox environment before you implement it into a production system.

For example, you might have your Office 365 environment configured to send notifications based on a security policy that watches for login attempts from suspicious locations. If you receive an alert, a process should be in place to investigate, analyze, and potentially remediate the issue, based on the severity of the policy breach. If the investigation proves that the user was not in the locale where the login attempt occurred, we could suspect that the account could be compromised. The remediation would be to immediately force a password reset, ensure that the user's devices have not been compromised as well, and audit the email activity of the account to ensure that no data was compromised.

To take further remediation steps in the example above, the IT staff should enable stronger password policies and MFA (multi-factor authentication). If it had been determined that the device had been compromised, the staff should take steps to improve device security, such as enabling encryption, and check to ensure that other protections on the device are configured correctly.

Another common form of remediation concerns vulnerabilities in website code that could be exploited. Nonprofit organizations sometimes have customized websites created using tools like WordPress or Wix. Hackers use sophisticated tools to crawl the Internet looking for vulnerable sites to exploit. If one of the website scanning tools mentioned above finds a vulnerability, the remediation would be to work with the web developer to strengthen the code to eliminate the vulnerability.

Maintaining Your Cybersecurity System

Approaching cybersecurity in your organization should be more than a one-time consideration, where you push to implement policy and tools and then expect them to perform and function on their own. The systems and tools that support cyberthreat prevention require continuous maintenance and monitoring. Not only does technology change and advance, so do the means by which systems can be exploited.

Daily Checks

It is a good practice in IT to perform a quick daily check of all systems that support the critical infrastructure of an organization The systems that support your IT security should be a priority as part of this process.

Many times, a security threat exploits systems that have been discovered to have a vulnerability. The systems that support cyberdefense need to be always on the ready to receive updates so that they can deal with a potential cyberattack. Organizations need to be confident that their defense systems, such as antivirus and spam filters, are kept up to date. The systems need to be configured to check for updates several times a day. For guidance on how to ensure that your systems are configured appropriately and how to ensure they are receiving updates regularly, seek the vendor's website for documentation and ensure that staff are trained on how to monitor the systems.

Quarterly Checks

An addition to these daily simple checks, it is important that quarterly process and system audits be conducted by your organization. In contrast to the simple daily checks, a quarterly audit serves to take a deeper dive into your cyberdefense system's operational functions to ensure that they are working as expected. These are the critical elements of a quarterly audit:

  • Checking that your security products are up to date with the latest patches and updates
  • Checking that all devices or systems in your environment are being scanned or checked by your cybersecurity applications
  • Reviewing system reports to look for anomalies or issues that may require intervention to resolve
  • Checking to ensure that operating system software security updates are being deployed on all devices and systems
  • Testing backup, restore, and disaster recovery procedures to ensure that data is protected and can be restored in the event of a cyber-related incident that results in data loss

The Return on Investment

Organizations with already constrained budgets may wonder what the investment in security is worth. It is difficult to completely quantify the value. The risk and consequence of data loss or theft, damage to brand reputation, or business disruption in the event of an incident would vary based on many factors. But it is important to understand these implications and what costs or damage would arise in the event of an incident.

One article from CSOonline that discusses cybersecurity and ROI (return on investment) quotes Robert Metcalf, a cybersecurity expert at PwC Switzerland: "Cybersecurity is about risk management and loss prevention, not just earnings and so any investment in security needs to demonstrate to the business that it is focused on defending what is of most value to the organization, its 'crown jewels.' How these key assets are then being targeted by threat actors can strongly indicate where you must invest the most and where your business reputation is also at stake."

As stewards of our constituents' data and information, IT staff working in the civil society sector have an added responsibility to ensure the security of their systems. Our work and missions are critical to advancing the public good, and enabling trust in our systems and technology enables this advancement.

TechSoup is a resource for organizations to help with this effort. For access to technology and education to help drive your mission, please visit techsoup.org.


Additional Resources

Top photo: Shutterstock