While the COVID-19 pandemic has radically changed the landscape of how we live and work, one constant has remained: Cybercriminals are taking advantage of chaotic situations for their benefit. The FBI, DISA (Defense Information Systems Agency), Department of Homeland Security, and other industry cybersecurity experts have issued strong advisories in the wake of this pandemic. The Department of Defense Cyber Exchange has recently released resources to help protect the public from the increased attack surface of working at home.
These advisories can feel overwhelming for those who might already struggle to provide essential IT services. Existing security problems are compounded by a lack of threat assessments, shadow IT, and limited staff.
In this blog post, we explore the ways that nonprofits might be vulnerable in this changing landscape, as well as offer tips and resources to help protect against those vulnerabilities.
Remote Work Can Mean an Increased Attack Surface for Cybercrime
"When companies pivoted to remote work solutions, employees started using untrusted home devices to remotely access internal corporate resources. These potentially unpatched and unsecured devices increase a company’s attack surface," says Joe Hillis, operations director at the Information Technology Disaster Resource Center. With over 2,000 volunteers in the IT industry, ITDRC provides communities with zero-cost technical resources necessary to continue operations and begin recovery after a disaster. "Cyberattacks," says Hillis, "can negatively impact us all just as much as weather-related disasters. Targeted attacks on hospitals, transportation, and governments disrupt critical services, and nonprofit partners that work with these groups are also at risk."
Hillis recounts two cyberattacks on ITDRC partners — one ransomware attack on a municipality and one targeted phishing attack on a nonprofit.
"The impact on the city lasted for weeks. The city's website was down, and some municipal services were paralyzed. The executive director of the nonprofit had to write to their donors and explain that their donation money was inadvertently wired to cybercriminals. Email and stolen user credentials are the primary threat vectors, with email being the primary way that malware payloads are delivered."
How to Improve Remote Security at Your Organization
Applications are essential to nonprofits' missions and critical to working together, given new shelter-in-place constraints. The COVID-19 pandemic has highlighted weaknesses in the way nonprofits enable application access for employees, partners, and volunteers. With these increased targeted attacks on the rise, what steps can nonprofits take to protect themselves?
- Multi-factor authentication. To make it more difficult for cybercriminals to mount brute force attacks on nonprofit user credentials, nonprofit administrators should add an additional authentication mechanism, such as SMS text or Google Authenticator on smartphones, to their online services.
- Password management. A password compromised on one account is often reused to break into another account that shares the same password. Password managers such as Dashlane can flag which of a user's stored passwords have already appeared in breach data circulating on the dark web. Solutions like Okta offer single sign-on, which simplifies password management across corporate resources.
- Endpoint protection. Anti-malware software on user endpoints protects against known and unknown threats. Two examples are Bitdefender and NortonLifeLock, and TechSoup offers several others.
- Email hygiene. Nonprofits rely heavily on email for communication, and it is imperative to have multiple layers of protection. First, email should be sanitized with a secure email gateway before it arrives in a user's inbox, where it could then be easily clicked and executed. Second, users should have software on their computer that detects when a malicious URL has been clicked. Above all, users should have training on what a phishing email looks like. Be sure to check out the KnowBe4 platform, which is offered through TechSoup. KnowBe4 offers a variety of training modules and allows admins to "test" employees with fake phishing emails in order to better prepare them to spot bad actors in the real world.
- Virtual private networks. A VPN encrypts the connection between a remote device and a central location. These secure connections let nonprofits safely reach internal resources and prevent others on untrusted networks — like a coffee shop with open Wi-Fi — from monitoring unencrypted web traffic. If your organization uses a VPN for secure access to online resources, it is good practice to turn it on whenever working remotely so that all online interactions occur over an encrypted channel.
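The multi-factor authentication bullet above recommends an authenticator app as the second factor. The following example, added here and not part of the original post or any vendor's code, shows what such an app and the service verifying it actually compute (RFC 6238 TOTP as used by Google Authenticator), including the server-side checks that matter: constant-time comparison, a small clock-skew window, and rejection of a code that has already been used. The secret is the RFC test-vector key and the account name and issuer are constructed placeholders.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed demo key: the RFC 4226/6238 test-vector secret (ASCII "12345678901234567890").
# A real deployment generates a random secret per user and stores it encrypted at rest.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # authenticator apps use 30-second time steps
DIGITS = 6          # and 6-digit codes

def totp_code(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) with HMAC-SHA1 over the 30-second time-step counter."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226 section 5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)

def verify_totp(secret: bytes, submitted: str, unix_time: int,
                used_counters: set, window: int = 1) -> bool:
    """Server-side check: accept the current step or one step either side (clock skew),
    compare in constant time, and never accept the same time step twice (replay protection)."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        expected = totp_code(secret, counter * STEP_SECONDS)
        if counter not in used_counters and hmac.compare_digest(expected, submitted):
            used_counters.add(counter)   # persist this in the user record in production
            return True
    return False

def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that Google Authenticator and similar apps read from an enrollment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}", safe=":@")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")

if __name__ == "__main__":
    seen = set()
    print(provisioning_uri(DEMO_SECRET, "alice@example.org", "ExampleNonprofit"))
    print(totp_code(DEMO_SECRET, 59))                    # 287082 (RFC 6238 SHA1 vector, 6 digits)
    print(verify_totp(DEMO_SECRET, "287082", 59, seen))  # True
    print(verify_totp(DEMO_SECRET, "287082", 59, seen))  # False: same step replayed
```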
Also, be sure to check out all of TechSoup's Resources for Nonprofits Impacted by COVID-19. You can also review our page dedicated to Essential Security Resources for Nonprofits.
To continue this discussion, head over to TechSoup's community forums. What new technical challenges is your nonprofit facing? And how are you preparing for the road ahead? Join the conversation today.
And check out TechSoup Courses to learn about Cyber Liability Insurance.
About the Author
Roger Rustad, CISSP, has been a volunteer at ITDRC since 2015. His volunteer activities focus on bringing free Wi-Fi services to communities through an ITDRC program called projectConnect.