It seems like each day we hear about the next big and scary IT security threat. WannaCry. Spectre. Meltdown. These names are frightening, and for good reason — it can take months for your organization to fully recover from a cyberattack.
You may have wondered: Is there anything more I can be doing to protect my own security, and is there anything more that I can do to help protect my nonprofit's security?
First, it can be helpful to understand what motivates most hackers. Matthew Eshleman, our instructor for TechSoup Courses on Digital Security, explains the laws of "Hackernomics" that he learned at a recent RSA Conference. The RSA Conference is an IT security event held several times a year across the world.
Hackernomics is a social science concerned chiefly with the description and analysis of attacker motivations, economics, and business risk. Hackernomics is characterized by four laws that can help us think through how we can best protect ourselves.
Law 1: Most Attackers Aren't Evil or Insane; They Just Want Something
Most attackers aren't like Hannibal Lecter. They're more like "smash and grab" car thieves who see that you left your expensive camera on the front seat. The majority of cybercriminals will look for weaker targets, and simple steps can help you be strong enough to avoid most attacks. For example, it's relatively easy to use a longer password (14 characters or more), which significantly reduces your security risk.
Law 2: Security Isn't About Security. It's About Mitigating Risk at Some Cost
It's easy to think of security in binary terms — either you are secure or you are not secure. But it's more helpful to think of security in cost-benefit terms. It might be about finding the very low-cost things you can do that protect you from most threats. Or depending on the sensitivity and importance of your data, it might make sense to invest more time and money.
Law 3: Most Costly Breaches Come from Simple Failures, not from Attacker Ingenuity
Hackers trying to hit an extremely valuable target can be quite clever. But most costly breaches can be traced to very simple, very preventable mistakes that didn't require a prodigy to exploit.
Law 4: Hackers Target Careless Employees, not Impenetrable Security Measures
Sometimes effective security practices aren't intuitive. Or maybe they require some effort. For example, how many people do you know who have used a simple password like "1234567890" or "password"? (Maybe this is you!) Systems should be set up to ensure easy adoption by their users.
Imagine an office building with a sophisticated retina and fingerprint scanner that employees had to use to open the front door. To get in the building, most attackers wouldn't try to defeat the scans. Instead, they'd just ring the doorbell and say they were a pizza delivery person.
These laws are a good start to understanding what you can do to protect your organization's security from most hackers. If you want to develop better security habits, sign up for our TechSoup Courses on Digital Security.
Additional Resources: Nonprofit Digital Security
- Browse all of TechSoup's security software options.
- Get some tips for selecting software that can help your organization comply with HIPAA rules.
- Find out What Nonprofits Need to Know About the Computer Chip Vulnerabilities.
- See How to Protect Your Identity After the Equifax Data Breach.
