Nonprofits face the same cyber threats as for-profit organizations, but their risk levels may be much higher depending on the level of resources, investment and training dedicated to this essential, but commonly misunderstood, area.
Two of the industry’s leading cybersecurity experts, James Rocker of Nerds that Care and Adam Weiss of Atlantic Tomorrow’s Office, sat down with Fiona Cheng of Grassi’s Nonprofit team to dispel some of the myths around cybersecurity and explain the cost-effective ways nonprofits can better protect their organizations from cyberattacks.
Q: What are the most overlooked cybersecurity measures that nonprofits are not addressing?
James: Many nonprofits are overlooking the basic tools and practices they need to properly protect the organization. Often, the thought is that they don’t have enough money, and the limited funds they have should not be spent on cybersecurity. This stems from a major lack of education across the sector about just how vulnerable nonprofit organizations are to cyberattacks.
Adam: Typically, nonprofit organizations fail to effectively conduct risk and vulnerability assessments, user awareness training, identity access management (e.g. passwords and multi-factor authentication) and user permissions. There is also a lack of adequate oversight over the management of Active Directory user accounts and deactivation of accounts when people leave the organization. Many also do not make the investment in keeping their software and systems up to date.
It’s understandable why cash-strapped nonprofits might be reluctant to increase these expenditures, especially considering the lack of funding many of them deal with. But ignoring cybersecurity threats can only cause financial burdens down the road, since it’s always more expensive to recover from a cyberattack than it is to prevent it from happening in the first place.
Q: What unique cybersecurity risks do nonprofits face, and how does this change your approach to protecting them?
Adam: Nonprofits are automatically at a disadvantage because cybercriminals can easily research and find more information through the tax filings, staff names, emails and other potentially exploitable information that nonprofits and associations are required to publish online. While their missions may differ from the private sector, nonprofits have to realize that cybersecurity concerns threaten them just as much as the largest corporations in the world. Because so many organizations wrongly believe that they are not as attractive to cybercriminals and can “fly under the radar,” they don’t invest nearly as much money in their cybersecurity defenses and policies as they should.
James: Again, there is a big risk in the sector’s lack of education on cybersecurity in general. Many nonprofits grossly underestimate their potential to be a target of cyberattacks. Because the risks are very much the same as those in a for-profit company, I do not change my approach to protecting nonprofits. But I do incorporate a lot of education to help them and their board members understand its crucial role in the organization’s sustainability.
Q: What are the biggest vulnerabilities that remote work environments have exposed in your nonprofit clients?
James: If a nonprofit did not invest in organization-issued laptops, the sudden shift to remote work forced its employees onto their personal devices at home. This daily access to organizational programs and systems from potentially unprotected devices and connections was a huge threat.
Remote work also exposed vulnerabilities in nonprofits’ people. Given the lack of past investment in cybersecurity training, many employees did not have the awareness to operate independently without falling prey to phishing attempts or suspicious links to malware. In addition, many nonprofit organizations did not have adequately qualified IT staff to effectively manage the transition to remote work.
Adam: Like all organizations, nonprofits were instantly thrust into supporting this “new normal” without having the time to properly plan and prepare their systems, security and policies to enable staff to securely work remotely and support their ongoing operations. Some of the most significant vulnerabilities were: unmanaged, unprotected home devices that lacked up-to-date patches and antivirus software; the sharing of these devices with other family members, which created additional security risks; unsecure wireless devices that exposed the connections and system access to hackers; and poor user email and social media habits.
Q: What should a cybersecurity policy include?
Adam: The cybersecurity policy should confirm the security framework which the organization has developed and lay out the controls to ensure the measures are followed by the responsible parties and users. There should be both internal IT management operational policies as well as general staff/user-facing policies for acceptable use which all employees need to be aware of and periodically reminded of. At a minimum, these should include acceptable use (how the organization’s technology should be used), identity and account management (proper controls that grant and limit access to systems), data protection and management (where data is stored, who has access to it, and how it is backed up), and communications processes for reporting events that may impact the organization’s user or data security.
James: The cybersecurity policy is a robust document. In addition to the ones Adam mentioned, other recommended items include account lockout procedures, change controls, segregation of duties, data classification and collection policies, intrusion prevention, software and operating system requirements, email retention policy, equipment control and cloud security, among many other components.
Q: What are the most cost-effective tools to increase a nonprofit’s defense against cyberattacks?
James: There are many cost-effective subscription-based tools that allow organizations to share the burden of cybersecurity monitoring and response with a third-party provider. This is referred to as endpoint detection and response software and, when combined with co-managed SOC (subscription-based threat detection services), can provide the same benefits and protection without the investment in in-house infrastructure and people.
Cybersecurity awareness training is something all organizations should be doing. Human error is a top reason why cyberattacks are successful. Employees who know how to identify suspicious emails and links, practice password and device safety, and know who to alert when red flags arise can be one of the biggest defenses against cybercriminals.
Adam: Basic cybersecurity measures do not need to be expensive. Organizations have access to some basic security components that can help create a foundation for an affordable yet effective security posture. Some of the most effective are: 1) next generation email filtering/security solutions which can detect more advanced email threats, such as phishing emails and infected attachments with ransomware, and prevent them from reaching users; 2) next generation endpoint protection that detects and defends against today’s sophisticated malware; and 3) active web (DNS) filtering that can prevent users from intentionally or unintentionally visiting restricted websites and mitigate the risk of users clicking on a link to a malicious website.
Q: How often should a nonprofit reassess its incident response plan?
Adam: Organizations should view an incident response (IR) plan as a key component of their risk management process, which involves defining the organization’s sensitive data, where it is, who has access to it, probability and consequences of a breach, and cost to remediate and protect.
The IR plan is a living document and should evolve along with changes in the organization’s technology stack, personnel, services and type of clientele served. At a minimum, we recommend a bi-annual review with all stakeholders and with everyone who is part of the IR process, such as department heads and IT service resources (both internal and external). This review should confirm all critical systems and processes that are needed to continue protecting data and delivering services and include relevant contact information for internal and external parties.
James: Nonprofits should re-evaluate their incident response plans bi-annually or after any major change in the organization. When revisions are made, the new plan should be communicated to all participants.
Q: What percentage of a nonprofit’s budget should be allocated to cybersecurity, and how does this compare to what you are seeing nonprofits spend on average?
James: This will vary by organization, but 15-20% of the IT budget is a good target to shoot for.
Adam: This is highly discretionary based on the size of the organization, type of sensitive data it stores and uses, and the results of their risk management processes. Regardless of the size, however, it is essential to have a budget – with a cybersecurity line item – in place.
Q: How can a nonprofit maximize the investment it makes in cybersecurity?
Adam: Ensure there is complete alignment with the board’s expectations of IT management. Develop a strategy and roadmap that are reviewed regularly to ensure actual security activities are consistent with roadmap benchmarks. Make sure cybersecurity measures are prioritized, managed and adjusted as security threats and the organization evolves. Any solution that is implemented should be “frictionless” from the user’s experience, avoid complexity and minimize any impact to their daily work routine.
James: Cybersecurity needs to be embraced by the entire organization. Employees should receive continual education, reminders and updates on new threats. Even if using a third-party provider, the IT team and management should be actively engaged in the cybersecurity process and remediation of vulnerabilities. Protecting the organization from cybercriminals should become a part of the organization’s culture to ensure its optimal effectiveness. Ongoing assessment of cybersecurity measures and proactive updates are also critical to maximizing the value of this investment.
Q: Who within the organization should be monitoring cybersecurity measures, in addition to IT professionals?
James: This oversight should not fall on the in-house IT department. Larger organizations may have a Certified Information Security Officer (CISO) who can manage this. But it may be more cost-efficient for smaller organizations to hire a vetted outside third party company instead, either an MSP (managed service provider) or MSSP (managed security service provider).
Adam: Ideally, the organization should have a steering committee with one or more participants having some level of IT or compliance experience. This way, not all of the responsibility falls back on one person, unless there is a qualified IT-level resource on staff. Additionally, it is helpful to have outside experienced resources (paid or volunteer) involved to provide complete transparency to the process, since they have nothing to gain or lose from the findings. This team can ensure the intended directives, plans and results are met, and if not, make appropriate recommendations or changes to get back on track.
Q. How can board members be more involved in promoting cybersecurity awareness and success?
Adam: The board must accept that they ultimately are responsible for ensuring a cybersecurity posture and culture that transcends all levels of the organization. There needs to be agreed-upon, documented and measurable alignment with management on what needs to be done, within what timeline and by whom. Board members need to understand the financial, liability, and compliance impact and consequences associated with no or inappropriate cybersecurity action, ensure the necessary financial and technical resources are made available, and hold management accountable for implementation. The board needs to ask questions to clarify threats, solutions and repercussions they do not understand. It is always a good idea to bring in either paid or volunteer cybersecurity expertise to assist the board with this undertaking.
James: It is important to have someone on the board who can walk the walk and talk the talk. Although the board will have the final say on any cybersecurity investment made, they cannot make the best decision if they don’t have the full picture. You can’t protect what you can’t see, so it is important to have factual information about how vulnerable the organization is. A cybersecurity advisor would play a vital role on the board for this purpose. Using the right tools and professionals to get the job done is easy, but understanding it is not. Most boards don’t fully understand cybersecurity, and it’s a large part of why the sector is lagging behind.
James Rocker is CEO of Nerds that Care, a leading provider of IT managed solutions, tech support and cybersecurity services to nonprofits across Long Island and New York City. He can be reached at firstname.lastname@example.org.
Adam Weiss is the General Manager of Atlantic Tomorrow’s Office, where he and his team offer office technology, document management, IT support and other solutions to nonprofits and business across a variety of market sectors. He can be reached at email@example.com.