For nonprofits and foundations, the worst approach to cybersecurity is to be so paralyzed by the threat — or the lingo — that you do nothing.
“It’s this huge, scary thing,” says Katie Niemann, director of IT and facilities at the Houston Endowment. “But the one nice thing about cybersecurity is that there are a lot of basic steps you can take to protect your organization.”
Here’s how to start:
Make cybersecurity a priority at the highest levels.
That starts with the board, says Ann Cleaveland, executive director of Berkeley’s Center for Long-Term Cybersecurity. “Nonprofit boards should absolutely be asking their executive director these questions,” Cleaveland says. “Is the organization thinking about their fundraising strategy holistically with cybersecurity incorporated? The board doesn’t need to get hands-on — such as helping set up a VPN — but they need to know the right questions to ask.”
The board’s emphasis on cybersecurity will empower the IT director to speak up about changes the charity needs to make. IT directors in the nonprofit sector used to try to piece together data protection on their own, rather than request greater support from top executives, says Michael Enos, TechSoup’s senior director of community and platform. “That’s the shift I’m seeing,” he says. “There’s more talk up and down the organization in terms of how to address data security, data privacy, and data-loss prevention.”
Put someone in charge.
Even midsize charities may not have the resources to hire a full-time IT security officer. Stand for Children, in Portland, Ore., has more than 125 employees, and cybersecurity is just one of the responsibilities for the charity’s IT infrastructure manager. It’s his responsibility to identify when the organization needs to reach out to a local security company for more “bench strength,” says Emily Phan, the nonprofit’s executive technology officer.
“You may not have a chief security officer,” says Joel Urbanowicz, director of digital workplace services at Catholic Relief Services, “but you need someone whose responsibilities include cybersecurity. It’s got to be somebody’s job.”
Establish a plan for how to respond to an incident.
In its most recent survey on cybersecurity at nonprofits, NTEN found that only about 20 percent of organizations had a written plan for how to respond to a breach. “That’s foundational to being able to understand what to do, no matter what happens,” says Amy Sample Ward, chief executive of the capacity-building organization.
TechSoup recommends using cybersecurity guidance provided by the federal government, including the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology, which offers dozens of templates for cybersecurity policy, including one for an incident response plan.
“You can put the best system in place and still have a security event,” Enos says. “It’s really about how you respond. You don’t want to be scrambling around. You need to have a plan in place, listing where the critical data is and a plan for how to recover it.”
Move to the cloud.
More and more charities are moving their data from an on-premises data center to one of the large cloud-computing providers, such as Amazon, Google, or Microsoft. One reason for making the move is that those huge tech companies have far greater resources to defend against cyberattacks than a small in-house IT team does.
“Microsoft will always do a better job than random IT guy,” Niemann says.
Jim Fruchterman, founder and CEO of Tech Matters, which helps social-change organizations use technology, says he’s been a longtime critic of the “data-hungry hippos in Silicon Valley,” but he believes the large cloud providers are the good guys when it comes to security.
“They make it harder for you to make stupid security mistakes,” he says, “and they do a lot to nudge you on to a secure path.”
Restrict access to only those who need it.
Nonprofits can reduce the odds of a breach by allowing employees to have access only to the systems they need to do their job. “If you don’t need to access the donor systems or the financial systems or the beneficiary data systems to do your job, then policies need to be drafted so that you can access what you need for your job but not everything else,” says Justin Spelhaug, Microsoft’s vice president of tech for social impact.
Likewise, most identity and email systems can be configured to flag a sign-in from an unfamiliar location, which can contain the damage if an employee’s credentials are stolen. “If this person normally logs in from Virginia and now he’s logging in from Taiwan or Ukraine, you can set up a policy to block that person until the admin says ‘I want to let that person in,’” Enos says.
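The check Enos describes, as an added example that is not code from the article or from any of the organizations it quotes: a short Python script that builds each user’s baseline of sign-in countries from a constructed sign-in log, holds any sign-in from a country outside that baseline until an administrator approves it, and never lets a blocked attempt “train” the baseline. The log format, usernames, country codes and the 30-day lookback window are assumptions for illustration.

```python
"""Flag sign-ins from a country the user has not signed in from recently.

Added example, not from the article. Each constructed log line is a successful
sign-in as an identity provider might export it: ISO timestamp, username,
two-letter source country. The format and the 30-day window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data).
SIGNIN_LOG = """\
2024-03-01T08:02:11Z,alice,US
2024-03-02T08:05:40Z,alice,US
2024-03-03T17:44:02Z,alice,US
2024-03-01T09:10:00Z,bob,CA
2024-03-02T09:12:30Z,bob,CA
2024-03-15T03:21:09Z,alice,TW
2024-03-15T09:00:00Z,bob,CA
2024-03-16T04:02:00Z,alice,TW
2024-03-16T08:00:00Z,alice,US
2024-03-16T22:47:55Z,bob,UA
"""

WINDOW_DAYS = 30  # assumed lookback for "where does this user normally sign in from"


def parse_log(text):
    """Parse 'timestamp,user,country' lines into (datetime, user, country) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, country = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, country))
    return events


def evaluate_signins(events, approved_exceptions, window_days=WINDOW_DAYS):
    """Return a list of (user, country, decision) in chronological order.

    approved_exceptions maps user -> set of countries an admin has explicitly
    allowed after reviewing a blocked attempt (the "I want to let that person
    in" step). Only allowed sign-ins are added to the user's history, so an
    attacker cannot make a new location look familiar by retrying.
    """
    history = defaultdict(list)  # user -> [(timestamp, country)] of allowed sign-ins
    decisions = []
    for ts, user, country in sorted(events):
        cutoff = ts - timedelta(days=window_days)
        recent = {c for t, c in history[user] if t >= cutoff}
        if not history[user]:
            # First sign-in ever: nothing to compare against, so enroll it.
            decision = "allow"
        elif country in recent or country in approved_exceptions.get(user, set()):
            decision = "allow"
        else:
            decision = "block_pending_admin"
        if decision == "allow":
            history[user].append((ts, country))
        decisions.append((user, country, decision))
    return decisions


def pending_review(decisions):
    """Distinct (user, country) pairs an admin still needs to approve or reject."""
    return sorted({(u, c) for u, c, d in decisions if d == "block_pending_admin"})


if __name__ == "__main__":
    events = parse_log(SIGNIN_LOG)
    for user, country, decision in evaluate_signins(events, {}):
        print(f"{user:6} {country}  {decision}")
    print("needs admin review:", pending_review(evaluate_signins(events, {})))
    # After the admin approves TW for alice, only bob's UA sign-in stays blocked.
    print("after approval:", pending_review(evaluate_signins(events, {"alice": {"TW"}})))
```

In a real deployment the history would come from the identity provider’s sign-in log rather than a string, and the approval list would be stored per user rather than passed in; the point the code makes is that a blocked sign-in must not update the baseline, or the control defeats itself.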
Remember the basics.
Require multifactor authentication, especially for top executives, who are most likely to be targeted for hacks, and for anyone seeking to access sensitive files. Regularly back up any important data, and test that the backups can be restored. Encrypt the disks of laptops that hold sensitive data. Enable automatic software updates. Sign up for alerts from cloud providers so you can learn about, and prepare for, any new types of attacks. Consider single sign-on, so that each employee uses one identity to reach all the software applications at your organization (email, grants management, accounting, etc.) and there is only a single identity to protect; that identity then needs multifactor authentication above all others.
“Basic security hygiene still protects against 98 percent of attacks,” Spelhaug says.
Provide employees with cybersecurity education.
Stand for Children asks employees to go through cybersecurity training each year — but makes it relatively painless by dividing the education into three online segments, none lasting more than 15 minutes. The charity offers a shot at prizes for those who complete the trainings.
Stand for Children, Catholic Relief Services, and the Houston Endowment all contract with cybersecurity education providers to do simulated phishing — sending unannounced emails to test their employees and see if they are duped. Catholic Relief Services asks employees who are fooled by the simulated phishing to go through a brief refresher on how to avoid falling prey to a scam.
“We try to be positive, not punitive,” Urbanowicz says.
Don’t go too far.
“You need to strike a balance between strong security and reducing friction for people,” Niemann says. “You cannot stop the work. The ultimate cybersecurity control would be unplugging everyone’s internet.”
Be smart if there’s a security breach.
Access Now operates a 24/7 hotline worldwide to help civil-society organizations respond immediately after an attack. Rob Shavell, chief executive of the online-privacy company DeleteMe, says charities should report a cyberattack to the police. “They’re more effective than most people would think in being able to understand where the attack is coming from and the nature of the threat,” he says.
Organizations should consider disposing of a computer infected with malware if fixing the problem is too labor intensive, says Phan, of Stand for Children. She also advises restricting the access rights for several weeks of any employee whose account has been hacked. For example, if a staff member in the accounting department is hacked, don’t let the employee continue to transmit checks to the bank. Get another employee authorized to do that work until you’re sure the breach has been fixed.
“When you operate from that perspective of ‘I’m not here to catch the criminal — I’m here to protect myself,’ then you say, what’s that next level of protection?” Phan says. “It’s prevention.”