Cybersecurity not just an IT problem? : Tips for Nonprofits

Nonprofit and charitable organizations have to defend themselves from a number of the same digital threat actors that governments and big businesses. The number of attack on nonprofit and charitable organizations has only increased since the beginning of the pandemic. If your organization collects or holds any digital records with people’s private information, you are responsible for protecting that information from cyber threats.

So, what do you need to know?

I sat down with Kathryn Cameron, COO of Beauceron Security to talk about some of the biggest misconceptions about cyber security, and what nonprofits can do to protect themselves. I asked Kathryn what are some of the biggest misconceptions about cybersecurity? She promptly responded: “cybersecurity is not just an IT problem”. And it is so true, according to the Netwrix 2020 Cyber Threats Report,  48% of the organizations surveyed reported phishing attacks during the first three months of the pandemic. Phishing attacks can be easy to spot, but they can also be very targeted, commonly known as spear phishing.

Spear phishing attacks are maliciously clever forms of social engineering, and can be so convincing that even C-level executives can easily fall victim to these manipulative schemes. Kathryn shared with me one story of a nearly successful spear phishing attempt on a nonprofit customer of theirs.

The CFO of the nonprofit had received an email from someone pretending to be the CEO, asking for a transfer of a large sum of money. It didn’t seem suspicious, likely because the attacker had gained access to the CEO's previous communications. They knew exactly how the CEO would sound, and how they would articulate themselves in an email. It was only by fluke that they were able to prevent the transfer, because they bumped into each other in the hallway before the transfer was sent.

“That story highlights just how important the role of people are in protecting the organization”, Kathryn said. One of the most important and overlooked factors in cybersecurity, is increasing the awareness of cyber threats for your whole team.

So I asked Kathryn to give me some tips on how nonprofits can do just that:

1) Make cybersecurity something that your team cares about, and the best way to do that is for leadership to care first, and not just in IT departments. “The more you care about something, the more your team will care about something.”

2) One way to show your team that you care, is to invest proactively in cybersecurity. Sometimes it is difficult to measure the ROI of a security platform if you haven’t had the unfortunate experience of being successfully targeted by cyber attacks.

3) Making sure your security policies are up to date, most experts recommend that policies be reviewed annually. An easy way to ensure a policy review is not forgotten is to build it  into your corporate calendar. Find samples on up to date security policies that you can download for free here!

4) Make sure your team understands that cybersecurity is not just an IT issue, that they also have a responsibility to keep their organization safe. The Janitor may be responsible for cleaning and locking up the office at night, but all employees have different responsibilities when it comes to keeping the office safe, and the same goes for cybersecurity.

5) Recognize good behaviours, like reporting suspicious activity and phishing attempts. Recognition can be as simple as congratulating an employee that reported a phishing email to their manager in a company wide newsletter.

6) Training your team on how to recognize attacks--a big red flag for phishing is if it evokes an emotional reaction or sense of urgency. Here are some free courses on how to avoid falling for a phish, cybersecurity for remote workers, and social media scams you should know!

Prevention is key when it comes to protecting your nonprofit and those who support it.As Kathryn puts it, “we know that the most secure company in the world is the one that doesn’t exist.” With nonprofit organizations taking more of their fundraising and data infrastructure online, and having more employees working from home, try and mitigate potential cybersecurity risks with a whole team approach!