Nine Ways To Better Protect A Nonprofit From Cyber Attacks

Cyber attacks can have a huge impact on the financial, reputational, and operational health of a nonprofit. In RipRap Security’s combined 20+ years in the cyber security field, we’ve found the most cost-effective and efficient ways to protect our clients and partners from cyber attacks. Here are the top ways to make your nonprofit more secure:

1. Enable Multi-factor Authentication

Usernames and passwords can be stolen or guessed by an attacker, giving them access to your data and IT environment. By enabling Multi-factor Authentication (MFA), you can cheaply and easily add an additional layer of security to your logins. MFA typically involves installing an application on a mobile device or having a physical token that provides the user with a one-time PIN code that expires after a short time, limiting the usefulness of any stolen user credentials. The user enters this PIN code after entering their username and password. The effectiveness of this additional layer is based on the fact that even if an attacker has access to a stolen username and password, they lack access to this final piece of short-lived information that enables access to the account.

2. Conduct Backups and Test Data Recovery

Identifying and regularly backing up your critical business data is paramount to getting back to business as usual after a cyber attack. It is important to ensure that the backed-up data really does include all critical data and that the data restoration process is tested. Too often, an organization assumes that their backups have been working great for years - until it’s time to recover from an incident and they find that their backups provide only limited value. RipRap Security suggests speaking with your IT staff and asking them how often and where they back up your business-critical information. If tested and validated backups aren't regularly being taken by your organization, ask RipRap Security how to get started.
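The two failure modes the paragraph warns about (the backup silently missing critical files, and a restore that does not reproduce what was backed up) can both be caught by a routine restore test. The following is an added example, not code from the original article or from RipRap Security: it records a SHA-256 manifest when the archive is created, later restores the archive into a scratch directory and reports every file that is missing, altered or unexpected. The `demo()` function builds a small constructed directory tree with made-up nonprofit file names so the whole thing runs offline; the manifest edits inside it simulate a file that changed after backup and a file the backup never captured.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def create_backup(src: Path, archive: Path) -> dict:
    """Write src into a gzip tarball and return the manifest of hashes taken at backup time.
    Store the manifest separately from the archive so it can be checked against later restores."""
    manifest = hash_tree(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore the archive into a throwaway directory and compare it with the manifest.
    Returns {"missing": [...], "corrupt": [...], "unexpected": [...]}; all empty means usable."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                # Restore only plain files with safe relative names: an archive is untrusted
                # input, so absolute paths and '..' components are skipped rather than written.
                unsafe = member.name.startswith("/") or ".." in Path(member.name).parts
                if not member.isfile() or unsafe:
                    continue
                target = dest / member.name
                target.parent.mkdir(parents=True, exist_ok=True)
                with tar.extractfile(member) as fh:
                    target.write_bytes(fh.read())
        restored = hash_tree(dest)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupt": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }


def demo() -> tuple:
    """Constructed scenario: a clean restore test, then one where the manifest disagrees."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "donors").mkdir(parents=True)
        (src / "donors" / "list.csv").write_text("name,amount\nA. Donor,100\n")
        (src / "grants.txt").write_text("grant application draft\n")
        archive = work / "nightly.tar.gz"
        manifest = create_backup(src, archive)
        clean = verify_restore(archive, manifest)
        # Simulated problems: a file the backup job never captured (missing) and a
        # file whose content no longer matches what was recorded (corrupt).
        bad = dict(manifest)
        bad["donors/2023-ledger.csv"] = "0" * 64
        bad["grants.txt"] = "f" * 64
        tampered = verify_restore(archive, bad)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore:", clean)       # all three lists empty
    print("tampered restore:", tampered)  # missing and corrupt entries reported
```

Scheduling `verify_restore` against the previous night's archive, and treating any non-empty list as an incident for IT to look at, turns "we think the backups work" into a checked fact well before an attack forces the question.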

3. Enable Automatic Updates

Manufacturers of software and devices regularly provide updates to their products to address vulnerabilities that attackers can use to gain access to your organization. While some systems can automatically update, it is critical to ensure that all devices can and do receive updates. Keep in mind that automatic updates should be enabled for operating systems, the firmware of physical hardware like laptops and mobile devices, peripherals like printers and smart office equipment, as well as software and apps. Some organizations may be reluctant to enable automatic updating due to perceived risks to business operations associated with updating. Our team finds that most updates tend to be extremely reliable and that the security benefits outweigh any risk. If there’s concern about how updates may affect your organization, establishing a vulnerability management program can help ensure that updates are fully tested prior to deployment across your organization.

4. Take an Inventory and Document

Taking an inventory of your IT environment, devices and software helps you understand exposure to risk and take precautions to protect the organization. In addition, understanding and documenting your critical data, data flows, and points of integration with partners, clients, and service providers is also important. Full documentation also provides valuable insight to security experts that you may bring on to support you in case of a cyber attack on your organization. There are plenty of applications that can be used to manage an inventory, but an initial inventory in a spreadsheet can be a great way to get started.


Organizations are increasingly turning to cloud-based services to support their operations. It is important to understand what cloud services are being used by the organization, how those services protect your sensitive information, and to ensure that security precautions are in place to protect against attacks. While shifting data and business operations to the cloud can bring certain security benefits, it also introduces new considerations as the data now resides in someone else's network. RipRap Security can help you think through these considerations and balance security with business.

5. Perform Hardening of the IT Environment

IT environment hardening involves making configuration changes to software and devices to make them more resilient against attacks. These changes can greatly reduce the risk and impact of an attack by making the attacker’s work more difficult. Organizations like the Center for Internet Security publish hardening guides for various devices and software. If you have a strong IT staff, we suggest sharing the hardening guides with them. If you don’t, bringing in a knowledgeable cyber security firm to perform IT hardening activities is a great idea. As a bonus, experts can help strike a good balance between usability and security.

6. Improve Password Hygiene

Poor password hygiene is one of the leading causes of cyber attacks affecting nonprofits. Make sure that a strong password policy exists and that there are technical measures in place to enforce the policy. Passwords should be at least 8 characters long, but the more characters, the more secure. By now, many industry experts are aware of the XKCD comic proposing a new way to think about password complexity. By enforcing arbitrary complexity requirements over password length, we've created passwords that are difficult for humans to remember, while complexity doesn't make a big difference to a computer guessing a user’s password. While password complexity doesn't hurt, length will do more for you in making passwords difficult for an attacker to guess.


Users should also be provided a password management tool, which is a powerful way to improve password hygiene. This is because a password manager will generate unique, strong passwords for each service, and store them securely in an encrypted database.
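The "technical measures to enforce the policy" from the previous section and the "generate unique, strong passwords" role of a password manager can both be shown in a few lines. This is an added example, not code from the original article or from RipRap Security. The policy it enforces is the one stated above: a floor of 8 characters with longer preferred, and no composition rules; on top of that it rejects passwords found on a known-compromised list, which here is a tiny constructed stand-in for the large breach corpora real deployments use. `guess_space_bits` gives the size of the search space for a uniformly random password of a given shape, which is the arithmetic behind "length does more than complexity" (for human-chosen passwords it is only an upper bound), and `generate_password` does what a password manager does, drawing from the operating system's CSPRNG via `secrets`.

```python
import math
import secrets
import string

# Constructed stand-in for a breached-password denylist. A real deployment checks
# against a large corpus of passwords seen in breaches, not a handful of literals.
DENYLIST = {"password", "password1", "welcome1", "letmein", "qwerty123", "summer2024"}

MIN_LENGTH = 8  # the floor given in the guidance above; longer is better


def check_password(candidate: str, denylist=DENYLIST, min_length: int = MIN_LENGTH) -> tuple:
    """Return (accepted, reasons). Length and the denylist decide; there are no
    character-class requirements, since those mostly hurt memorability."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if candidate.lower() in denylist:
        reasons.append("appears on the known-compromised list")
    if len(set(candidate)) == 1:  # e.g. "aaaaaaaaaaaa" passes the length floor but is trivial
        reasons.append("repeats a single character")
    return (not reasons, reasons)


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of candidates an attacker must cover for a uniformly random
    password of `length` characters drawn from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def length_beats_complexity() -> bool:
    """Worked comparison: 8 characters from the full 94 printable ASCII symbols versus
    16 characters of lowercase letters only. The longer, simpler one has the larger space."""
    complex_short = guess_space_bits(8, 94)   # about 52 bits
    simple_long = guess_space_bits(16, 26)    # about 75 bits
    return simple_long > complex_short


def generate_password(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """What a password manager does for each service: a unique password drawn from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["Tr0ub4d", "Password", "correct horse battery staple", generate_password()]:
        ok, why = check_password(pw)
        print(f"{pw!r}: {'accepted' if ok else 'rejected'} {why}")
    print("16 lowercase beats 8 full-charset:", length_beats_complexity())
```

Enforcing the denylist at the point where a password is set is what closes the gap between having a policy and having it followed; the generator is the reason a password manager lets users meet that policy without memorising anything.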

7. Ensure Security Capabilities Are In Place

All organizations benefit from having security capabilities in place to defend against and respond to attacks. An Endpoint Detection and Response (EDR) tool improves upon traditional anti-virus software to provide additional security protection using artificial intelligence and machine learning. EDR tools help prevent attacks on workstations and other commonly attacked IT assets and support incident response efforts should they become necessary. Working with a cyber security expert to select and configure a firewall for your organization can also reduce the exposure to attacks. More advanced security capabilities, including zero trust architecture, can drastically reduce the organization's vulnerability and keep data secure.

8. Train the Workforce

An old cyber security adage says that “employees are the weakest link in the security of your organization.” Today, we know that employees who are given the right tools and cyber security knowledge can make an enormous, positive impact on the security of the organization. NIST (the US National Institute of Standards and Technology) offers a handful of security awareness courses, but we suggest working with a cyber security firm to provide tailored training that fits your organization’s needs. We suggest that employee training includes topics on:

  • How to identify and prevent common attacks against your type of organization

  • What employees should do if they think they are experiencing a cyber attack

  • How to keep safe while working online

  • How to handle sensitive information

  • Employee security responsibilities

  • Home office security

9. Establish Rules of the Road

Setting clear policies about the proper use of the IT environment gives employees guidance on permitted and not-permitted activities, how to handle sensitive data, and what to do in case of a cyber attack. The SANS Institute has published some foundational security policy templates that organizations can use to get started. A security expert can also help devise a custom set of policies for your organization that enable the business instead of hindering it.


Getting Started

Our team hopes this guide helps your organization become more resilient and secure. Have you already implemented a few of these items, but don’t know how to move forward now? Click this link to schedule a free 30-minute consultation with RipRap Security. We’ll discuss your current security initiatives, cyber security goals, and how our team can help you become more cyber secure so you can focus on your organization’s mission.

About RipRap Security

RipRap Security is a cyber security consulting company focused on bringing decades of experience supporting the US Federal Government in preventing and responding to cyber attacks to nonprofits that make communities a better place. For more information, please visit our website and find us on LinkedIn and Twitter.
