Getting started with a cyber security for NPOs: 5 simple steps

Nonprofit Organizations play a vital role in making a difference in our local communities and across the world. Like any other business, charities are increasingly reliant on IT and technology – to stay in touch, to collaborate, and to track projects, programs, and critical information.

Losing access to this technology, having funds stolen or suffering a data breach through a cyber-attack can be devastating, both financially and reputationally.

In our last post we highlighted the threat that nonprofits face, and how attacks take place. In this post, we hope to identify a few simple steps to help you mitigate and protect yourself against cyber-attacks.

We know through our work with smaller nonprofits that time and cost are significant concerns and oftentimes technical knowledge causes barriers as well. These steps are low cost and low effort but high impact in protecting yourself from and mitigating against the effects of an attack.

1 - Backup your data

Think of all the data you use or have stored about your cause. The critical data, your supporter details, beneficiaries, key documents and project plans. Now imagine how you would run without them.

Regardless of your size, or the work you do, you should take regular backups of your essential information.

You’re ensuring you’ll still be able to run after the effect of a system malfunction, theft or a flood – but you’ll also have backups that you’d be able to quickly return to in the event of a cyber-attack.

We know that backups are not the most interesting thing to do (and we know you have much more important tasks that you feel take priority), which is why we provide different back solutions for Nonprofits, BackupSimple for instance; a low-cost and low-effort solution that helps backup and take care of your most critical data. We take care of the configuration and setup too.

2 - Protect your charity from malware

Malware (Malicious Software) is software or content designed to harm your systems and your nonprofit, with common attacks such as WannaCry. Often, they take the form as replicating viruses that infect your systems before spreading further – and can encrypt entire devices or servers before requiring a ransom to be paid.

The most obvious step is to ensure all your devices have up-to-date antivirus installed and running. Most operating systems come with one pre-installed (so it’s just a case of making sure it’s turned on). Services such as Microsoft Defender for Endpoint provide further features to help you protect your devices and users at point of attack and use more intelligent detection methods as attacks continue to evolve.

You should also ensure the software you use on your PCs and mobiles and your servers is kept up to date. Vendors and suppliers often supply updates or patches to add added features and importantly, remediate security vulnerabilities. Software can update automatically, so where available and sensible, ensure this is enabled.

Sometimes old software is no longer supported. This poses a risk when security updates are no made available, and you should consider replacing or upgrading with modern solutions.

To prevent these problems, SoftwareOne provides a complete overview of software that will no longer receive support in the near future, enabling you to be proactive. Anticipating the situation makes the risk more controllable, and potentially avoidable.

3 - Keep your smartphones and tablets safe

Mobile devices are now critical in our professional and personal lives. It’s how we stay connected to our colleagues and volunteers or how we access data. There is an ever-increasing amount of data stored or accessed by tablets and smartphones – and because you’re carrying them with you, they require additional protections to stay secure.

First – ensure all your mobile devices and tablets have a passcode. The longer the better, but at least 6 characters is good (though try to avoid using your birthday as your code). If your mobile phone or tablet supports it, using finger or face recognition in place of a password is good too.

Trustees, staff and volunteers are often in the field, and it’s more likely that they lose their device (via theft or … just misplacing it) whilst out of the office or their home. Both Android and Apple devices have free tools that can help you:

• Track the location of your device.
• Remotely lock access to the device.
• Remotely erase the data on the device.

These all help in the instance when a mobile device that may have critical data goes missing in the field.

Finally, just like with your PCs and Laptops, ensure your mobile phone software, and your apps are kept up to date. Where possible, allow your device and apps to update automatically so you don’t have to spend time to do this manually.

Whilst these actions for phones and tablets might seem like a daunting task, you can use services like Microsoft Intune available with Microsoft 365 to help implement and enforce these small steps.

4 - Using passwords

Your computers, mobile devices and online services like your email or file shares all hold important and sensitive data such as information of your supporters and beneficiaries. This data should be accessible only to you, and not unauthorized users.

Passwords, when used correctly, are free, and a critical line of defense to prevent unauthorized users accessing your devices and information.

There are guides available online on how to create a good password (such as Three Random Words from the UK’s National Cyber Security Centre). Many devices now support fingerprint or facial recognition to sign in too, so you might not need to enter a long password as often.

Next, Multi-factor Authentication (MFA) (or Two-Factor Authentication (2FA)) is a simple but efficient way to secure your accounts. In fact, MFA can block over 99.9% of password compromises.

MFA requires two or more different methods to “prove” your identity – often something you know (your password), coupled with something you have (like a mobile phone or a card reader). Many online services including Microsoft 365 or Salesforce support Multi-factor Authentication.

Good password practice also means using a different password for each site or service you use. Password reuse is unfortunately a common attack method, and one that is mitigated through good password discipline.

But we also know that you might use lots of different systems to run your nonprofit – from online services to work together, financial systems, and your relationship management tools.

Password Overload is a real thing, so using a password manager is helpful, as is making sure that passwords are easy to reset (as people will forget them!). If you need to write down passwords, keep them separate from the device, and locked somewhere secure.

Finally, don’t burden your staff with overly complex requirements or frequent password changes. This will lead to people creating simple passwords to meet the requirements (P@55W0rd!) or simply incrementing numbers (P@55W0rd!1) – both of which are easily bypassed.

5 - Avoid phishing

For untargeted Phishing, or targeted Spear Phishing, attackers send fake messages or try to trick users into showing sensitive information such as financial data, or usernames and password. Attackers might try to trick you into sending money, steal your details to sell on, or they may have political motives for accessing your nonprofits’ information.

In the first post, we talked about how social engineering and phishing are extremely common forms of cyber-crime that often lead onto more serious and damaging attacks. First – ensure that your users only have access to the data they need to, so if an attack is successful, the damage is reduced. Protect critical services like your email or finance systems with multi-factor authentication too, this again just means that if a password is taken, there is a second layer of protection.

Many phishing attacks happen via email – so it’s important to protect the most common form of attack. There are many email security services available, and most online provides such as Microsoft also offer email protection as part of their advanced suites. Whilst technical solutions help mitigate some messages, other forms of phishing, such as via text message or social media are still common and require a more proactive people-focused approach.

Consider how someone might target your organisation and make sure that your trustees, staff and volunteers all understand ways of working so that it’s easier to spot requests out of the ordinary. Attacks are often simple – an email attachment that looks like an invoice, that when opened installs malware on the device, or a request to transfer money to someone pretending to be from your organisation.

Spotting phishing is a critical skill that everyone in your organisation should have – these are three methodical steps to see if a message is genuine:

It’s in the detail

Many scams are generated overseas and have poor spelling or grammar. Others will try to copy the colours, logos and fonts used by official organizations.

Does this message look like one you have received in the past – is the quality what you would expect of the organisation that sent you the message? Is the email addressed to you by name? Oftentimes language like ‘valued customer’ or ‘friend’ is used instead because the sender doesn’t know you and is an indicator this could be a phishing message.

Authority and urgency

Attackers want you to act fast, or without questioning. Does the message ask you to send details within a certain time, or to visit a website at once? Do they want to access your systems because of a virus and need you to act now?

Alternatively, is the message pretending to be someone high-ranking in your organisation, or a large beneficiary? Does the sender sound legitimate? What is the purpose behind the ask, and can you verify the request through another means, such as contacting their management directly?

If it’s too good to be true, it probably is.

A large donation to be made or promises of sponsorship if you sign into a website they’ve sent, or if you provide your banking details.