It’s easy to think of a data breach as something that only happens to massive companies like Netflix, Target, and Equifax. The reality is that, more often than not, small and medium-sized businesses are the target of cyberattacks, which makes the nonprofit sector a prime target as well. Here are three ways to protect your nonprofit from a bad actor.
According to the CountyOffice.org website, there are 52 charities and nonprofits in Baltimore County, Maryland. With a population of 828,637 people in 599 square miles, this translates to one charity and nonprofit per 15,935 people. One of the basic tenets regarding cybersecurity is that the weakest link in any organization will be the human element. By that logic, the more people a nonprofit organization comes into contact with, the greater the risk of them being exposed to a cyberattack.
Why are Baltimore Nonprofit Organizations at Risk?
The reason why Baltimore nonprofits are at risk isn't unique to Maryland. The reality is that most nonprofit organizations don't have strong IT security measures in place, either due to a lack of resources or experience with the level of cybersecurity needed to protect their organizations. Cybercriminals know this, as they are often looking for the path of least resistance.
A cybercriminal can have a lot to gain from infiltrating your network, and it isn’t always about holding your data hostage. Simple contact records are valuable enough to cybercriminals, but attacks could also be politically motivated, or carried out simply to cause chaos.
Often, nonprofits share data with more prominent and financially rewarding organizations too, and cybercriminals know that it can take a considerable amount of time and effort to gain access to an enterprise-level company. In that case, it may be easier to use techniques such as phishing to gain access to the nonprofit's data and then access the enterprise-level organization's information, using the nonprofit organization's credentials to make contact.
This technique is known as spear (or, if specifically targeting an organization’s leadership, whale) phishing. Cybercriminals create personalized attacks, often using authentic credentials, making it easier for them to bypass large organizations' protections and fool C-level executives into sharing high-level sensitive information.
For example, a director at a nonprofit organization could get an email that looks like it is coming from a major vendor or sponsor. It asks the director to log into their account to access something, download a report, or something similar.
Instead, the director is sent to a phishing site that captures their credentials and grants the cybercriminal access. It can go in other directions as well—a cybercriminal could deliver a payload of malware in the hopes that it will infect the whole organization and possibly spread to its contacts.
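As an added example (not part of the original article), here are the checks a mail filter or IT team can run on a message like the one described above: does the sender's domain imitate a real partner, and does a link display one address while pointing at another? The trusted domains, the sample message and the 0.85 similarity threshold are constructed assumptions.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"bigsponsor.example", "vendorportal.example"}  # assumed allow-list of real partners
SAMPLE_FROM = "reports@bigsp0nsor.example"  # constructed sample sender (zero instead of "o")
SAMPLE_HTML = ('<p>Download it: <a href="https://login.bigsp0nsor.example/signin">'
               'https://bigsponsor.example/reports</a></p>')  # constructed sample body

def base_domain(host):
    # Simplification: last two labels; real code should consult the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def imitates(domain, threshold=0.85):
    # Trusted domain that `domain` closely resembles; None if trusted or unrelated.
    if domain in TRUSTED:
        return None
    close = (t for t in TRUSTED if difflib.SequenceMatcher(None, domain, t).ratio() >= threshold)
    return next(close, None)

class Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # start collecting the visible text of this link
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def analyze(sender, html):
    findings = []
    sender_domain = base_domain(sender.rpartition("@")[2])
    if imitates(sender_domain):
        findings.append(f"sender {sender_domain} imitates {imitates(sender_domain)}")
    parser = Links()
    parser.feed(html)
    for href, text in parser.links:
        target = base_domain(urlparse(href).hostname or "")
        shown = base_domain(urlparse(text).hostname or "") if "://" in text else None
        if shown and shown != target:  # visible URL and real destination disagree
            findings.append(f"link shows {shown} but goes to {target}")
        if imitates(target):
            findings.append(f"link target {target} imitates {imitates(target)}")
    return findings
```

Calling `analyze(SAMPLE_FROM, SAMPLE_HTML)` returns three findings for the constructed message; a message sent from a trusted domain with links to that same domain returns none.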
Three Steps Baltimore Nonprofits Should Take to Protect Their Data
Two-Factor Authentication
Two-factor authentication, also known as 2FA or multi-factor authentication, is one of the fundamental methods to control who can access your system. As the name indicates, 2FA requires two different types of verification to gain access to the system. Verification is usually a combination of a password and a code sent to a device (such as a phone). However, biometric identifiers such as fingerprints and voice, or physical devices known as security keys, can also be used. This means that if a password is compromised, it’s still extremely difficult for a cybercriminal to gain access to anything that is locked behind 2FA.
Team Training
As we noted earlier, cybercriminals rarely attack your systems directly; they target your team. The reason is that your team is easier to fool into sharing sensitive information than your technology ever will be. All it takes is one team member clicking on a link in an email to expose your system to ransomware attacks via phishing or other social engineering attacks. This is why it is essential to train your team, particularly your C-level executives, to recognize a suspicious email and, most importantly, tell your IT department when they encounter one.
Backup and Recovery
The final step your nonprofit organization needs to implement is ensuring that you can retain control of your data should your organization suffer a data breach. Many organizations don't understand that a cybercriminal's real power over your business is their control of your data. As such, the only way to successfully survive a ransomware attack is by having a backup of your data in place and a way to quickly recover it.
Whenever we read of a business that felt they had no choice but to pay the ransom for their data, it's because they didn't have a backup of their data. What makes this so problematic is that it's not unheard of for cybercriminals to withhold the stolen data or to release only incomplete versions of it, forcing the victim to recreate the lost data anyway.
Baltimore Nonprofits Can’t Afford To Lose Control Of Their Data
Nonprofits often rely on razor-thin margins and reputation to gain and retain the support their organization needs to thrive. Few things can damage an organization’s reputation and trust faster than a data breach, except hiding that you had one or being responsible for another organization getting hacked due to your lax cybersecurity preparations. This is why it is essential to ensure your data is protected.
With Dresner Group as your IT partner, you won’t risk your organization losing its ability to do its good work. Many nonprofits operate on tight margins and as such may be hesitant to invest in outside IT support out of budgetary constraints. A primary benefit of managed IT is that it offers organizations the ability to subscribe to tech support, as opposed to facing a large unexpected bill whenever something goes wrong with the technology their organization depends upon.
Give us a call at (410) 531-6727 to get our team on your side!