CyberSecurity for Nonprofits and Small Businesses: Best Practices to be CyberSmart
While October is “National Cybersecurity Awareness Month,” awareness of cybersecurity should be an ongoing, year-round activity. This year’s theme, Own IT. Secure IT. Protect IT., focuses on personal accountability and encourages everyone to take proactive steps to improve cybersecurity at home and in the workplace.
In this blog post, we share some best practices and actionable tips on how you and your nonprofit can Own IT. Secure IT. Protect IT.
Why Should You Care?
There is a common misconception among nonprofits that attackers only target for-profit businesses or larger organizations. But many nonprofits collect and store sensitive personal data about donors, confidential client emails, and records of volunteers and employees. Attackers also know that small organizations tend to have fewer defenses, which makes them attractive targets. If your organization captures any form of personally identifiable information, there are real risks to your nonprofit's data security.
Cybersecurity should be a concern for every organization, irrespective of size or industry, and for individuals and government agencies alike. Anyone using a smartphone, computer, or any other device with internet access can be the next victim of a cyberattack. If you need more convincing, check out this article for some eye-opening cybersecurity statistics for 2019 -> https://www.thesslstore.com/blog/80-eye-opening-cyber-security-statistics-for-2019/
Own IT: Understand your digital profile
Know what devices are owned by your nonprofit and take responsibility for data that gets accessed, downloaded or shared on these devices and on third parties’ devices.
- Create an asset management list of all the hardware devices owned by your nonprofit. Every laptop or desktop issued to an employee, contractor, or volunteer should carry a barcode or asset tag for tracking. Other assets such as printers, scanners, and hotspots should also be listed and tracked, so that a lost or stolen device is noticed and its accounts can be revoked quickly.
- BYOD (Bring Your Own Device) policy: It is common for employees to bring their own smartphones, tablets, or laptops to work. Organizations need to be mindful of how these devices connect to their Wi-Fi network and what data they can reach. A clearly defined policy about what information may be accessed on each type of device is therefore critical. For instance, you can prohibit downloading the organization's financial data to personal mobile devices, or set conditions (such as a screen lock and up-to-date operating system) for viewing sensitive donor data on a personal device.
- Take ownership of data that gets accessed and shared through enterprise applications such as Microsoft Office, G Suite, or your donor management solution. Use access management to limit who can see sensitive data, and review sharing and privacy settings whenever critical data is shared online. For instance, when two or more team members collaborate on a Google Doc, make sure the sharing settings allow only those team members to view and edit it, rather than “anyone with the link.”
Secure IT: Secure your digital profile
For your nonprofit organization to be CyberSmart, you have to think about securing everything that you own. That means every endpoint and entry point: workstations and laptops, smartphones, applications, website and cloud logins, Wi-Fi, and so on.
Create Strong Passwords
This might seem obvious, but a surprising number of accounts still fail to follow this simple practice. Research shows that passwords like “password”, “12345678”, or “qwerty” are still in common use, and these are the first guesses an attacker tries. The good news is that companies like Google are helping users spot bad passwords. Check out their “Password Checkup” feature, which warns you when a password saved in your Google account has appeared in a known data breach or is reused across sites.
Use Passphrases instead of Passwords
Cybersecurity experts now recommend passphrases instead of passwords. A passphrase is a string of several words (optionally with numbers), and its strength comes mainly from its length: a sequence of unrelated words is far harder to guess by brute force than a short password with a few symbols, yet much easier to remember. For example, “Sam loves cooking shrimps google 2781” or “Sam loves cooking on weekends Wells Fargo 1267”. It should be easy enough for you to remember but long enough that guessing it is impractical, and it should not be a well-known quote or song lyric, since those appear in attackers' word lists.
Pro tip: No two accounts should have the same password.
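To make the “length beats complexity” point concrete, here is a small added example (not code from the original post or the workshop) that estimates how many bits of guessing work a password or passphrase represents and generates a random passphrase with Python's `secrets` module. The word list is a constructed sample of a dozen words; a real Diceware-style list has 7776 words, which is the figure used in the entropy estimate. The guessing rate of ten billion guesses per second is an assumption representing an attacker with a GPU cracking rig.

```python
import math
import secrets
import string

# Constructed sample word list for the generator. A real Diceware list has 7776 words;
# use one of those in practice, the entropy of a passphrase depends on the list size.
SAMPLE_WORDS = ["shrimp", "weekend", "cooking", "garden", "paper", "violet",
                "ladder", "orbit", "mustard", "quiet", "tango", "harbor"]

# Constructed list of the weak passwords mentioned in the text; a real check would use
# a breached-password list such as Have I Been Pwned's.
COMMON_PASSWORDS = {"password", "12345678", "qwerty"}


def is_common(password: str) -> bool:
    """A password on the attacker's list is guessed in the first few attempts,
    whatever its theoretical entropy."""
    return password.lower() in COMMON_PASSWORDS


def charset_entropy_bits(password: str) -> float:
    """Upper bound on entropy: assumes every character was chosen uniformly at
    random from the character classes that actually appear in the password."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation or c == " " for c in password):
        pool += len(string.punctuation) + 1
    return len(password) * math.log2(pool) if pool else 0.0


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n_words drawn uniformly at random from a list of wordlist_size."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words: int = 6, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Pick words with the cryptographic RNG, never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years needed to try every possibility at the assumed guessing rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["password", "Sh4rk!9", "Tr0ub4dor&3"]:
        bits = charset_entropy_bits(pw)
        print(f"{pw!r}: {bits:.1f} bits (upper bound), common={is_common(pw)}, "
              f"{years_to_exhaust(bits):.2g} years to exhaust")
    bits = passphrase_entropy_bits(6, 7776)
    print(f"6 Diceware words: {bits:.1f} bits, {years_to_exhaust(bits):.2g} years to exhaust")
    print("sample passphrase:", generate_passphrase(6))
```

Note that `charset_entropy_bits` is only an upper bound: “password” scores about 37 bits by that measure but is guessed instantly because it is on every attacker's list, which is why `is_common` is checked first. Six words from a 7776-word list give roughly 77 bits, and the estimate scales with the size of the list you draw from, not the twelve-word sample above.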
Download Password Vaults
Stolen and weak passwords remain a concern for organizations, especially when one password is reused across accounts. An easy way to address both is a password vault, or password manager. It stores all your passwords in an encrypted vault protected by a single master passphrase (which should itself be strong and protected with multi-factor authentication), and it can generate a long, unique, random password for every account so you never have to remember them. LastPass, Keeper, and 1Password are examples of widely used password managers.
Pro tip: Forcing everyone to change passwords on a fixed schedule (every 60 or 90 days) is no longer recommended; NIST's current guidance (SP 800-63B) advises against arbitrary periodic changes because they push people toward predictable variations of the old password. Instead, change a password promptly when it is weak, reused, or has shown up in a breach, and use your password manager's built-in breach and reuse alerts so the whole organization is notified when that happens.
Multi-Factor Authentication (MFA)
Password theft keeps evolving: attackers use keylogging, phishing, and pharming to capture credentials, so a password alone cannot prove that the person logging in is who they claim to be. This has pushed online service providers to add a second check tied to something the user has. For instance, banks send a one-time code by text message or phone call, and many services support authenticator apps or hardware security keys. Text-message codes are better than nothing, but they can be intercepted through SIM-swapping, so prefer an authenticator app or a hardware key where the service offers one.
Multi-factor authentication is a security process that requires more than one independent method of authentication (something you know, something you have, something you are) to verify a user's identity. Nonprofits with many remote workers can use it to add a layer of security to every system that supports it, starting with email, the donor database, and financial accounts. Many MFA products also add risk-based checks, such as flagging logins from an unusual location, device, or time of day, and can require the second factor only when something looks off.
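The “something you have” factor behind most authenticator apps is TOTP (RFC 6238), a counter-based HMAC (HOTP, RFC 4226) where the counter is the current 30-second time step. The following Python is an added example, not code from the original post or the workshop, that implements both sides of that exchange using only the standard library. The 20-byte key below is the published RFC 4226/6238 test key, used here so the outputs can be checked against the RFC's test vectors; a real deployment generates a random key per user and shares it with the app as a Base32 string.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test key ("12345678901234567890" in ASCII). A real enrolment uses
# a fresh random key per user, e.g. secrets.token_bytes(20), shared once as Base32.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: float = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step.
    This is what the authenticator app computes and displays."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time // step), digits)


def verify_totp(key: bytes, submitted: str, for_time: float = None,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Server-side check. Accepts the code for the current step and `window` steps
    either side, to tolerate clock drift. Uses a constant-time comparison."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time // step)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + drift, digits), submitted):
            return True
    return False


def key_from_base32(secret: str) -> bytes:
    """Decode the Base32 secret as shown in an enrolment QR code (spaces and
    missing '=' padding are tolerated, as authenticator apps do)."""
    cleaned = secret.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def key_to_base32(key: bytes) -> str:
    return base64.b32encode(key).decode().rstrip("=")


if __name__ == "__main__":
    print("Base32 secret to enrol in the app:", key_to_base32(RFC_TEST_KEY))
    now = time.time()
    code = totp(RFC_TEST_KEY, now)
    print("code the app shows right now:", code)
    print("server accepts it:", verify_totp(RFC_TEST_KEY, code, now))
    print("server accepts it 2 minutes later:", verify_totp(RFC_TEST_KEY, code, now + 120))
```

Two things the example deliberately shows: the server never sees the key in transit after enrolment (both sides compute the same HMAC independently), and a code is only valid for a short window, which is what limits the damage from a phished one-time code. A production verifier should also remember the last counter accepted for each user and refuse to accept that counter again, so a code captured by a keylogger cannot be replayed within the window.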
Protect IT: Maintain your digital profile
If you own it, you must protect it.
Every organization must understand, secure and maintain its digital assets. Cybersecurity is not an IT problem, it is the responsibility of every single person working in an organization.
Build your Human Firewall
Periodically train and educate employees at every level about cybersecurity best practices. Make it an ongoing learning process, not a one-time event, and run phishing simulations so people practice recognizing and reporting suspicious emails before a real one arrives.
Software Updates & Safe Browsing Practices
Keeping software up to date is one of the most effective defenses against malware, because most attacks exploit vulnerabilities for which a patch already exists. It is critical that your organization either prompts users to install the latest patches or, better, pushes automatic updates across all workstations, browsers, and mobile devices.
Educating people in safe browsing practices, and enforcing them where possible, is another way organizations protect their assets. Over an unencrypted HTTP connection, anything you send or receive can be read or modified by anyone on the path, such as an attacker on the same public Wi-Fi. To make your organization's information less vulnerable, teach everyone to look for a secure HTTPS connection (the padlock in the address bar) before entering a password or any sensitive data, and to stop if the browser warns about an invalid certificate.
WebServes in partnership with a Meetup group called Nonprofits that Code recently conducted a Cybersecurity workshop where our partner, Eminent One Solution, gave a talk on Remote Worker Cybersecurity. If you would like to receive a copy of his presentation, please reach out to us or leave a comment below.