Kelley Misata | Nonprofit Hub Blog
https://nonprofithub.org/author/kelley-misata/

Protecting Mission-Critical Data by Using Cybersecurity Best Practices
https://nonprofithub.org/protecting-mission-critical-data-by-using-cybersecurity-best-practices/
Published Fri, 12 Nov 2021 on Nonprofit Hub

When it comes to protecting your nonprofit’s valuable data, cybersecurity best practices are key. But for most nonprofit and mission-based organizations, the go-to options for improving cybersecurity are rarely nonprofit-specific. The process usually involves general guidebooks written by well-meaning third parties, broad and generic training, or products developed for the for-profit economy.

These options might be helpful if you already knew which cybersecurity solutions you need, or, better yet, how your business operations measure up against cybersecurity best practices. But what if you don’t know what you need? What if a board member asks, “What are our policies and procedures around information security?” What if your organization has recently been compromised and you are scrambling to understand what has been affected?

Here’s where you can start.

A New Approach to Nonprofit Cybersecurity

Imagine if you had a clear view of how your organization measures against information and cybersecurity best practices. Better yet, imagine if securing the information in your organization was standard operating procedure and not a unique project. At Sightline, we believe that these and other imagined states of cybersecurity preparedness can be a reality.

In the third of our three-part blog series, we look at one of the most respected and widely used standards in cybersecurity: the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Together, we will cut through the cybersecurity noise to get to what you actually need to do for your organization. As we’ve mentioned in previous blogs and webinars, a lot can be accomplished by taking a different approach. We find that framing cybersecurity best practices in terms of business operations works, particularly when that frame is how nonprofit and mission-based organizations actually operate. This view of security frameworks can dramatically improve preparedness while removing the fear, uncertainty, and doubt many organizations feel when they look at cybersecurity.

Cybersecurity Best Practices: What is the NIST CSF?

The Cybersecurity Framework (CSF), created and maintained by the National Institute of Standards and Technology (NIST), is considered one of the most respected and widely used guides for general audiences looking to improve cybersecurity. But even the NIST CSF has its challenges: it is written in language that evokes those feelings of confusion and overwhelm. Work on the framework began in 2013, following a presidential executive order, through a convening of NIST, private- and public-sector organizations, and individual subject matter experts; version 1.0 was published in February 2014. In NIST’s own words:

“Published in 2014 and revised during 2017 and 2018, this Framework for Improving Critical Infrastructure Cybersecurity has relied upon eight public workshops, multiple Requests for Comment or Request for Information, and thousands of direct interactions with stakeholders from across all sectors of the United States along with many sectors from around the world.” 

[Figure: the five NIST CSF Functions. Source: NIST]

Organized as a hierarchy of outcomes (Functions, Categories, and Subcategories), the NIST CSF offers a viable first step for organizations of any size to assess their cyber and information security readiness. Each Subcategory is also mapped to informative references in other standards (such as NIST SP 800-53, ISO/IEC 27001, COBIT 5, and the CIS Controls), which makes it easier to satisfy more than one framework at once. At the highest level the framework has five Functions, each with Categories and Subcategories beneath it: Identify, Protect, Detect, Respond, and Recover. NIST is explicit that the Functions are not a linear path to be walked once: they are meant to be performed concurrently and continuously, and the order only reflects the lifecycle of managing a risk.

[Figure: the Categories beneath each of the five Functions. Source: NIST]

Understanding this structure is important for using the NIST CSF efficiently. At Sightline, we have found that not every nonprofit or mission-based organization needs to measure itself against every part of the framework. Based on a nonprofit’s mission, we help it identify the Functions and Categories that provide the most value.

Breaking Down the Complexities

In principle, the CSF is an excellent and necessary tool for nonprofits to evaluate their cybersecurity preparedness. However, while it aims at everyday language, it lacks the plain business vocabulary that most nonprofits use. The activities the CSF describes are shared by both sectors, yet the wording decidedly favors people working in a for-profit environment.

 Here’s a quick look at the approach we take to address the complexities in the NIST CSF. 

  1.   Create a Friendly Description – We start by imagining we are standing in line at a coffee shop and have a few minutes to tell someone what the control is, in everyday language, without “dumbing it down.”
  2.   Identify What Success Looks Like – What does the nonprofit organization need to show or do to complete that control? In simple terms, what does success look like?
  3.   Build a Question or Two or Three – Only when Steps 1 and 2 are done do we write questions, and we find that most subcategories need more than one.
  4.   Understand What Comes First – As a final step, we work out how completing one subcategory affects others. In other words, if you can’t answer a specific question, you may not have what’s necessary to answer the follow-up questions.

[Figure: Sightline’s four-step approach to unpacking a CSF subcategory]
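The four steps above give each CSF subcategory a friendly description, a success criterion, one or more questions, and a list of things that must be in place first. The Python below is an added illustration, not Sightline’s assessment tooling or code from the original post: it models that structure for a handful of subcategories, derives the Function from the identifier prefix described in the framework overview, orders the questions so that prerequisites are asked first, and marks a subcategory as blocked when something it depends on is not yet met. The subcategory identifiers and outcome wording follow NIST CSF v1.1 as the author of this example recalls them; the friendly descriptions, success criteria, questions, prerequisite links, and the answer sets are assumptions made for the example.

```python
"""Minimal NIST CSF subcategory self-assessment with prerequisite ordering.

Added example. Subcategory IDs/outcomes are from NIST CSF v1.1 (as recalled);
friendly text, questions, success criteria and 'requires' links are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Subcategory:
    id: str                 # e.g. "ID.AM-1"; the Function is the prefix before the dot
    outcome: str            # CSF v1.1 outcome (paraphrased)
    friendly: str           # step 1: the coffee-shop description
    success: str            # step 2: what "done" looks like for a nonprofit
    questions: list         # step 3: yes/no questions, one bool answer each
    requires: list = field(default_factory=list)  # step 4: prerequisite subcategory IDs


CATALOG = {
    "ID.AM-1": Subcategory("ID.AM-1", "Physical devices and systems are inventoried",
        "A list of every laptop, phone and server the organization uses.",
        "An inventory someone owns and updates when devices arrive or leave.",
        ["Do you have a written list of your devices?",
         "Is someone responsible for keeping it current?"]),
    "ID.AM-2": Subcategory("ID.AM-2", "Software platforms and applications are inventoried",
        "A list of the software and cloud services the organization relies on.",
        "An inventory of applications and SaaS accounts, with an administrator for each.",
        ["Do you have a written list of the software and online services you use?"]),
    "ID.RA-1": Subcategory("ID.RA-1", "Asset vulnerabilities are identified and documented",
        "Knowing which of those devices and applications have known weaknesses.",
        "Vulnerability findings recorded against the inventoried assets.",
        ["Do you check your devices and software for known vulnerabilities?"],
        requires=["ID.AM-1", "ID.AM-2"]),
    "PR.IP-4": Subcategory("PR.IP-4", "Backups are conducted, maintained, and tested",
        "Copies of your important information that you have proven you can restore.",
        "Scheduled backups with a documented, recent restore test.",
        ["Are backups taken on a schedule?",
         "Have you restored from a backup in the last year to prove it works?"],
        requires=["ID.AM-2"]),
    "RC.RP-1": Subcategory("RC.RP-1", "Recovery plan is executed during or after an incident",
        "A written plan for getting the organization running again after an incident.",
        "A recovery plan that names the backups and systems it depends on.",
        ["Do you have a written recovery plan?"],
        requires=["PR.IP-4"]),
}


def function_of(sub_id):
    """Map a subcategory ID to its Function: ID, PR, DE, RS or RC."""
    return sub_id.split(".")[0]


def ordered_ids(catalog):
    """Ask prerequisites before dependents (Kahn's topological sort)."""
    indeg = {sid: 0 for sid in catalog}
    dependents = defaultdict(list)
    for sid, sub in catalog.items():
        for req in sub.requires:
            if req not in catalog:
                raise KeyError(f"{sid} requires unknown subcategory {req}")
            indeg[sid] += 1
            dependents[req].append(sid)
    queue = deque(sorted(s for s, d in indeg.items() if d == 0))
    order = []
    while queue:
        sid = queue.popleft()
        order.append(sid)
        for dep in sorted(dependents[sid]):
            indeg[dep] -= 1
            if indeg[dep] == 0:
                queue.append(dep)
    if len(order) != len(catalog):
        raise ValueError("cycle in subcategory prerequisites")
    return order


def assess(catalog, answers):
    """answers: {subcategory_id: [bool, ...]}, one bool per question.
    Returns {id: 'met' | 'gap' | 'blocked'}. A subcategory is 'blocked' when a
    prerequisite is not met, so there is no point asking its questions yet."""
    status = {}
    for sid in ordered_ids(catalog):
        sub = catalog[sid]
        if any(status[req] != "met" for req in sub.requires):
            status[sid] = "blocked"
            continue
        given = answers.get(sid, [])
        status[sid] = "met" if len(given) == len(sub.questions) and all(given) else "gap"
    return status


def summary_by_function(status):
    """Roll the per-subcategory result up to the five Functions."""
    out = defaultdict(lambda: {"met": 0, "gap": 0, "blocked": 0})
    for sid, st in status.items():
        out[function_of(sid)][st] += 1
    return dict(out)


if __name__ == "__main__":
    # Constructed answers: a device list exists but there is no software inventory.
    result = assess(CATALOG, {"ID.AM-1": [True, True], "ID.AM-2": [False]})
    for sid in ordered_ids(CATALOG):
        print(f"{sid:8} {result[sid]:8} {CATALOG[sid].friendly}")
    print(summary_by_function(result))
```

With the constructed answers, one missing software inventory (ID.AM-2) blocks vulnerability identification, backups, and the recovery plan, which is exactly the “what comes first” dependency step 4 describes: the report tells the organization where to start rather than listing three more gaps it cannot yet act on.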

Blazing a New Trail with Cybersecurity Best Practices

Securing your most valuable data isn’t only about mitigating financial and reputational risks. It’s also about protecting the trust placed in your organization by the people and communities you serve. A cybersecurity incident of any size will affect your organization financially, reputationally, and even emotionally. Based on extensive interactions, research, and communications with nonprofits and cybersecurity professionals, we believe the CSF can be used in any sector or community. We also recognize that the approach we are taking, unpacking the CSF and reframing it for the nonprofit sector, is like blazing a new trail. It’s a trail that requires patience, persistence, and continuous learning, but the final destination is worth it.

If you are curious to learn more about our approach, Sightline Security partnered with Nonprofit Hub & Do More Good on a three-part webinar series on cybersecurity. You can reach out to info@nonprofithub.org to receive the on-demand recordings of these sessions.

 

*This spotlighted blog post is courtesy of Sightline Security

 

Originally published on 09/07/2021 / Republished on 11/12/2021

Debunking Myths and Misconceptions About Cybersecurity in Nonprofits
https://nonprofithub.org/debunking-myths-and-misconceptions-about-cybersecurity-in-nonprofits/
Published Tue, 10 Aug 2021 on Nonprofit Hub

Enjoy this spotlighted blog from Sightline Security

When it comes to cybersecurity for nonprofits, the wrong ideas are certainly out there.

Now that we’ve cleared up some of the confusion surrounding cybersecurity, it’s time to dig a little deeper. For this blog post, I’m going to start with a short personal confession. When I first began to think about cybersecurity in nonprofit and mission-based organizations, I had a lot of assumptions.

  • Nonprofits don’t need cybersecurity; who would want to attack them anyway?
  • Nonprofits don’t have the resources or funding to even think about cybersecurity, so why start?
  • Nonprofits are just like other businesses, so why don’t they use the same methods and tools for cybersecurity?
  • The technology used in nonprofit organizations is so outdated that it’s too much of an undertaking to secure them.

Looking back, it’s clear that I was wrong. The unique characteristics of nonprofit organizations mean that cyber and information security require a different mindset. Unfortunately, discussions with security experts show that many misconceptions about the value of cybersecurity for nonprofits persist, despite the recent uptick in attacks on nonprofit organizations of all sizes and missions. Some nonprofit executives hold these views too, which creates additional barriers to overcome.

First things first about cybersecurity

But let’s start by breaking down what we know about cybersecurity in nonprofits and what makes a nonprofit different. First, yes, cyber and information security are complicated, but that doesn’t make them insurmountable. Second, we can make them easier by removing hurdles and building understanding, regardless of an organization’s size, budget, or resources. To do this, we have to start by understanding cybersecurity in nonprofit and mission-based organizations, something that has never been done across all 1.5 million of them registered in the U.S. Since 2016, however, we have been assessing organizations and collecting anecdotes and data to document the true state of cyber and information security in them.

Here are three examples of some of the myths, plus the facts we are capturing from our nonprofit members.

Myth: Hardware and software are outdated and unpatched.  

Fact: True in some cases, but not all (which are successes to celebrate)!

Many of the organizations in Sightline’s community have actually made significant strides toward using current technology. It can be easy to assume that nonprofits are running decades-old technology, and for some, sadly, this is the case. But many know that operating their business efficiently is paramount, so they make an effort to keep the hardware and software they use modern and up to date. Some also take advantage of discount programs available through organizations such as TechSoup.

We are continuing to debunk this myth. While the picture is improving, it is also getting more complicated, because many nonprofit organizations now outsource their IT. They therefore rely on those vendors to keep software and hardware up to date, and they have to trust that the vendor has appropriate security controls in place. That trust should be written into the contract (patching timelines, backup and access-control expectations) and periodically checked, not assumed.

Myth: Nonprofits do such great work, and no one would want to attack them.  

Fact: False—BIG FALSE! Did we say that loud enough?

In 2017, Save the Children, a large international nonprofit, reported a cyberattack at its Connecticut location, where an individual posing as a Save the Children employee “fraudulently induced [via email] the organization to transfer $997,400 to an entity in Japan.” Social engineering of this kind, often called business email compromise, continues to be one of the easiest and most effective ways for attackers to extract money or gain unauthorized access to privileged systems, resources, and information. As in this case, the fraudulent email requesting the transfer appeared to originate from inside the nonprofit and was assumed to be legitimate.

Unfortunately, attacks and attempted attacks are not reserved for large nonprofits. This is not a new problem, and it remains a substantial, current threat. We see a considerable uptick in both targeted and opportunistic attacks on nonprofit and mission-based organizations of all sizes and missions. Cyberthreats tied to the COVID-19 pandemic are also on the rise. According to a recent Interpol report, registrations of malicious domains using terms such as “coronavirus,” “covid19,” and “covid-19” are multiplying. Some such domains are legitimate, but attackers use plausible-looking names to mask spam and phishing campaigns, website scams, and malware delivery. The bottom line: if you use technology, you are not immune to a cyberattack.
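The Save the Children transfer above is the classic business email compromise pattern: a message that appears to come from inside the organization asks finance to move money. The Python below is an added illustration, not code from Sightline or from the incident report, showing the kind of header checks a mail filter or a finance team’s inbox rule can apply before anyone acts on such a request: a known staff display name on an outside address, a Reply-To that diverts replies to another domain, and a sender domain that imitates the organization’s own. The organization domain example-nonprofit.org, the staff directory, and the three sample messages are constructed for the example.

```python
"""Heuristic business-email-compromise (BEC) checks on raw email headers.

Added example. The domain, staff directory and sample messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-nonprofit.org"                       # assumption: our own domain
STAFF = {"Dana Rivera": "dana@example-nonprofit.org"}      # assumption: internal directory
WIRE_WORDS = ("wire", "transfer", "urgent", "invoice", "payment")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance; enough to catch one swapped/dropped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, org=ORG_DOMAIN):
    """True when the domain is not ours but embeds our name (example-nonprofit.org.co)
    or is within one edit of it (examp1e-nonprofit.org)."""
    if domain == org:
        return False
    if org.split(".")[0] in domain:
        return True
    return _edit_distance(domain, org) <= 1


def bec_findings(raw_message):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    findings = []
    # 1. A staff member's display name on an address that is not theirs.
    if name in STAFF and addr.lower() != STAFF[name]:
        findings.append(f"display name '{name}' used with foreign address {addr}")
    # 2. Replies are routed to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_dom}")
    # 3. The sender domain imitates ours.
    if from_dom and lookalike(from_dom):
        findings.append(f"sender domain {from_dom} looks like {ORG_DOMAIN}")
    # 4. Money-movement language only matters once something above is suspicious.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if findings and any(w in text for w in WIRE_WORDS):
        findings.append("message requests money movement")
    return findings


# Constructed sample messages.
LEGIT = """From: Dana Rivera <dana@example-nonprofit.org>
To: finance@example-nonprofit.org
Subject: Board meeting agenda

Attached is the agenda for Thursday.
"""

SPOOFED_NAME = """From: Dana Rivera <dana.rivera@mail.example>
Reply-To: accounts@another.example
To: finance@example-nonprofit.org
Subject: Urgent wire transfer

Please transfer the payment to the vendor account below today.
"""

LOOKALIKE = """From: Dana Rivera <dana@examp1e-nonprofit.org>
To: finance@example-nonprofit.org
Subject: Invoice payment

Can you process this invoice before noon?
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed name", SPOOFED_NAME), ("lookalike", LOOKALIKE)):
        print(label, "->", bec_findings(raw) or "no findings")
```

These are heuristics for triage, not a substitute for enforcing SPF, DKIM and DMARC on your domain, and no header check replaces the simplest control against this attack: a rule that every new or changed payment instruction is confirmed by phone to a number already on file, never to one in the email.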

Myth: Nonprofits don’t have any money already, so they won’t spend money on cybersecurity. 

Fact: This isn’t always the case.

Nonprofits, by design, operate with highly scrutinized budgets. But in many cases that doesn’t mean they aren’t spending money on technology and security. Nonprofits in the Sightline community report significant investments in technology, including hardware, software, cloud applications, and more. Additionally, as technology becomes more complex and more necessary to keep things running effectively, many outsource IT to third-party organizations. But, as discussed in our first webinar, cybersecurity isn’t only technology. It’s the intersection of people, processes, policies, and technology. We are currently working to help nonprofits understand what reasonable spending on cybersecurity preparedness looks like, which in turn helps them choose the best places to spend their valued resources. To assume that nonprofit organizations have no money is simply false. Instead, it’s important to understand how nonprofits prioritize their spending.

The quote below from the executive director of a Massachusetts-based nonprofit highlights their position:

“During normal times, nonprofit budgets are stretched very thin and cybersecurity is typically sitting low on the funding priority list. This reality is coupled with the fact that nonprofits lack staff that is trained in how to identify cybersecurity issues. Add in a crisis to the mix and nonprofits become even more susceptible to security breaches as the nonprofit is completely focused on responding to the welfare of its constituents and keeping the business going.”   

And there are many more myths!

Of course, there are many more myths and misconceptions about cybersecurity in nonprofit and mission-based organizations. And even though we understand the unique business characteristics of nonprofits and how those attributes affect cybersecurity, many organizations don’t. Maybe your nonprofit doesn’t, either. As we continue to gather insights from nonprofit organizations like yours, we promise to keep you updated on what we discover.

What can you do today about cybersecurity?

Right now, our best advice is to not fall into the trap. Don’t believe the rhetoric about cyber and information security in nonprofits. We have seen it firsthand: if you bring cybersecurity best practices into your organization as a function of your business operations, it is far easier to stay secure.  

In short, don’t think of cyber and information security as a special project, a once-a-year event, or something that you only need an expensive consultant or technology to do or fix. And, please, don’t think of cybersecurity as something that happens to someone else. It is far easier to address security when you aren’t in crisis. So, don’t wait for an attack to spur you into action.

Better cyber and information security is within reach if we debunk the myths and break down the misconceptions. At Sightline, we take a step back from our security-centric viewpoint and consider how nonprofits like yours operate – how you talk and what’s important to you. All so we can align security to what makes you unique and focus on what matters most: your mission and the communities and people you serve.

Breaking Down the Confusion: What is Cybersecurity Really?
https://nonprofithub.org/breaking-down-the-confusion-what-is-cybersecurity-really/
Published Thu, 15 Jul 2021 on Nonprofit Hub

Enjoy this featured blog from Sightline Security

 

In its most recent report, the National Center for Charitable Statistics stated that more than 1.56 million nonprofits were registered with the Internal Revenue Service in 2015, contributing an estimated $985.4 billion, or 5.4% of Gross Domestic Product (GDP), to the US economy. Despite that contribution, nonprofit organizations have not been included in the development of cybersecurity best practices; to date, those have been developed almost exclusively for commercial businesses. Nonprofits have typically not been viewed as a lucrative market by for-profit security vendors, nor as having an immediate need, as the common anecdotal response shows: “Who would cyber-attack a nonprofit? What do they have to steal?”

  • 1.56+ million nonprofits registered in the US, contributing $985.4 billion to the U.S. economy (2015-2016)
  • 36,000 US municipal and township governments, 3,000 county governments, and 38,000 special-purpose districts, with combined annual revenue of about $1.8 trillion (2015-2016)
  • 6,146 US hospitals, including 5,198 community hospitals, of which 2,937 are nonprofit, with 36,353,946 admissions (2018)
  • 130,930 US schools serving 50.8+ million public school students (2018)

Ask yourself these questions:

  1. Imagine for a moment that these organizations, like yours, were hit by a cyberattack.
  2. What would happen to them if they were forced to pay a large ransom?
  3. What vital services would be disrupted by an attack?

We think about this every day but also realize it’s not that simple to unravel. So, let’s start at the beginning.

Have you ever wondered what the difference is between cybersecurity and information security, anyway?

You may have seen both terms used a lot in the news and often interchangeably, with cybersecurity the front runner. 

At Sightline, when we onboard a new nonprofit member, we begin with breaking down the difference between information security and cybersecurity. We have found that by simply stepping back and breaking down these standard and confusing terms, our members immediately start to see a path forward. Suddenly, they say, “we can improve the security of the information in our organization.” Because they can see it. 

Here’s a quick glimpse of how the conversation goes.

Before we dive into fixing and figuring out what cyber or information security tools, systems, processes, training, etc., you need, let’s start by understanding what we are protecting.

Cybersecurity, which we hear a lot about in the news, is defined as the “prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.” With Sightline members, we describe it as a wide-open space without clear boundaries, laws, regulations, or systems, something that is hard to define and hard to get your mind around.

So how can we talk about securing it? Many organizations already feel overwhelmed at this point.

But consider for a moment.

Information security is “the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.” Taking this a step further, think about what information you have in your organizations. Is it captured on paper or in digital form? Information like addresses, names, phone numbers, photos, and more. Information from donors, staff, volunteers, supporters, members, people your nonprofit serves, and more.

There is a common thread in these definitions. And it’s core to how we, as security professionals, look at protecting information.  

Integrity – guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity.

What does that mean? Making sure no one and nothing alters the information, so that it stays accurate and unaltered, and that you can tell who created or changed it.

Confidentiality – preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.

What does that mean? Only the people who need to see or work with certain information have access to it.

Availability – ensuring timely and reliable access to and use of information.

What does that mean? Making sure the people and systems that need the information can get to it when they need it, and that the steps you take to keep information secure don’t get in the way of doing business.

What does this boil down to?

The best way we see for nonprofit and mission-based organizations to address cybersecurity is to not focus on it – but to focus our efforts and time on understanding what information is vital in your organization and taking steps to secure it in a cyber environment.

Could you list the information you interact with as part of your job right now?

Try this for one day:

  1. Start a list.
  2. Jot down all (or at least the most vital) pieces of information you interact with during your day, including the credentials you use to log into systems, information shared with you, and things you create, capture, store, or manipulate.
  3. Put a star or marker next to pieces of information that would impact your organization if it got in the hands of an attacker. 

Now that you know the difference between cybersecurity and information security are you ready to start your journey for your organization?  

Excellent!

Join us for the first of three interactive webinar events, where we break down the language and complexities of cybersecurity and give you practical, business-oriented steps you can take today to improve the safety of the information inside your organization. We will also answer some of the most critical questions nonprofits of all sizes and missions are asking, and give you useful next steps to help you balance cyber investments at your organization.

By investing in this time with us, you will walk away with:

  • Greater confidence in cybersecurity terminology as it pertains to your organization.
  • Insights on how to align cybersecurity best practices with your business operations and your mission.
  • A better understanding of how to balance cybersecurity best practices with what makes sense for your organization.
  • Knowing which real cybersecurity threats you should be concerned about.
  • Inspiration from nonprofit organizations just like yours that are successfully weaving cybersecurity best practices into their operations.
  • Steps you can take today to start improving cybersecurity in your organization, with no consultants or expensive technology required.

Sightline Security is a 501(c)(3) nonprofit organization, like you, whose mission is to help other nonprofits embrace cyber and information security with confidence. We are excited to share insights gathered through our work with our nonprofit members and to break down the myths and misconceptions about cybersecurity in nonprofit and mission-based organizations. If you have any questions about this post or our work, please feel free to reach out.
