“Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there is a key hidden somewhere, they won’t stop until they find it.” — Tim Cook
The COVID-19 pandemic has disrupted many standard policies and procedures for management employees of tax-exempt organizations who are now working remotely. That disruption has increased internal-control risk for many organizations, and every organization must pay closer attention to the inherent vulnerabilities of its technology and the software applications that run on it.
After hearing that global criminal enterprises have been focusing on tax-exempt organizations for purposes of accomplishing technology breaches, I asked John Roman from our FoxPointe Solutions information technology division to provide me with his “Top 10” recommendations for mitigating the risk associated with cybersecurity breaches. His response to me was a revelation for me as a technology dinosaur.
“We’re too small to be targeted.” “We have cyber insurance.” “We can’t afford cybersecurity.” Do these phrases sound familiar? They are the reasons nonprofit organizations most often give for their lack of sufficient cybersecurity. Unfortunately, we live in a world where hackers look for vulnerabilities, both human and technical. Hackers continually scan the Internet for technical vulnerabilities using automated tools, and they take advantage of people during bad situations, of which today there are many: COVID-19, a recession, civil unrest, and the 2020 elections. Hackers do not discriminate. They target small and large businesses, educational institutions, government agencies, and not-for-profits alike.
Today, data has become as valuable as gold or oil. Nonprofits, large and small, collect vast amounts of private data about the people they serve and about their donors. This is exactly what hackers want. They want to exploit your organization’s vulnerabilities, whether through an email phishing message or a phone call from someone pretending to be your bank. The goal: steal your data, encrypt it, or both, and then demand a ransom.
What is a not-for-profit to do, especially during these times of reduced budgets, donations, and government funding? If you’re feeling overwhelmed or don’t know where to start, consider these no cost or low-cost cybersecurity best practices.
1. Patch all computer systems at least monthly with critical security patches. Microsoft releases its security updates on the second Tuesday of each month; make sure every Windows PC and server has them applied before the next release, and apply out-of-band fixes for actively exploited flaws as soon as they appear rather than waiting for the next cycle. For smaller nonprofits, turn automatic updates on and do not allow users to opt out of them. For larger organizations, ensure that your IT department is applying patches to PCs and servers. Remember browsers and other third-party applications, which have their own update cycles and are just as often the way in.
2. Enable anti-malware/antivirus software and firewalls on all PCs. Ensure that every computer has active, working, up-to-date protection. Enable the Windows firewall on all computers, especially laptops, which routinely connect to home and public networks you do not control.
3. Encrypt data at rest and in motion. Any portable device (laptop, USB drive, tablet, or phone) should have full-disk encryption enabled, for example BitLocker on Windows or FileVault on macOS. Because these devices are easily lost or stolen, encryption turns a lost device into just a lost device: most breach-notification laws, New York’s included, do not treat encrypted personal information as breached unless the encryption key was compromised along with it, so you minimize the need to report a breach if a lost or stolen device was encrypted. For data in motion, require encrypted connections: a VPN for remote access and TLS (https) for every web and email service you use.
4. Strengthen passwords. Make your passwords long rather than merely complex. Try using a passphrase that is at least 12 characters long (spaces count); it is easy to remember and, for practical purposes, “uncrackable” by brute force. As an example, “I love my dog spot!” would take over 64,000 years to crack by one common estimate. Two caveats: such estimates assume the attacker has to try every combination, so avoid song lyrics, quotations, and other phrases that appear in attackers’ wordlists; and a passphrase that has already shown up in a breach is worthless no matter how long it is. As a bonus, unless your password is leaked, you will only need to change it once per year.
5. Train your employees on cybersecurity. You and your employees are the firewall; your best line of defense is you and the people who work for your organization. Ensure that you provide your workers with annual security awareness training, and make it relatable to them and their personal experiences. Look into training programs from LinkedIn Learning and KnowBe4. Send frequent emails on the latest threats and how to avoid them.
6. Comply with the New York SHIELD Act. The “Stop Hacks and Improve Electronic Data Security Act” was signed into law on July 25, 2019 as an amendment to the New York State Information Security Breach and Notification Act. Its breach-notification changes took effect on October 23, 2019, and its data-security requirements on March 21, 2020. The motivation behind the SHIELD Act is to update New York’s data-breach notification law to keep pace with current technology. Every organization that creates, processes, stores, or transmits the private information of New York State residents must comply, wherever the organization itself is located. To comply, an organization must have completed a risk assessment, assigned an information-security officer, and created a written information security plan along with an accompanying series of administrative (policies), physical, and technical controls. The law allows small businesses (fewer than 50 employees and below the statutory revenue and asset thresholds) to scale these safeguards to their size and the sensitivity of the data they hold, but it does not excuse them from having a program at all.
7. Perform frequent data backups and restores. One of the only ways to recover from a ransomware attack, or from someone inadvertently deleting data from a server or PC, is to have an up-to-date backup. In a ransomware attack, rather than paying the ransom, which is a bad idea in more cases than not, the data that has been encrypted by the ransomware can be restored from your organization’s backup. Backups must run daily, and at least one copy must be kept offline or otherwise unreachable from your network, because modern ransomware deliberately seeks out and encrypts or deletes any backup it can reach; the “3-2-1” rule (three copies, on two kinds of media, one of them off-site) is a good yardstick. Test backups frequently by actually restoring files and comparing them to the originals, not just by checking that the backup job reported success.
8. Plan for a disaster. It’s not a matter of if you have a disaster (a data breach, a power failure, a pandemic, or your email being down for two hours), it’s when. Those who do not have a documented disaster-recovery plan, with corresponding procedures for recovering systems and data, typically spend far more time and money restoring systems and data than those who have a plan. Along with your data-backup plan, create a disaster-recovery plan. Remember, “practice makes perfect”: test your plan at least annually. Your test can be as simple as choosing one system, simulating its being unavailable for a period of time, and measuring how long it takes to recover from the failure.
9. Practice good computer hygiene. Do you get your car’s oil changed every 3,000 to 5,000 miles? How about an annual physical? Of course, we all practice good hygiene. So why not do so from a computing perspective? For example, close, disable, or delete all accounts for those who are no longer employed by the organization, on the day they leave, including cloud services and any shared logins they knew, and periodically review the remaining accounts for ones nobody has used in months. Have a data-retention policy and practice it. There is no reason to keep a document created and last accessed in 1998 unless there is a business or regulatory reason to keep it; data you no longer hold cannot be stolen from you.
10. Move to the cloud. Cloud providers such as Microsoft, Amazon, and the like have more security controls in place than your nonprofit can afford. Your data is probably more secure in the cloud than it is on your own servers. Services such as Microsoft 365 (formerly Office 365) are relatively inexpensive for nonprofits, especially those that have registered with TechSoup (https://www.techsoup.org/). Cloud solutions offer anytime, anywhere, any-device access to applications and data. During this pandemic, those who used cloud services were able to move their employees to working from home far more easily than those who did not. One caveat: the provider secures the platform, but securing your accounts is still your job, so turn on multi-factor authentication for every cloud login and review who has access to what.
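To make item 4 concrete, here is an added example in Python; it is not from the original article or from FoxPointe Solutions. It enforces the 12-character minimum, checks the passphrase against a leaked-password list using the hashed-prefix lookup that services such as Have I Been Pwned use (only the first five hex characters of the SHA-1 hash would ever be sent to such a service), and estimates worst-case brute-force time. The leaked list, the guess rate of ten billion per second, and the character-set model are assumptions made for the example, which is why its figure for “I love my dog spot!” differs from the 64,000 years quoted above; the point it illustrates is the same.

```python
import hashlib

MIN_LENGTH = 12

# Constructed denylist standing in for a breached-password corpus such as
# Have I Been Pwned. Stored as SHA-1 hex digests, as that service does, so the
# plaintexts never sit beside the checker. A real deployment would load the
# published hash ranges rather than this handful of entries.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password123!", "letmein", "correct horse battery staple")
}

def sha1_hex(passphrase: str) -> str:
    return hashlib.sha1(passphrase.encode("utf-8")).hexdigest().upper()

def is_leaked(passphrase: str) -> bool:
    """k-anonymity style lookup: the 5-character prefix selects a bucket of
    hashes, and the remaining suffix is matched locally, so a lookup service
    never learns the full hash, let alone the passphrase."""
    digest = sha1_hex(passphrase)
    prefix, suffix = digest[:5], digest[5:]
    bucket = {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}
    return suffix in bucket

def charset_size(passphrase: str) -> int:
    """Size of the alphabet a brute-force attacker would have to assume."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(not c.isalnum() for c in passphrase):
        size += 33  # printable ASCII punctuation plus space
    return size

def brute_force_years(passphrase: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case exhaustive-search time. The rate is an assumption for the
    example (a ballpark figure for a GPU rig against a fast hash)."""
    search_space = charset_size(passphrase) ** len(passphrase)
    return search_space / guesses_per_second / (3600 * 24 * 365)

def check_passphrase(passphrase: str) -> dict:
    """Apply the policy: long enough and not already in a breach list."""
    reasons = []
    if len(passphrase) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_leaked(passphrase):
        reasons.append("appears in leaked-password list")
    return {
        "accepted": not reasons,
        "reasons": reasons,
        "brute_force_years": brute_force_years(passphrase),
    }

if __name__ == "__main__":
    for candidate in ("I love my dog spot!", "Password123!", "correct horse battery staple"):
        print(candidate, check_passphrase(candidate))
```

Note that “correct horse battery staple” is rejected despite being 28 characters long: length only helps when the phrase is not already in the attacker’s list.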
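Items 7 and 8 both come down to one habit: prove the backup can be restored. The following is an added example, written for this article rather than taken from it or from FoxPointe Solutions, of a restore drill in Python. It archives a folder together with a manifest of SHA-256 digests taken at backup time, restores the archive into scratch space, and compares every restored file against the manifest, so that a backup job that silently captured a damaged copy is caught before the day you need it. The sample files and the simulated corruption are constructed for the example; in practice you would point `create_backup` at a real share and run `verify_restore` against a copy pulled back from your offline or off-site media.

```python
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for an organization's file share.
SAMPLE_FILES = {
    "donors/2020-q1.csv": b"name,amount\nA. Donor,250\n",
    "finance/budget.txt": b"FY2020 draft budget\n",
    "hr/roster.txt": b"alice,bob,carol\n",
}

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def create_backup(source: Path, archive: Path) -> dict:
    """Archive the source tree plus a manifest of digests taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
        blob = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo("manifest.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest

def verify_restore(archive: Path) -> dict:
    """Restore into scratch space and check every file against the manifest.
    A backup that has never been restored and compared is only a hope."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses path traversal (3.12+ and backports)
            except TypeError:
                tar.extractall(scratch)  # older Python without the filter argument
        root = Path(scratch)
        expected = json.loads((root / "manifest.json").read_text())
        actual = build_manifest(root / "data")
    missing = sorted(set(expected) - set(actual))
    corrupt = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"ok": not missing and not corrupt, "files": len(expected),
            "missing": missing, "corrupt": corrupt}

def corrupt_member(archive: Path, member: str, new_bytes: bytes) -> None:
    """Rewrite the archive with one member's bytes replaced. This simulates
    media rot or a backup job that captured a bad copy; it is not something
    a real backup tool does."""
    tmp = archive.with_suffix(".tmp")
    with tarfile.open(archive, "r:gz") as src, tarfile.open(tmp, "w:gz") as dst:
        for info in src:
            if info.name == member:
                info.size = len(new_bytes)
                dst.addfile(info, io.BytesIO(new_bytes))
            else:
                dst.addfile(info, src.extractfile(info) if info.isfile() else None)
    tmp.replace(archive)

def run_backup_drill(corrupt: bool = False) -> dict:
    """Full drill on the constructed data: back up, optionally damage, verify."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "share"
        for rel, content in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(content)
        archive = Path(work) / "share-backup.tar.gz"
        create_backup(source, archive)
        if corrupt:
            corrupt_member(archive, "data/donors/2020-q1.csv", b"\x00" * 8)
        return verify_restore(archive)

if __name__ == "__main__":
    print("clean backup:", run_backup_drill())
    print("damaged backup:", run_backup_drill(corrupt=True))
```

The manifest travels inside the archive for convenience; for a stronger check, keep a second copy of the manifest somewhere the backup job cannot write to, so that a compromised backup server cannot rewrite both the data and the digests that vouch for it.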
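For item 9, the two hygiene checks that matter most can be scripted and run on a schedule. Below is an added example in Python (not from the original article or from FoxPointe Solutions) that reconciles an exported list of user accounts against HR’s active roster and flags enabled accounts with no recent sign-in, then sweeps file metadata for documents past the retention period that are not under legal hold. The roster, account export, file list, and “as of” date are all constructed for the example; in practice the inputs would come from an Active Directory or Microsoft 365 export and from your file server.

```python
from datetime import date, timedelta

# "As of" date for the sweep; constructed for the example.
AS_OF = date(2020, 9, 15)

# Constructed sample data: HR's active-employee roster and an export of user
# accounts of the kind pulled from Active Directory or Microsoft 365.
HR_ACTIVE = {"alice@example.org", "bob@example.org", "carol@example.org"}

ACCOUNTS = [
    {"user": "alice@example.org", "enabled": True,  "last_login": date(2020, 9, 1)},
    {"user": "bob@example.org",   "enabled": True,  "last_login": date(2020, 5, 20)},
    {"user": "carol@example.org", "enabled": True,  "last_login": None},  # never signed in
    {"user": "dave@example.org",  "enabled": True,  "last_login": date(2020, 8, 30)},  # left in July
    {"user": "erin@example.org",  "enabled": False, "last_login": date(2019, 12, 1)},
]

# Constructed file-share metadata for the retention sweep.
FILES = [
    {"path": "finance/audit-2012.pdf",  "last_modified": date(2012, 6, 1),  "legal_hold": False},
    {"path": "board/minutes-1998.doc",  "last_modified": date(1998, 3, 14), "legal_hold": False},
    {"path": "legal/contract-2005.pdf", "last_modified": date(2005, 1, 9),  "legal_hold": True},
    {"path": "donors/2020-q1.csv",      "last_modified": date(2020, 4, 2),  "legal_hold": False},
]

def review_accounts(accounts, hr_active, today, inactive_days=90):
    """Return the actions an administrator should take: disable enabled
    accounts whose owner is not on the active roster; review enabled accounts
    with no sign-in inside the inactivity window. The roster, not the account
    list, is the source of truth for who should still have access."""
    cutoff = today - timedelta(days=inactive_days)
    disable, review = [], []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; delete once your retention period has passed
        if acct["user"] not in hr_active:
            disable.append(acct["user"])
        elif acct["last_login"] is None or acct["last_login"] < cutoff:
            review.append(acct["user"])
    return {"disable": sorted(disable), "review": sorted(review)}

def retention_candidates(files, today, retain_years=7):
    """Files last modified before the retention cutoff and not under legal
    hold. The seven-year default is an assumption; use your own policy."""
    cutoff = today - timedelta(days=365 * retain_years)  # close enough for a sweep
    return sorted(f["path"] for f in files
                  if f["last_modified"] < cutoff and not f["legal_hold"])

if __name__ == "__main__":
    print(review_accounts(ACCOUNTS, HR_ACTIVE, AS_OF))
    print(retention_candidates(FILES, AS_OF))
```

Run against the constructed data, the account review tells you to disable dave (still enabled and signing in, but no longer on the roster) and to look at bob and carol, while the retention sweep lists the 1998 minutes and the 2012 audit but leaves the contract under legal hold alone.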
The suggestions above are certainly not an all-inclusive list of best practices. However, for most nonprofits they are a good start for, or continuation of, your cybersecurity efforts. There are numerous cybersecurity providers who can assist; if possible, choose one with a good understanding of not-for-profits and the intricacies of how they operate. Finally, remember that cybersecurity starts with you. It takes a combination of people, policy, and technology to form a strong cybersecurity foundation.
After discussing the above with John, I was prompted to provide you with inspirational quotes that I found very appropriate, including:
“There is no silver bullet solution with cybersecurity — a layered defense is the only viable defense.” — James Scott
“Passwords are like underwear: you don’t let people see it, it changes very often, and you shouldn’t share it with strangers.” — Chris Pirillo
Please stay safe and healthy.
Gerald J. Archibald, CPA, is a partner in charge of the management advisory services at The Bonadio Group. Contact him at (585) 381-1000, or via email at email@example.com