CYBERSECURITY FOR NONPROFITS - Graham-Pelton

May 27, 2020

Page 1

CYBERSECURITY FOR NONPROFITS
Practical Solutions to Combat Cyber Threats

The Nonprofit Landscape: What We Know To Be True

In 2017, Microsoft conducted a survey of the nonprofit landscape in an attempt to discern how prepared nonprofits were for cyber incidents. The survey reported that:

60% of the organizations surveyed had no data policy in place.

46% had no multi-factor authentication process.

74% used multiple unsecured networks, such as wireless, webcams, and Bluetooth tools.

92% reported that their staff was allowed to use personal devices to access their systems.

The Cybersecurity Information Sharing Act of 2015 defines a security vulnerability as any attribute of hardware, software, process or procedure that could enable or facilitate the defeat of a security control. This is not just an IT or technical issue; it is a people and process issue that needs to be understood across the organization.

This content was created by the National Cybersecurity Society as an educational aid for nonprofit organizations. All rights reserved.

Page 2

ShareVault, Graham-Pelton and the National Cybersecurity Society

2

THE CURRENT NONPROFIT BUSINESS LANDSCAPE

MOST NONPROFIT BUSINESS PLANS DO NOT ADDRESS CYBERSECURITY

THERE IS A FALSE ASSUMPTION THAT THE IT DEPARTMENT IS IN CHARGE OF IT SECURITY

MANY NONPROFITS HAVE NO BUDGET FOR IT SECURITY

MANY NONPROFITS ARE UNAWARE THAT AN AUDIT MAY HAVE A CYBERSECURITY COMPONENT

KNOW YOUR WEAKNESSES

Passwords

One of the biggest vulnerabilities that nonprofits (and for-profits) have to a security event is that they use weak, shared and/or reused passwords. This is also one of the easiest vulnerabilities to rectify. Employees should be trained on how to create strong, unique passwords, they should use a good password manager so that no password is shared between accounts, and they should change a password immediately whenever it may have been exposed. Current guidance in NIST SP 800-63B favors long, unique passwords plus multi-factor authentication over rotation on a fixed schedule, since forced rotation tends to produce predictable variations of the same password.

Overshared Privileges

Management should evaluate administrative privileges within the organization and restrict them to the minimum each role needs. It is important to minimize the number of people who have access to sensitive accounts, to keep administrative accounts separate from the accounts used for everyday email and browsing, and to review the list whenever staff or volunteers change roles or leave.

No Documentation / No Policies

The last thing most organizations want to think about is writing policies and documenting how their sensitive information is properly handled. However, these policies are critical for maintaining document security and, in a crisis, are critical for holding employees accountable for their actions.

Social Media

It is difficult to think about running a business in today's world without employing the power of social media. But that power also comes with a curse. Social media platforms should be examined for their vulnerabilities, and policies should be developed for their proper use, including who holds the account credentials and how those credentials are protected.

Page 3


BUSINESS EMAIL COMPROMISE (BEC)

One of the biggest threats that faces both large and small organizations is business email compromise. Business email compromise is when an attacker impersonates a company executive and sends an email to an unsuspecting employee requesting that they take a specific action, such as transferring money or forwarding sensitive data. Any time an employee receives an email requesting the transfer of funds from a company executive, such as the CEO or CFO, that employee should pick up the phone, using a number already on file rather than one given in the email, and confirm with the executive that the request is legitimate. Do not confirm by replying to the email, since the reply goes back to the impostor. Once wire transfers are completed, there is often very little banks can do to recover those funds.

OTHER THREAT VECTORS

SCAMS IMPACTING NONPROFITS

• Credential Theft

• Credential Misuse

• Social Engineering

RANSOMWARE

Ransomware entails an attacker encrypting an organization's files or systems, including its website or data, and holding them hostage until a ransom is paid. These incidents typically take place because someone clicked on a link or opened an attachment they should not have. The best way to prevent ransomware attacks is through good cyber hygiene and training, and the best way to limit the damage is to keep offline, regularly tested backups so that data can be restored without paying.

ROBOCALLERS

Because robocall scams are becoming increasingly sophisticated, such as by using local area codes and spoofing caller IDs, people are becoming increasingly reluctant to answer their phones if they are uncertain of the caller's identity. This is affecting nonprofits' ability to raise money.

THIRD-PARTY WEBSITES

Attackers often use third-party service providers, such as a provider of HR services, to infiltrate larger organizations and gain access to sensitive accounts, so it is important to conduct thorough due diligence on third-party service providers: know what data and access each one holds, and confirm that their security measures are in place.

Page 4


TIPS FOR GOOD CYBER HYGIENE

CREDENTIAL MANAGEMENT

Credential management is about controlling access to critical assets, such as laptops, online accounts, and other places where sensitive data is stored. One best practice for good credential management is adhering to the principle of least privilege: each person gets only the access their role requires. This might involve developing a separate infrastructure, or having a designated laptop, for sensitive data that is accessible to a limited number of people, thus limiting the number of access points.

Secondly, it is important that employees are educated on how to create strong passwords. One way to ensure strong, unique passwords is to use a reputable password manager.

• 81% of hacking-related breaches leveraged weak or stolen passwords (Verizon Data Breach Investigations Report 2017)

• 91% of breaches involve a phishing email (PhishMe Research 2017)

• 93% of cyber attacks can be thwarted through good cyber hygiene (Online Trust Alliance 2019)
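The password guidance on page 2 and the credential management tips above can be enforced when an account is created or a password is changed, rather than left to training alone. The block below is an added example written for this page, not code from the brochure or from ShareVault, Graham-Pelton or the NCSS. It implements the screening that NIST SP 800-63B calls for (a minimum length and a check against known-compromised passwords, with no composition rules or scheduled rotation) and shows the k-anonymity lookup used by the Have I Been Pwned "Pwned Passwords" range API, in which only the first five hex characters of the password's SHA-1 hash leave the client. The local range store, the breach counts, the MIN_LENGTH of 12 and the organization-specific words are constructed assumptions so that the example runs offline.

```python
"""
Added example for this page (not code from the brochure, ShareVault,
Graham-Pelton or the NCSS): a password screen in the style NIST SP 800-63B
recommends. It rejects short passwords, passwords that contain the username
or an organization-specific word, and passwords found in breach data, and it
imposes no composition rules or calendar rotation. The breach check follows
the k-anonymity scheme of the Have I Been Pwned "Pwned Passwords" range API:
the client sends only the first five hex characters of the SHA-1 hash and
matches the remaining 35 characters locally against the returned list.
The range store, the breach counts and the policy constants are constructed
so that the example runs offline.
"""
import hashlib

MIN_LENGTH = 12                                     # assumption: local policy (NIST's minimum is 8)
CONTEXT_WORDS = ("example-nonprofit", "nonprofit")  # assumption: words specific to this organization


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of a password into the 5-character
    prefix that is sent to the service and the 35-character suffix that
    never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for the range endpoint: prefix -> lines in the
# service's "SUFFIX:COUNT" format, built here from a few passwords that are
# known to be breached. The counts are made up for the example.
_BREACHED = {"password": 3861493, "123456": 37359195, "letmein": 344261}
_RANGE_STORE = {}
for _pw, _count in _BREACHED.items():
    _prefix, _suffix = sha1_prefix_suffix(_pw)
    _RANGE_STORE.setdefault(_prefix, []).append(f"{_suffix}:{_count}")


def local_range(prefix):
    """Offline replacement for GET https://api.pwnedpasswords.com/range/<prefix>.
    The real endpoint returns several hundred lines for every prefix; this
    stand-in returns nothing for prefixes it does not know."""
    return _RANGE_STORE.get(prefix, [])


def breach_count(password, range_lookup=local_range):
    """k-anonymity lookup: ask for the prefix, compare suffixes locally.
    Returns how many times the password appeared in breaches, 0 if never."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix):
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix.upper() == suffix:
            return int(count)
    return 0


def check_password(candidate, username, range_lookup=local_range):
    """Return (accepted, reasons). Reuse across other sites cannot be
    checked here; that is what the password manager is for."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    if any(word in lowered for word in CONTEXT_WORDS):
        reasons.append("contains an organization-specific word")
    seen = breach_count(candidate, range_lookup)
    if seen:
        reasons.append(f"appears {seen} times in breach data")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ("password", "nonprofit-treasurer-2020", "river-kettle-ninety-lantern"):
        print(repr(pw), check_password(pw, "jdoe"))
```

In production, replace local_range with a function that performs the HTTP GET against https://api.pwnedpasswords.com/range/ followed by the five-character prefix and returns the response lines; breach_count works unchanged, and the full hash never leaves your system.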

PHISHING PROTECTION

Preventing phishing attacks can largely be accomplished with training. Employees should be trained to recognize fake or fraudulent emails. Another important tip is to use an email service that checks sender authentication (SPF, DKIM and DMARC) and labels messages that originate outside your organization, as G Suite does, so that an outside address using an executive's name stands out.
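The BEC advice on page 3 (an executive's name on a request to move money) and the phishing tip above (an email service that checks sender authentication and labels outside senders) can be turned into a small automated screen. The following is an added example written for this page, not code from the brochure or from ShareVault, Graham-Pelton or the NCSS. The organization domain example-nonprofit.org, the executive names and the three sample messages are constructed, and the Authentication-Results header is assumed to have been added by your own inbound mail server; an attacker can forge that header too, so a real deployment strips any copy that arrives from outside before trusting it.

```python
"""
Added example (not from the original brochure or any of the named
organizations): a header-level screen for the two email threats described
on this page, executive impersonation (BEC) and phishing, using only the
Python standard library. Authentication-Results is the header a receiving
mail service such as G Suite adds after checking SPF, DKIM and DMARC; the
checks below read it and look for the patterns the text warns about. The
domain, the executive names and the three sample messages are constructed.
"""
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr

ORG_DOMAIN = "example-nonprofit.org"   # assumption: the organization's own mail domain
EXECUTIVES = {"jane doe", "john roe"}  # assumption: display names of the CEO and CFO
# Words that accompany the "transfer money or data" requests BEC relies on.
MONEY_WORDS = re.compile(r"\b(wire|transfer|gift cards?|urgent|w-?2|invoice|payroll)\b", re.I)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.
    A method that is not mentioned is reported as 'none'."""
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", str(header), re.I):
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def authentication(raw):
    """Verdicts for a raw RFC 5322 message string."""
    return auth_results(email.message_from_string(raw, policy=policy.default))


def screen(raw):
    """Return the list of warning flags for one raw message (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    external = domain != ORG_DOMAIN
    verdicts = auth_results(msg)
    flags = []

    if external:
        flags.append("external sender")
    # An executive's display name on a mailbox outside our domain is the
    # classic BEC setup. SPF, DKIM and DMARC all pass because the attacker's
    # free-mail account really did send it, so authentication alone misses it.
    if external and name.strip().lower() in EXECUTIVES:
        flags.append("executive display name on external address")
    # Reply-To that differs from From: replies go somewhere the sender chose.
    reply_to = [a.lower() for _, a in getaddresses([str(h) for h in msg.get_all("Reply-To", [])])]
    if reply_to and addr.lower() not in reply_to:
        flags.append("reply-to differs from from")
    # Our own domain in From but no DMARC pass: the sender address was spoofed.
    if not external and verdicts["dmarc"] != "pass":
        flags.append("internal domain without DMARC pass")
    # Money or urgency language in the subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if MONEY_WORDS.search(f"{msg.get('Subject', '')} {text}"):
        flags.append("payment or urgency language")
    return flags


# Constructed sample messages (not real traffic).
SAMPLES = {
    "bec": """From: Jane Doe <jane.doe.ceo@freemail.example>
To: accounts@example-nonprofit.org
Subject: Urgent wire transfer
Authentication-Results: mx.example-nonprofit.org; spf=pass smtp.mailfrom=freemail.example; dkim=pass header.d=freemail.example; dmarc=pass header.from=freemail.example

I am in a board meeting and cannot talk. Please wire $24,000 to the vendor below today.
""",
    "spoofed_internal": """From: John Roe <john.roe@example-nonprofit.org>
To: accounts@example-nonprofit.org
Reply-To: finance-desk@mail-relay.example
Subject: Invoice for immediate payment
Authentication-Results: mx.example-nonprofit.org; spf=fail smtp.mailfrom=example-nonprofit.org; dkim=none; dmarc=fail header.from=example-nonprofit.org

Attached invoice is overdue, please process it this morning.
""",
    "legitimate": """From: Jane Doe <jane.doe@example-nonprofit.org>
To: staff@example-nonprofit.org
Subject: Board meeting agenda
Authentication-Results: mx.example-nonprofit.org; spf=pass smtp.mailfrom=example-nonprofit.org; dkim=pass header.d=example-nonprofit.org; dmarc=pass header.from=example-nonprofit.org

Agenda and minutes attached. See you Thursday.
""",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {screen(raw) or 'no flags'}")
```

The first sample is the point of the BEC section: every authentication check passes, because the attacker's mailbox is genuine; only the combination of an executive's name, an outside domain and a payment request gives it away, which is why the phone call to a known number remains the control.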

TOP GOTCHAS THAT LURE RECIPIENTS INTO CLICKING ON LINKS:

• Click to learn more

• Sent from your CEO/CFO

• Sent from your bank

• Tax refund

• Refund due to system error


• Click to see your revised salary

• Confirm your account

• Update your official record

• Your account has been suspended

• You missed a delivery

• Restart your membership

• Your emails are being held until you validate by clicking

• Your account has been locked

EARLY WARNINGS OF AN ATTACK

• Email from someone who has sensitive data about you or your operations

• Irate donor calling

• Bank is calling about your line of credit

• Mailbox flooded

• Robocalls

• FBI calling

• IRS calling

• Browser doesn’t work like it should

• New software programs were added

• Antivirus software has been disabled

• You can’t update your system

• Computer runs slower

• Hacker demands money

• Bank account withdrawals

THE BASICS (KEY STEPS)

1. COMMIT AND BEGIN

• Gain leadership support

• Obtain funding

2. ASSIGN RESPONSIBILITY

• Assign someone in charge—track actions/reports

• Consider assigning a Privacy Officer

3. ASSESS

• Conduct a technical and operational assessment

• Figure out crown jewels

• Research where data resides

• Create plan of action to address deficiencies

• Test again

4. BUILD AND EXECUTE

• Work the plan, one step at a time

Page 6

Create a Baseline

• Take the NCSS CARES assessment to learn about your cyber risk and how you compare with your peers

• Sign up for a NCSS membership

• Request a NCSS Insights report—a 12-step remediation guide

Learn

• Educate your employees

• Leverage the NCSS resources

• Circulate phishing exercises

• Utilize online resources

• Improve resiliency

• Implement a cyber best practice

• Test your crisis action plans

SUMMARY

WHAT TO DO IN THE EVENT OF A BREACH

A breach has serious consequences if not handled properly. In the case of a breach, do you know how to respond? Every U.S. state has its own data breach notification law, 50 different laws in all, which makes it very difficult to work out the correct procedure. Questions you should consider in advance:

• Do you know whom to call?

• Do you know what to do?

• Are you required to report the incident? If so, to whom?

• Should you involve law enforcement? If so, why and how?

• In the event of a breach, consider hiring an expert. A professional can help you.

• Contact the NCSS — they are there to help!

Page 7

About Jennifer Harris, PhD Senior Vice President, Graham-Pelton

Jennifer Harris is a dynamic fundraising professional who focuses on major gifts and grants to achieve organizational growth. She has a proven record of developing and harnessing strategic plans, community partnerships, board networks, strong teams, and relationships to drive fundraising outcomes.

Prior to joining Graham-Pelton, Jennifer served as a consultant at Northwestern Medicine Office of Philanthropy. Jennifer has also served in numerous advancement roles, including Executive Director at National Louis University (NLU). In addition, she has provided volunteer leadership to several nonprofits including the Poetry Center of Chicago, Heartland Alliance, and Drepung Gomang Monastery. She also founded InSight Collaborative, which supported homeless youth throughout Chicago.

Jennifer earned her B.F.A. in Creative Writing from The University of Arizona, an M.F.A. in Writing from the School of the Art Institute of Chicago, and a Ph.D. in Community Psychology from NLU, where she also served as an Adjunct Professor in addition to her full-time fundraising role.

About Graham-Pelton

Graham-Pelton is a fundraising and management consulting firm for leading nonprofit organizations worldwide. Our mission is clear: elevate philanthropy so nonprofits can flourish. These words guide all we do and answer the question of why we do it.

Balancing our data-driven approach with a human-centered philosophy, we enable the people and institutions we work with to achieve unprecedented levels of philanthropy. We are recognized globally as a leading nonprofit consulting firm, known not only for our extensive fundraising experience, but also for the transformational experience of working together with Graham-Pelton.

Find out more at grahampelton.com.

Page 8

About Mary Ellen Seale Founder, National Cybersecurity Society (NCSS)

Mary Ellen Seale is the founder and CEO of the National Cybersecurity Society. A leader in national cybersecurity strategy and cyber operations, she has held several executive level positions with the federal government.

She retired with nearly 31 years of federal service and continues her public service by contributing to the cybersecurity needs of the small business community.

Previously Ms. Seale was Deputy Director, Cybersecurity Coordination, Department of Homeland Security (DHS); Executive Director of Modernization, Federal Communications Commission; Deputy Director, National Cybersecurity Center/DHS; and Chief of Administrative Operations, DHS Headquarters.

Ms. Seale received an undergraduate degree from the University of Georgia and a Master of Business Administration in Finance from the American University and is a Certified Information Systems Security Professional.

About the National Cybersecurity Society (NCSS)

The National Cybersecurity Society is a national nonprofit organization focused on providing cybersecurity education, awareness and advocacy to nonprofits and small businesses. The NCSS is a community of technology and security professionals focused on helping small businesses and nonprofits stay safe online.

The NCSS provides cybersecurity education tailored to the needs of the small business owner, helps businesses assess their cybersecurity risk, and distributes threat information to business owners so that they will be more knowledgeable about the threats facing their business. Most recently, the NCSS has partnered with Graham-Pelton to extend its reach to the nonprofit community.

Page 9

Specifically, the NCSS:

• Assists small businesses and nonprofits in understanding their cyber risk

• Educates businesses on security best practices

• Provides advice on the types of cybersecurity services needed

• Provides access to affordable and vetted cybersecurity products and services

• Collaborates with cybersecurity vendors to ensure the highest service delivery

• Provides how-to guides, tips, conferences, webinars, articles, and other educational materials

• Provides an “Ask-an-Expert” service for technical expertise and to address small business issues or concerns

• As an Information Sharing Analysis Organization, facilitates incident reporting and information sharing to provide members protection from legal action

• Advocates for the needs of the small business and nonprofit community.

Become a member of the NCSS today and learn more about how to protect your business from cyber attack.

Find out more at www.nationalcybersecuritysociety.org.

Page 10

Pandesa Corporation, dba ShareVault

Headquarters 16795 Lark Avenue, Suite 210 Los Gatos, CA 95032

ShareVault is a registered trademark of Pandesa Corporation, dba ShareVault

About ShareVault®

ShareVault offers secure, cloud-based document sharing solutions, also known as virtual data rooms, for organizations of all sizes looking to securely control and monitor highly confidential documents being shared with outside parties. Backed by the experience of billions of dollars in deal transactions, ShareVault’s solutions are used in due diligence for:

• Licensing and Partnering

• Fundraising and M&A

ShareVault is also used in other sensitive applications such as:

• CROs and CMOs sharing and protecting their SOPs

• Document sharing with consultants, vendors, distributors, Scientific Advisory Board and Board of Director members

• Document archiving for sponsor and regulatory audits

• University tech transfer licensing processes

ShareVault’s robust features together with its wide adoption and recognition in Life Sciences (44 out of the 45 largest pharma companies have used ShareVault) are just two of many reasons BIO and more than 50 other regional associations have chosen ShareVault for their member savings programs. It is also why organizations in 48 countries have trusted ShareVault for their secure document sharing needs.

Toll-free USA 800.380.7652 | Worldwide 1.408.717.4955 sharevault.com