Published on: Jan 11, 2022 by Mark Schafer
Updated on: August 7, 2024
Nonprofit organizations are at greater risk of cyberattacks than other types of businesses, due to the sensitive information they hold on volunteers and donors – and a frequent lack of cybersecurity measures in place.
Don’t run the risk of your data falling into the wrong hands! Make sure you know how to protect your valuable information by understanding your current cybersecurity protections as well as your gaps.
According to research, only 25% of nonprofits actively monitor their network environments, and even fewer have a policy in place to address cyberattacks. Even with the limited staffing and resources nonprofits face, there are a number of basic cybersecurity techniques that will make you and your nonprofit safer.
How do you know whether you have cybersecurity in place? How do you know if it's good enough? How do you know where to start, or what to spend your time and energy on? The way to answer these questions is to compare your nonprofit to a baseline (i.e., a standard). This gives you an awareness of what's bad, what's good, and what you should be worried about first inside your organization. There are a few ways to do this:
Regulatory Requirements
When implementing a security program, start by identifying any regulatory requirements that affect your organization. For example, are you in the medical field where HIPAA is a concern? Do you accept credit card payments so you need to be concerned with PCI data security compliance? Are you publicly regulated? Do you have international or governmental clients? Start by looking at the base requirements of doing business and if there's already one for your operations, compare your security to those regulatory obligations.
If none of these apply to your organization, the NIST (National Institute of Standards and Technology) Cybersecurity Framework provides a comprehensive set of security practices to follow. The framework addresses most types of cyberattack at some level and helps you understand where resources should be spent.
Policies
What are the protocols in your organization? Most security programs start with policies (i.e., the rules of the road for employees). These are documents that state the organization’s requirements so that employees understand what is expected of them when they start the job. This is typically in the form of an employee handbook.
Make sure all cybersecurity components are covered in those policies and are handled in a way that keeps your organization both compliant with regulatory requirements and secure.
Risk Assessment Process
A risk assessment compares how your organization performs in relation to the requirements of the security framework. The main reason to perform a risk assessment is to identify security gaps.
First, establish a good baseline of what your security posture is today. Once you identify the security gaps, you can mitigate them by implementing the appropriate controls, creating processes, and documenting policies and procedures. Prioritize the mitigations, evaluate potential security partners, and then establish, maintain, and improve your compliance.
The final step is to accurately forecast your future needs – determine where you are today and what your goals and objectives will be in 6 months, 12 months, 18 months, etc.
Ensure you protect your laptop, mobile phone, computer, and anything you interface with day in and day out. Take care of those devices and make sure they are as secure as they can be to help keep your environment safe.
Regulatory requirements (such as HIPAA) state that if a device containing client data with at least 500 records is stolen, you must report it as a violation. However, there is a clause that says the loss does not need to be reported if the device is encrypted. Therefore, every device should be encrypted so that a lost or stolen device does not become a reportable event.
Encrypting a device is as simple as turning on the tool that's built into the operating system; it then requires a password when signing in, and without that password no one can access the data on the device. There is no cost other than the time it takes to encrypt the drive.
Other responsible device practices include:
There are tools already on your systems that you need to make sure are working and are working properly. Are they configured correctly? If you've identified a gap in your baseline that tells you that you need a tool, what's the area you should look for first?
Virus protection is the number one security tool that everyone should use. It's already built into a device’s operating system – just turn it on and make sure you're using it. In larger or more mature organizations, there will be additional processes to ensure protection such as verifying every device has been updated with the most current version of virus protection software. Even though vendors are proficient at patching their systems, viruses can still sneak through so it’s important to make sure these protections are up to date.
Once virus protection is installed, there is an additional step (at extra cost) that makes your systems better able to respond when something bad happens. For example, if a virus is detected in your network and it affects every device running a certain product, these tools can tell you which computers have that product so you can fix those first. They are a bit smarter than basic virus protection because they can reach across all of your endpoints and coordinate your response.
As you build your computer network, more things are going on at the same time and it's hard to keep track of them all. Most software can produce logs and alerts to help. Logs are important because if something bad happens, you can look back in time and see how and when it happened so it can be fixed. Also, pay attention to alerts that pop up to say something is out of date; they appear for a reason, and acting on them keeps your operating system and software updated.
Two-factor authentication (2FA) improves online security by adding an extra layer of protection. It's a straightforward way to make sure that the person logging into a computer is who they say they are. You not only have to enter a password, but you also must provide some other piece of evidence to prove it's really you. If someone steals your password, they can't use it because they don't have that second factor.
There are many types of two-factor authentication. For instance, there are standalone token apps you can put on your phone. The federal government uses a PIV (Personal Identity Verification) card to access devices. Doctors use similar cards that they tap on a reader to prove it's really them and not just somebody who has the password. Fingerprint readers are another way to make sure that you are you. Two-factor authentication lets you secure access beyond just the password.
At any given time, there is a vulnerability out there affecting a large number of systems. Timely patching and updating your devices with the latest software versions keeps everything current. Use the auto-update feature on all devices. Most operating systems offer automatic updates and let you schedule the time the update is performed.
The reason to update is all software has problems. There are vulnerabilities in software and these vulnerabilities are discovered as time goes on. They're not known when the product ships, but they are discovered later when someone breaks in. When the vendors discover an issue, they put a fix together and you will want those fixes on your system as soon as possible. Auto-updates are the way to get it done as quickly as possible, and you don't have to worry about forgetting because the computer just does it for you.
Make sure that every employee who uses your organization’s devices and touches your data is trained sufficiently. Providing training to your employees will prepare them if a hacker strikes. The more they learn, the more they're going to know, the more they're going to notice, and the more it's going to help your overall security program.
A “human firewall” is a well-equipped and trained workforce that is a nonprofit’s best defense against cybersecurity threats. There's a lot that can be caught in advance simply by having your people aware and looking for bad things to happen. They're the last chance you have to catch something as it's coming in or going out the door.
Therefore, training your “human firewall” is of utmost importance. Cybersecurity awareness training should happen often, because human behavior has a large impact on whether an organization gets hacked, and the right reaction from a well-trained person can make the difference. The better trained they are, the better off your organization is going to be.
Cybersecurity is crucial for all types of organizations. Don’t fall victim to a cyberattack. Implement a cybersecurity program and train your employees to protect your valuable information.
If you need assistance with creating a cybersecurity program for your nonprofit, contact SVA today. We can help you protect your organization.
© 2022 SVA Certified Public Accountants
Mark is the Chief Information Security Officer for SVA Consulting, LLC, a member of the SVA family of companies. Mark is a recognized consultant and leader in security program design and build, ensuring the security strategies he deploys are in alignment with his client’s business objectives.