Simple Steps Nonprofits Can Take to Boost Their Cybersecurity
By Bartholomew St. John, Chief Innovation and Communications Officer, Communities In Schools of Chicago
January 1 arrived, and there I was, hunkered over my laptop, clicking through the first course in Google and Coursera’s online cybersecurity certificate program. I had read about the popular course on CNBC a few months earlier and was intrigued. Not because cybersecurity is a fast-growing and lucrative field of employment. (Though it is). Instead, I wanted to better understand the key challenges that cybersecurity professionals are grappling with today and how they train to defend against those threats.
I took a Cannonball Run approach to earning my certificate — hitting it hard daily, 8 courses in a dozen days. It was a firehose of information aimed at me. We covered everything from assessing risk and reducing “attack surfaces” to understanding network defenses and exploring tools of the cybersecurity trade like Linux, SQL, and Python. Fortunately, a lot of the information eventually soaked into my brain. By the end of the program, I’d developed a deeper conceptual understanding of cybersecurity and the threats lurking out there.
It’s hard to believe that a generation ago most of the assets of an organization like mine were tangible: confidential dossiers, microfiche tapes, and countless paper files locked inside those old rhino-grey filing cabinets. Basically, a Dunder Mifflin dreamscape. Today, the bulk of organizational assets are digital, and threats are constantly emerging that can compromise the integrity of so much of that essential data and information. A 1980s officer manager didn’t have to worry about international crooks trying to break into their brick-and-mortar building each day to steal a trove of manila folders. But today, in the digital world, that’s essentially what’s happening. Cybercriminals are working around the clock, from lairs across the globe, trying to crack networks and steal sensitive information.
When people think of those threats and the organizations that get hacked, big companies come to mind: Equifax, Target, MGM, Home Depot. But cyberattacks victimize all parts of the economy. In recent years, hospital groups, law enforcement agencies, and city governments have all been hit. The nonprofit sector, which I’ve been part of for decades now, is not immune from cyber threats either. Last fall, Save the Children experienced a ransomware attack that impacted terabytes of the organization’s data. In 2022, the venerable International Committee of the Red Cross experienced a major breach, resulting in the leak of personal data of more than a half million people. But it’s not just a few high-profile cases like these that cause worry. According to a recent Nonprofit Tech for Good report, more than a quarter of nonprofits and have been compromised by cyber attacks.
The costs of cybercrime are well-documented. Financial, reputational, and operational harm all come into play when an organization is breached, undermining long-term brand-building efforts. Despite the threat atmosphere, far too many nonprofits are behind the curve when it comes to cybersecurity. Studies by several industry analysts, for example, have found that:
- Almost 60% of nonprofits did not train staff on cybersecurity risks.
- More than half of nonprofits do not use multi-factor authentication to secure networks.
- And about two-thirds don’t have documented procedures in place to respond to a data breach.
If you work for a smaller nonprofit with a modest budget and limited staff, this may all sound a bit overwhelming. But there are still steps you can take in-house to begin building your defenses. Here are a few to consider:
Conduct a digital security audit.
Where are the vulnerabilities in your website, servers, or password procedures? Ethical hackers can conduct ‘penetration tests’ to find lapses in your defenses, and then share insights into how to patch them in a cost-effective way. Squeamish about bringing an outsider in to test your defenses? Then conduct your own audit by interviewing the leaders of teams within your organization. Start by asking them to prioritize the data and other digital assets they own. Which assets are public and can be made available to everyone? More important: which are confidential and should have the strongest protections and greatest user restrictions? Clarifying which assets are most sensitive and mission-critical, and determining if they are robustly protected, can be a first step to strengthening your internal security procedures.
Develop a digital usage and cybersecurity policy.
What are expectations for your staff around computer equipment usage? Connecting to public Wi-Fi networks? Sharing passwords or transmitting organizational data via email? Being alert to phishing attacks? All these questions and many more can be answered in a succinct digital usage policy. And good news: you don’t have to start from scratch to create one. Templates abound online if you do a simple keyword search.
Enable multi-factor authentication.
If you use banking apps or health insurance portals, you’re probably already familiar with how multi-factor works. In order to successfully log in to a website, you need to have a code emailed or texted to you, in addition to having the correct password. It’s a simple but powerful extra step that helps prevent a malicious actor from gaining access to your accounts if they happen to guess your password through a variety of devious methods. By adding this extra layer of protection to your organization’s work platform like Google or Office 365, you substantially enhance the defenses of your network with little to no extra cost or effort.
Research options with cybersecurity insurance.
A trial attorney here in Chicago once told me that some of the ugliest cases he’d litigated were cyber cases. That’s in no small part due to what’s at stake when breaches occur: loss of confidential information like donors’ or clients’ personally identifiable information, including health records, credit card information, and social security numbers. For a few thousand dollars a year, organizations can sometimes secure millions of dollars worth of protection. What’s more, the underwriting process for issuing a new cybersecurity policy typically includes a risk assessment by the insurance company, providing an organization with insights into how its risk profile is assessed by a knowledgeable third party.
The old adage that the only certainties in life are death and taxes probably needs updating at this point. One more given nowadays is that cybercrime is a constant threat. For that reason, it’s in the interest of any nonprofit organization, and the clients it serves, to put focused attention into making sure its digital assets are as secure as possible.
