Cybersecurity Awareness 101: "Nonprofit" Doesn't Translate to "Non-Risk"
Posted on 05/10/2017
Dale A. Dresch, IT Audit Manager at Maloney + Novotny LLC, recently spoke to Licking County nonprofits about the variety of risks introduced as organizations increase their integration and reliance on information technology, with a special focus on cybersecurity as it relates to nonprofit organizations.
Here are some interesting/scary things we learned at Cybersecurity Awareness 101:
• 95% of security breaches start with social engineering. Social engineering is psychological manipulation of people into performing actions or divulging confidential information. (See how to avoid this below.)
• On average, it takes 147 days to detect a security breech/intrusion.
• Since January 1, 2016, there have been 4,000 ransomware attacks daily! The average ransom amount was $700.
Any organization can be vulnerable to a range of cyberattacks. There is no way to avoid being the target of a cyberattack, but that doesn’t mean becoming a victim. Simple steps can have huge results: restricting which programs can run on organization’s computers, keeping software updated regularly and minimizing the number of people who have administrative control over networks and key machines.
One of the biggest cybersecurity risks is your people. No matter how great your data backups, antivirus, firewalls, and security measures, hackers and cybercriminals still often break into an entity because employees click on suspicious links and email attachments. Are your employees trained about the dangers of clicking on malicious emails and websites?
There are some attacks that every employee should know about. The most common attacks use a method called “phishing,” or a variant that specifically targets one potential victim, called “spearphishing.” These typically take the form of email messages that appear to be sent by coworkers or supervisors asking for sensitive information. These messages can contain instructions that a victim might follow, believing them legitimate – such as clicking a link that installs malware or captures login information, or even making a wire transfer to another business’s account. The best defense against these types of attacks involve skepticism and vigilance. Attackers can be very clever and persistent: If just one person has one weak/careless moment and clicks on one malicious link, an entire network can be compromised.
What can you do?
• Make sure you have antivirus/antispam software, and keep it updated.
• Don’t click on hyperlinks in emails (see more on this below).
• Don’t open attachments directly from email, save them to your computer so that your antivirus software can scan it. If you have ANY suspicion, delete the email and request that the sender re-send it.
• Have multiple backups offsite, and make sure they work.
• Consider purchasing cybersecurity insurance for your organization.
• Have a cybersecurity audit done, or talk to your I.T. provider about your preparedness.
• TALK TO YOUR EMPLOYEES ABOUT CYBERSECURITY FREQUENTLY!