Cyber Security Vulnerabilities
In light of the recent Blackbaud data breach, we are reminded how important it is to keep your data secure and to stay aware of cybersecurity vulnerabilities. What should be done to address the risks? Not-for-profit organizations handle sensitive data every day, which makes them a prime target for attackers. Reputation is everything to a not-for-profit, and a data breach or other cyberattack can destroy that reputation very quickly. Some of the top cybersecurity threats to an organization today are its own employees, unpatched or outdated software, and poor password management.
Do your employees know how to tell whether an email is from a legitimate source? Can they distinguish safe attachments from unsafe ones? What if someone emails one of your employees asking for private information, or pretends to be someone they are not? Proper training helps employees recognize threats that reach your organization by email, chat, or telephone.
Security Awareness Tips
Many data breaches begin when an employee clicks on an email link or attachment. Attackers constantly adjust their methods and are getting craftier: phishing emails often look legitimate and may come from addresses that appear valid, or even from a real account that has already been compromised. Security awareness training for all employees, including board members, should be completed regularly. Below are a few email red flags noted by KnowBe4, a security awareness training and simulated phishing platform:
- Is the email from someone you don’t ordinarily communicate with?
- If the email is from someone within your organization, is it very unusual or out of character?
- Is the email from the Executive Director/CEO urging you to pay an invoice quickly or wire money to someone? Always confirm face to face or voice to voice, using a phone number you already have rather than one given in the email.
- Were you copied on an email sent to one or more other people whom you don't personally know?
- Was the email sent to an unusual mix of people? For instance, it might be sent to a random group of people at your organization whose last names start with the same letter.
- Is the sender asking you to click on a link or open an attachment to avoid a negative consequence?
- Is the email out of the ordinary, or does it have bad grammar or spelling errors?
Software patches and anti-virus software are pivotal in cybersecurity. Patches close the known vulnerabilities that attackers use to run code on your computers or network remotely, and anti-virus software detects known malicious files, whether they arrive as email attachments, downloads, or removable media. Operating system and application patches, and anti-virus updates, are released to protect the computers on which they are applied, and they must be applied promptly and regularly; an unpatched system remains exposed to every vulnerability disclosed since its last update.
If you are unsure about a link, hover over the link or picture before clicking to see where it actually leads. Often the real destination will not match the text displayed, and you can see that it is trying to send you to a different, disreputable site. This should be your first indication that something is not right, and you should not click. Remember that the visible link text can say anything; only the underlying address matters. If you are on a mobile device and cannot hover over the link, leave emails you are unsure about until you have a workstation or laptop with the proper tools to evaluate the link.
Where are your passwords right now? If you lift your keyboard, open your drawer, or even look in that notebook you keep next to the computer, would you find your password? Today's threats aren't always coming at you digitally. If someone can find the password to your computer or account, they have an easy way into your information. Password policies about storage and expiration are important to ensure that the sticky note under your keyboard isn't the weakness that lets someone cause your organization unnecessary problems. If you are having trouble remembering multiple passwords, consider a password manager such as Dashlane, 1Password, LastPass, Keeper, or one of many other options.
On that note, give thought to the physical location of your network and computer devices. Someone with the right skills and physical access to a computer often does not need the password: an unencrypted disk can simply be read from another machine, and a device left signed in, with passwords saved in the browser, needs no attack at all. A laptop you keep in your car or the desktop computer that is always signed in with saved passwords might be a prime target for someone looking for access to places they shouldn't be. Full-disk encryption and locking the screen whenever you step away reduce this risk.
Does your organization accept online payments or credit cards? Make sure your payment processor meets the requirements that apply to payment processors, such as the Payment Card Industry Data Security Standard (PCI DSS). A less reputable processor might not protect your data or the data of your contributors well enough to prevent dishonest types from skimming card numbers as they pass across a website or service. Consider asking whether the processor has a SOC 1 or SOC 2 report, issued by a CPA, which describes and verifies the controls it has in place.
If you have any questions or would like assistance addressing the risks for your organization, please contact your Blue & Co. advisor.