
Cyber Security Vulnerabilities for NFPs

A hot topic of many conversations recently has been cyber security. Are not-for-profit organizations at risk? If so, what should be done to address the risks? Not-for-profit organizations handle sensitive data every day, which makes them a prime target for an attacker. Reputation is everything to a not-for-profit organization, and a data breach or other cyber attack can destroy that reputation very quickly. Some of the top cyber security threats to an organization today are your employees, outdated software or patches, and poor decisions in password management.

Do your employees know how to tell if an email is from a legitimate source? Can they identify safe attachments and non-safe attachments? What if someone sends an email to one of your employees asking for private information, or pretends to be someone they are not? Proper training for your employees will help them identify possible threats that might be reaching out to make contact with your organization via email, chat and/or telephone.

Security Awareness Tips

Many data breaches are initiated when employees click on email links or attachments. Attackers are always adjusting their attack methods and are getting craftier. Emails often appear legitimate and may originate from email addresses that appear valid. Security awareness training for all employees, including board members, should be completed regularly. Below are a few red flags regarding emails noted by KnowBe4, a security awareness training and simulated phishing platform:

  • Is the email from someone you don’t ordinarily communicate with?
  • If the email is from someone within your organization, is it very unusual or out of character?
  • Is the email from the Executive Director/CEO encouraging you to pay an invoice quickly or wire transfer money to someone? Always confirm face to face/voice to voice.
  • Were you copied on an email sent to one or more people, but you don’t personally know the others?
  • Was the email sent to an unusual mix of people? For instance, it might be sent to a random group of people at your organization whose last names start with the same letter.
  • Is the sender asking you to click on a link or open an attachment to avoid a negative consequence?
  • Is the email out of the ordinary or does it have bad grammar or spelling errors?

Software patches and anti-virus software are pivotal in the cyber security world, as they keep attackers from being able to inject code or processes in your computers or network remotely, or from sending your organization disks or files that do nefarious things like stealing sensitive information. These patches to the operating systems and antivirus are released in an effort to protect the computers on which they are applied, and it is important they be applied regularly to ensure the maximum level of protection.

If you are unsure about an email or attachment, hover over the link or picture before clicking through to an external site. Often the destination shown will not look legitimate, and you can see that the link is trying to send you to a different, disreputable site. This should be your first indication that something is not right and you should not click on the link.

Where are your passwords right now? If you lift up your keyboard, open your drawer, or even look in that notebook you keep stored next to the computer, would you find your password? Today’s threats aren’t always coming at you digitally. If someone can find the password to your computer or account, they have an easier way to get into your information. Password policies about storage and expiration are important to ensure that the sticky note under your keyboard isn’t the weakness that lets someone cause your organization unnecessary problems. If you are having trouble remembering multiple passwords, consider a software password manager such as Dashlane, 1Password, LastPass, Keeper, or a host of other options.

On that note, give thought to the physical location of your network or computer devices. If someone of the right skill level can physically get to your computer, they do not need the password. A laptop you keep in your car, or the desktop computer that you always sign into and that has your passwords saved, might be a prime target for someone who is looking for access to places they shouldn’t be.

Does your organization accept online payments or credit cards? Make sure your payment processor is compliant with all the requirements of a reputable payment processor. A less reputable processor might not protect your data or the data of your contributors in such a way that prevents dishonest types from skimming the numbers as they pass across a website or service. You may consider inquiring whether the processor has a SOC 1 or SOC 2 report, issued by a CPA, which describes and verifies the controls they have in place.

If you have questions or would like assistance addressing the risks for your organization, please feel free to contact Holly Fields, Thomas Skoog or your local Blue & Co. advisor.

 
