When security professionals work with nonprofit organizations (NPOs), our primary focus, understandably, is most often the protection of persons, facilities, and operations in the physical domain. Increasingly, however, we find ourselves shifting to looking at threats coming from the digital domain, where bad actors are stalking and targeting our clients and partners. In the COVID era, as cyber activities and digital footprints have increased exponentially, these cyber threats – and vulnerabilities – have grown in tandem. At the Secure Community Network (SCN), the official safety and security organization of the Jewish community, we saw a sharp increase in cyber threats in the early days of the COVID crisis, and we have seen these threats steadily rise ever since. In this respect, we have faced challenges similar to security professionals advising the full spectrum of faith-based and secular NPOs: how to frame cybersecurity strategies in a manner that both conveys the urgency of the threats and makes the solutions, and the necessity of their adoption, accessible to those who may find the topic arcane, intimidating, or abstract.
SCN’s CEO Michael Masters often reminds us we cannot choose how or when an organization will be targeted, but we can choose to be prepared for how we will deal with an attack. This wisdom applies equally to both physical threats and cyber-attacks. Chief Security Officers, security consultants, and other security professionals, as trusted advisors to organizational leadership, can bridge the cybersecurity gap by introducing best practices to their partners and clients to help them build a mature, robust program. Security professionals can adapt fundamental security concepts of situational awareness, target hardening, and incident response to cyber-risk management.
Why Don’t NPOs Invest in Cybersecurity?
For a variety of reasons, NPOs often fail to invest in cybersecurity. These reasons typically fall into one or more of three categories:
“Too Small to Target.” Small NPOs often think cyber criminals will ignore them in favor of bigger, richer targets. In fact, small businesses – with staff and budget profiles similar to those of most NPOs – account for around 60 percent of all victims of cyberattacks, according to an oft-cited industry statistic. NPOs generally overlook the asset that makes them most attractive to cyber criminals: the valuable financial and personal data they hold on members, donors, and funders. That data, combined with the funds under their stewardship, makes NPOs attractive targets. If NPOs fail to harden their cyber defenses, they are likely to wake up one day to find it is too late.
“Somebody Else’s Problem.” NPOs routinely outsource infrastructure, administrative, and back-office functions, including information technology (IT) support. Organizational leadership may mistakenly assume this covers all their cybersecurity needs when, in fact, the standard IT support function seldom includes more than detecting and preventing events that could disrupt regular IT operations. The net result is that no one, inside the organization or acting on its behalf, has clear responsibility for maintaining cybersecurity “end-to-end” across the enterprise from a risk management viewpoint: staff training, policy compliance, and engagement after a cyber incident all go unowned.
“Not Worth It.” Organizations large and small often believe that absorbing the cost of a potential cyber breach, especially through insurance and tax deductions, will be easier and less expensive than making the investments necessary to prevent a breach. They are mistaken. Industry reporting suggests that as many as two-thirds of small businesses that suffer a cyberattack may be shuttered within months. Those that survive may face hits to budgets and operations and reputational or brand damage. For an NPO, trust that it will safeguard sensitive financial data and funds under its stewardship is critical to fundraising and operations. The potential costs of an NPO forgoing cybersecurity are, by all measures, far higher than the cost of implementing a responsible cybersecurity program.
Cybersecurity as Enterprise Risk Management
The gritty science, impenetrable language, and constantly changing technology of cybersecurity can be daunting. Executives and managers, however, are proficient in managing all kinds of risk in their organizations. By viewing cybersecurity as a facet of their overall enterprise risk management, they can come to terms with their stewardship obligations in this domain. In larger organizations, this is typically accomplished by hiring a Chief Information Security Officer (CISO), often a member of the C-suite answering directly to the board of directors. The CISO owns the enterprise’s risk for its information and the integrity of that information, and for the continuity of IT operations, working in close collaboration with a Chief Information Officer and the IT team. Competition for CISO talent is high, and average salaries can exceed $200,000 per year. Add the cost of an in-house cybersecurity team to support the CISO, and the price tag can be out of reach for many nonprofits.
Smaller organizations generally cannot afford a dedicated CISO. A lower-cost alternative exists in the ecosystem of Managed Security Service Providers (MSSPs), many of which are right-sized and fit-for-purpose to meet the needs of small enterprises, including NPOs. MSSPs can provide a virtual, on-demand CISO (vCISO), as well as network monitoring and incident response services. Outsourcing this service can make best-in-class services more affordable and accessible for nonprofits.
At the barest minimum, an organization’s leadership should designate a member of its executive team as the risk manager for cybersecurity. This risk manager should be empowered and resourced to identify cyber risks in the organization’s plans and operations, to develop strategy and plans to address those risks, and to promulgate sensible cyber policies and ensure compliance with them.
SCN, as a national organization supporting the community of Jewish faith-based organizations, works to provide security solutions that serve the broader community of its partners. These solutions include identifying fit-for-purpose training, technical, and risk management platforms, achieving economies of scale and efficiency for those partners. Communities of interconnected NPOs can similarly pool their combined requirements and assets to achieve comparable efficiencies.
Know Your Organization’s Inherent Cyber Risk
Every NPO should know its inherent operating risk, including cyber risk, across four domains. The intersection of these four domains describes the organization’s inherent cyber risk. With this understanding of an organization’s risk, its leadership, especially its cyber risk manager, can build and implement an Information Security (InfoSec) program to meet its needs.
“The Crown Jewels.” These are the things that are of the greatest value to the organization. Chief among them is the organization’s reputation as well-governed, and as a reliable steward of information and assets entrusted to its care. The crown jewels also include the intellectual property and proprietary information on which an organization’s essential functions depend. For an NPO, these include member and donor databases and grantee lists, along with associated financial and program data. An organization should carefully catalog all of these assets and understand how essential functions rely on the availability and integrity of that data.
“Interdependencies.” Each of an organization’s essential functions is dependent on additional, second- and third-level activities to accomplish its mission, as well as on a mix of staff members, contractors, vendors, and a supply chain. Mapping these interdependencies – internal and external – and their reliance on the organization’s crown jewels can reveal potential points of vulnerability of or intrusion into an organization’s operations.
“Signatures.” Internet presence and activities leave a trail that can allow cyber criminals to learn about their targets and tailor an attack to their weaknesses. That digital trail includes information voluntarily shared, information mined from online activities, and information that algorithms intuit or assume from compiled information. This trail is sometimes referred to as “digital exhaust,” but “digital artifacts” is a better term: exhaust is ephemeral, whereas much of what individuals and organizations do online lives forever. Organizations should carefully curate what information is posted on their websites and social media accounts, and ensure both are secured from outside intrusions. They should also monitor what is posted about their organizations on third-party websites and social media accounts. Organizations should restrict user activity on their network to trusted sites that are necessary for the conduct of business. An organization’s IT services provider should be able to blacklist sites known to be untrustworthy and to whitelist trusted sites. There are subscription services that help to identify trusted and untrustworthy sites.
“The Adversary.” From “phishing” (emails that try to hook employees into revealing information that enables a cyber-attack), to ransomware (which encrypts data and holds it hostage), to business email compromise (emails impersonating senior executives or other key employees, in order to convince targeted employees to carry out fraudulent transactions), knowing the current threats to the organization is key to preventing breaches. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation’s InfraGard program regularly publish cyber threat reports that should inform NPO cybersecurity efforts and policies.
An InfoSec Program That Builds a Cybersecurity Culture
The aim of an InfoSec program should be both to meet fiduciary responsibilities for good governance and to build a strong culture of cybersecurity. Good cybersecurity policies alone are not enough to address an organization’s cyber risk. Culture trumps policy, and only policies that translate into practices repeated consistently over time can yield a good cybersecurity culture. These practices include:
Training. A well-trained staff is an organization’s best firewall against cyber-attacks. New employees should receive training on cyber awareness and the organization’s cybersecurity policies as part of the onboarding process, as should any contractors or others who have been granted access to the organization’s network or data. Additionally, refresher training should be required at least annually for anyone accessing the organization’s network and data.
Password Discipline. In today’s digital climate, organizations should provide staff with a password manager application. These applications function as an encrypted digital lock box, opened with a single master password, in which users can securely store log-in information for all of their accounts. These applications also assist with the creation of strong, unique passwords for each account, warn users of weak, repeated, or compromised passwords, and remind users to change passwords regularly. Employees should be required to use the password manager for all work-related accounts, and encouraged to use it for personal accounts. There are reliable password managers available at a modest cost, with cost savings for enterprise licenses.
Multifactor Authentication. Multifactor authentication (MFA) is today an industry best practice. It requires users to provide a second means of authenticating their log-in to an account or application, in addition to a correct user name and password. Like adding a deadbolt to a door, this extra step involves a small inconvenience but brings a much higher order of security. MFA comes in many forms, from one-time access codes texted to a smartphone, to applications and devices that generate one-time access codes for each log-on, to card readers or other devices that require some kind of physical key. For any account or application where MFA is available, organizations should require its use. If a new application being considered by an organization does not include MFA as standard security, it should be avoided. Staff should be well trained in using MFA correctly to ensure its effectiveness.
Securing Remote Workers. With remote work comes increased risk to organizational data integrity and confidentiality. In the COVID era, most organizations have become dependent on videoconferencing platforms to replace face-to-face meetings. A new meeting application is deployed every few weeks, and each has its strengths and its vulnerabilities. Their ease of use and convenience often mask vulnerabilities to unwanted attendees crashing the call. Institutions should carefully vet and select their preferred application to ensure it offers security and privacy features commensurate with their risk profile and risk tolerance. Different platforms may be called for by different uses within the same institution. Whichever platform is chosen, employees must be familiar with its privacy and security tools and how to use them effectively.
Home wi-fi and public networks used for remote work are notoriously vulnerable to exploitation by cyber criminals. To mitigate this risk, at a minimum, organizations should provide remote workers with a virtual private network (VPN), which acts as an encrypted “tunnel” through unsecured wi-fi portals to the organization network. Organizations with higher cyber risk profiles may need to consider services that provide secure virtual browsers or desktops, isolating the user’s work and access to the network inside encrypted and obfuscated cloud domains. There are a number of highly reliable VPN services available at a modest cost and with discounts for enterprise licenses. Virtual browser and desktop services can be somewhat more expensive but, when needed, are worth the cost.
Up-to-Date Software. Software companies and vendors are constantly trying to find vulnerabilities in their programs and develop patches for them before they can be exploited by cyber criminals. While organizations cannot control how long it takes the software vendor to design and field the fix, they can ensure the fix is expeditiously applied, whether by enabling “auto-update” for software or adopting policies requiring users to install software updates quickly when they become available. “Patch latency,” the interval between release of a fix and deployment on the organization’s systems, should be a key performance metric for assessing an organization’s IT service provider.
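Patch latency as defined above is easy to turn into a measurable KPI. The following is an added example, not code from the article or from SCN; it assumes a constructed patch inventory (hypothetical hosts and dates) and a hypothetical 14-day policy window, and treats a fix that is still undeployed as latency that keeps growing until the report date.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Assumed policy: a fix deployed within this many days of release counts as on time.
SLA_DAYS = 14
# Date the report is generated; open (undeployed) fixes are measured up to this day.
REPORT_DATE = date(2021, 3, 31)


@dataclass
class PatchRecord:
    host: str
    software: str
    released: date            # day the vendor published the fix
    deployed: Optional[date]  # None means the fix has not been applied yet


def latency_days(rec: PatchRecord, as_of: date) -> int:
    """Patch latency in days: deployment date minus release date.

    A fix that is still outstanding has no deployment date, so its latency is
    measured up to the report date; it is exposure that is still accumulating.
    """
    end = rec.deployed if rec.deployed is not None else as_of
    return (end - rec.released).days


def patch_latency_report(records, as_of: date, sla_days: int = SLA_DAYS) -> dict:
    """Summarise patch latency across an inventory and flag policy breaches."""
    latencies = [latency_days(r, as_of) for r in records]
    outstanding = [f"{r.host}:{r.software}" for r in records if r.deployed is None]
    breaches = [f"{r.host}:{r.software}" for r in records
                if latency_days(r, as_of) > sla_days]
    return {
        "count": len(records),
        "median_days": median(latencies),
        "max_days": max(latencies),
        "within_sla_pct": round(100 * (len(records) - len(breaches)) / len(records), 1),
        "outstanding": outstanding,   # fixes not applied at all
        "breaches": breaches,         # fixes applied late, or not at all, past the window
    }


# Constructed sample inventory; hosts and dates are made up for illustration.
SAMPLE = [
    PatchRecord("laptop-01", "browser", date(2021, 3, 1), date(2021, 3, 3)),
    PatchRecord("laptop-02", "browser", date(2021, 3, 1), date(2021, 3, 20)),
    PatchRecord("fileserver", "os", date(2021, 2, 10), None),
    PatchRecord("laptop-03", "office-suite", date(2021, 3, 5), date(2021, 3, 12)),
]

if __name__ == "__main__":
    for key, value in patch_latency_report(SAMPLE, REPORT_DATE).items():
        print(f"{key}: {value}")
```

The same report run monthly against the IT provider's real change records gives the organization a trend line to hold the provider to.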
Off-line Back-ups. An organization’s IT services provider is likely backing up the organization’s data to ensure continuity of operations. That backup is typically online and discoverable by a ransomware attack, meaning the cyber-criminal will likely encrypt the backup along with the main data storage, depriving the organization of both. A regular backup of the most critical data, maintained offline, can get the organization back to an acceptable level of functionality while it works through the remediation and recovery of its main system. It can also be a critical fail-safe in the event of data loss as the result of any kind of catastrophic event.
Personal Devices Rules. Bring-your-own-device policies introduce substantial cyber risk into enterprise operations. Neither an MSSP nor an IT services provider has visibility into personal devices accessing the organization’s network and data, meaning they can neither verify that operating systems and applications are up to date with current patches nor audit those devices for malware. Prohibiting personal devices on the network, however, is difficult to enforce and therefore largely ineffective. A more practical solution can be policies that require whitelisting of personal devices, combined with IT solutions that limit what systems and data can be accessed with those devices.
Business Controls. The social engineering used by cyber bad actors depends on complacency and laxity in business operations to manipulate their targets. Organizations can disrupt such efforts by introducing skepticism into their processes and requiring validation of transactions. Any request coming from an unknown party, or for an atypical action from an ostensibly known party, should automatically be met with suspicion. Any atypical transaction should require separate verbal confirmation before moving forward, to disrupt any social engineering-based fraud.
Testing. InfoSec measures require regular testing and evaluation to ensure they are achieving the organization’s goals. At the most foundational level, there should be regular “phishing” tests of the staff, with those who fail given mandatory retraining. Staff who repeatedly fail should have their data access and privileges restricted. Conversely, staff who successfully identify and report potential cyberattacks should be publicly acknowledged and rewarded, reinforcing the desired behavior. More sophisticated technical tests to assess the vulnerability of an organization’s digital infrastructure to penetration by outside actors (“pen tests”) should also be conducted regularly.
Planning for Incident Response, Remediation, and Recovery
Preparedness for cyber incidents, just like preparedness for natural disaster or other emergencies, requires having a plan that addresses incident response, immediate-term remediation, and longer-term recovery, including returning to an acceptable level of functionality and addressing vulnerabilities that may have enabled the attack in the first place. Such a plan should also identify an organization’s key staff who will be involved in responding to, remediating, and recovering from any cyber incident, and ensure they are familiar with their roles and responsibilities. Regular tabletop and full-scale incident-response exercises will go far to ensure effectiveness.
MSSP. Given the technical complexities involved in cyber-attacks and their remediation, an organization’s incident response will likely require the specialist services of an MSSP. As part of its incident response planning, an organization should identify and establish a relationship with an MSSP that suits its needs. Engaging the MSSP in the incident response planning process will enhance its responsiveness and effectiveness in the event its services are needed. Some MSSPs prefer a retainer-fee-based model for incident response services. In these cases, unused hours should be available to be repurposed to other cybersecurity assistance, as needed.
Insurance. As part of an organization’s incident response plan, it should have sufficient insurance coverage for cyber losses and liabilities, as a means to cushion losses and facilitate recovery. As a reminder, insurance is not a substitute for a sound InfoSec program and good risk management practices. Moreover, it should be emphasized that the payment of ransom, whether from insurance or other resources, to recover encrypted data can expose an organization to additional liabilities. Non-U.S.-based cyber actors are often subject to sanctions by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). In these cases, payment of ransom could expose an organization to serious criminal and civil penalties. Consideration of payment of ransom should be done only with a full understanding of the legal and operational risks, and in consultation with legal counsel and cognizant law enforcement officials.
A Unique Opportunity for Security Professionals
Security professionals, regardless of their discipline, are adept at applying fundamental concepts of situational awareness, target hardening, and incident response to enterprise risk management. That expertise can be readily adapted to cybersecurity risk management by integrating cybersecurity into an organization’s enterprise security risk management program. Through sound application of fundamental security concepts, Chief Security Officers, security consultants, and other trusted security professionals can bridge the cybersecurity gap by introducing InfoSec best practices to their partners and clients as the foundation of a mature, robust program.
The digital domain and the inherent hazards, threats, and risks that come with it are an inescapable part of modern life and business. Good governance of organizations – large or small, for profit or nonprofit, faith-based or secular – requires their leadership to consider these risks as part of the enterprise risk management process. Incorporating cybersecurity into the organization’s operations, risk management, and culture can give it a sound cybersecurity posture at a reasonable cost. Failing to do so, while appearing to offer a cost savings in the short-term, can lead to catastrophic costs down the road.
Our clients, partners, and communities already rely on us, their trusted advisors, for physical and operational security, for their safety. No one is better placed than we are to help them to be just as safe and secure in the digital domain.
While a robust InfoSec program is not cost-free, there are some no-cost resources that can be used to start or bolster a program.
Cybersecurity Essentials ToolKits (https://www.cisa.gov/publication/cyber-essentials-toolkits). The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency offers references designed to help C-suite and IT teams work towards full implementation of a sound InfoSec program.
Cybersecurity Resources for Small Businesses (https://staysafeonline.org/cybersecure-business/). The National Cybersecurity Alliance publishes free cybersecurity resources for small businesses as part of its CyberSecure My Business™ program.
Policy Templates (https://www.sans.org/information-security-policy/). SANS Institute has published a catalog of security policy templates to assist organizations in developing their own InfoSec policies.
Cyber Awareness Training (https://www.cdse.edu/catalog/cybersecurity.html). The Defense Counterintelligence and Security Agency’s Center for the Development of Security Excellence makes its Cybersecurity Awareness and Phishing Awareness training available to the public online. These provide sound basic cybersecurity training for any organization.
Secure Community Network Resources (https://securecommunitynetwork.org/cybersecurity). SCN has developed a series of quick-reference guides for cybersecurity awareness, including social media awareness, spotting phishing scams, and videoconferencing best practices.