Cyber-security for non-profits: Challenges and Solutions
Non-profits face some significant challenges from a cyber-security risk standpoint. The data they collect on donors, supporters, and clients can be very valuable to criminals. Non-profits are often decentralized and operated by volunteers or part-time employees, and lack a centralized IT, let alone information security, function. Often they have limited resources for internal functions such as IT and cyber-security mitigation.
In general it's easy to volunteer and start working at an organization. In my experience, several organizations have given me admin credentials to some of their systems without performing background checks. It would be easy for somebody with nefarious intent to volunteer for an organization and social engineer their way into gaining access to donor and donation lists, which may include personally identifiable information and bank or credit card numbers. If you are an organization whose donors are concentrated in a particular community, it would be pretty easy for a bad actor who gets on the inside to work their way through that community.
Even volunteers who mean well but who are not aware of the value of the data to such nefarious actors represent risks. They are relatively easy targets for phishing schemes designed to harvest credentials, or worse yet, spear phishing schemes, in which a cyber criminal sends targeted email to an individual posing as a legitimate member of the team requesting information.
Another type of risk is somebody posing as a member of the population the nonprofit is dedicated to serving, in order to obtain benefits they are not actually eligible for. People who work or volunteer for nonprofits want to serve; it can be easy to exploit that interest in “doing good”.
The decentralized nature of nonprofits is both a blessing and a curse from a security standpoint. While there is often no central network to be attacked and breached, each person who connects remotely to an online resource represents a potential exposure.
Now it's not all doom and gloom. Increasingly non-profits use online (“Software as a Service” or “SaaS”) applications to perform core management functions like fundraising, constituent management, accounting, event management and so on. Developers of these systems do put effort into ensuring that they are secure, by encrypting data at rest, encrypting connections, and monitoring usage. When shopping for such systems, ask how the vendor ensures security; it's a good idea to review the vendor's security performance annually.
Unfortunately, there are two significant vectors through which SaaS services can be compromised. The first is credential theft, often accomplished through the phishing or spear phishing attacks mentioned above. A phishing attack typically leads the victim to a bogus web site, designed to look legitimate, that prompts for credentials; its success is predicated on the fact that many people reuse the same credentials across sites. The stolen credentials can then be used on your SaaS application.
The second vector is downloading data, often in the form of reports, from the SaaS application. Once an authorized user downloads data out of the secure SaaS application, it resides in a potentially insecure state. Malware planted on a user's laptop can detect sensitive data and steal it. A user may copy the data to a USB drive that can be physically compromised (as can a laptop, of course), or they may circulate it via insecure email, which is prone to interception. By the way, it's not that farfetched to consider the loss or theft of laptops. I've seen it. In one case, my former company got a significant amount of work from a client whose laptop disappeared with a file of customers of a big five bank they were servicing.
A special consideration is organizations where computer use is a provided service. For a number of years I was on the board of a non-profit that made computers available to community members to process social services functions, prepare resumes, and search and apply for jobs. The amount of malware those PCs collected was breathtaking. They needed to be reformatted and have an OS reinstalled regularly (ideally there would have been backup images reapplied nightly), and it's possible that doing that may not have been sufficient, though in most cases shutting down a PC and erasing the local storage should clean it.
Having considered some of the scenarios we would like to avoid, let's look into some of the things we might do to prevent them. The first challenge is how to “encourage” users authorized to interact with the non-profit's systems to behave and operate in a way that promotes security. The problem here is that all we can do is “encourage”, because the risk is a result of the human-computer interaction gone wrong, and there is no purely technical solution we can enforce, though we can provide some technical help.
At the same time, we can provide training to our users. There are a number of vendors (e.g. Proofpoint, InfoSec, KnowBe4, among others) who offer training programs and implement phishing simulations, where they send emails that look like phishing emails and track how users respond. The cost of entry is fairly low, and some have entry-level programs that have no cost. Many companies, including some of our commercial clients, require their employees to participate in these programs. Requiring anybody interacting with organizational information resources to complete basic security awareness training is a good first step.
Next, we should think about how to control the computing environment that users are working in. Ideally, we would give everybody interacting with our organization’s systems a laptop that was configured with only approved software, that can only reach specified Internet sites, and that runs state of the art endpoint security software. Some non-profits are capable of doing just that, but for others, I suspect it is going to be a stretch.
Most of what I describe in the next few paragraphs will be about identifying legitimate users and controlling their access to information resources on a “need to know” basis. In security circles, we talk about the concept of “Least Privilege”, which is that agents (which can be human or computer based) should only be granted privileges sufficient to accomplish their tasks. This contrasts with the naïve practice of granting new users all the privileges they might ever need when creating their account. A number of companies have become very successful identifying agents with excessive privileges and limiting them. From a non-profit perspective, least privilege means only giving users accounts on the systems they are going to work with, and then going into the internal user access area to control what specific functions they can perform. For example, an individual assisting with accounts payable in an accounting system should not have the right to run financial statements.
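As an added illustration of that accounts payable example (this is example code written for this post's editing pass, not software from any product mentioned here), the snippet below models least privilege as a deny-by-default permission check, contrasts it with the naïve “grant everything” provisioning, and includes the kind of audit that flags accounts holding more than their role needs. The role and permission names are constructed for the example; a real accounting package exposes its own.

```python
from dataclasses import dataclass, field

# Constructed role definitions for a small accounting system. The permission
# names are made up for this example; real products expose their own.
ROLE_PERMISSIONS = {
    "accounts_payable": {"enter_bills", "pay_bills", "view_vendors"},
    "bookkeeper": {"enter_bills", "pay_bills", "view_vendors", "reconcile_accounts"},
    "treasurer": {"view_vendors", "reconcile_accounts", "run_financial_statements"},
}
ALL_PERMISSIONS = set().union(*ROLE_PERMISSIONS.values())


@dataclass
class Account:
    user: str
    role: str
    granted: set = field(default_factory=set)


def provision_least_privilege(user, role):
    """Grant only what the role needs. An unknown role gets nothing at all."""
    return Account(user, role, set(ROLE_PERMISSIONS.get(role, set())))


def provision_naive(user, role):
    """The practice the text warns against: every permission, just in case."""
    return Account(user, role, set(ALL_PERMISSIONS))


def is_allowed(account, permission):
    """Deny by default: anything not explicitly granted is refused,
    including functions that do not exist."""
    return permission in account.granted


def excessive_privileges(account):
    """Permissions held beyond what the account's role requires."""
    return account.granted - ROLE_PERMISSIONS.get(account.role, set())


def audit(accounts):
    """Report every account holding more than its role needs."""
    return {a.user: excessive_privileges(a) for a in accounts if excessive_privileges(a)}


def remediate(account):
    """Trim the account back to its role's permission set; returns what was removed."""
    removed = excessive_privileges(account)
    account.granted -= removed
    return removed


if __name__ == "__main__":
    pat = provision_least_privilege("pat", "accounts_payable")
    sam = provision_naive("sam", "accounts_payable")
    print("pat can run statements:", is_allowed(pat, "run_financial_statements"))
    print("sam can run statements:", is_allowed(sam, "run_financial_statements"))
    print("audit findings:", audit([pat, sam]))
    print("removed from sam:", remediate(sam))
```

The `audit` function is the piece worth borrowing: run it (or its equivalent in your SaaS application's user administration screen) periodically, because privileges accumulate as volunteers change roles and nobody remembers to take the old ones away.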
Least Privilege is a concept in the realm of Authorization, which speaks to what a legitimate agent should be allowed to do. A more basic concept is Authentication, which deals with verifying that the agent requesting access is among those agents allowed access at all, and determining that the agent is really who it claims to be. When you log onto a web site where you have an account, you enter a user name and password, and the web site may rely on those two pieces of information to accept that it's really you who is trying to log in. Unfortunately, in this day and age, those two pieces of information are often insufficient, because the Internet is rife with stolen credentials; you read about hacks of major websites regularly where user names and passwords have been stolen. This occurs because login information is extremely valuable. Many people use the same passwords for many accounts, so if a criminal buys a dataset from a hacker that includes your name and password from Home Depot, chances are it will work on your Wells Fargo bank account as well.
I'll make two recommendations to address the identity challenge. The first is for the organization to license a password manager, which is software that serves as a vault in which individuals save their passwords. I really like 1Password, but their business pricing is a bit high. An alternative is Dashlane, which is available at a discount for nonprofits through TechSoup. (If you don't know about TechSoup, you should.) With a password manager, you enter one password that unlocks your vault, and then it creates a strong, unique password for each site and fills it in for you.
The second recommendation is to use “two factor authentication” or “2FA”. Think of the password as something you know, which is one factor. The second factor is usually something you have, and most of us nowadays have a phone. Your bank texting you a number to enter after it processes your user name and password is an example of a second factor in the 2FA equation. The second common way to do 2FA is to have an Authenticator App on your phone (Microsoft and Google provide them). When somebody logs in with your user name and password, the site sends a message to your Authenticator asking for approval. You have to pick up your device and approve the request before the site will let you in. Most products and services support one of these 2FA mechanisms, and it is a best practice to enable it.
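To show concretely why the second factor defeats a stolen password, here is an added example (written for this post, not code from any bank, Microsoft or Google) of a login check that requires both a password and a time-based one-time code of the kind an authenticator app displays. It assumes the code-entry style of authenticator (TOTP, RFC 6238, the scheme Google Authenticator uses) rather than the push-approval style, and it also guards against a code being replayed after it has been used once. The user name, password and secret are constructed values.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 200_000


def hash_password(password, salt):
    """Salted, slow hash of the first factor (something you know)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret, counter, digits=6):
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP per RFC 6238: HOTP whose counter is the number of 30-second steps since the epoch.
    This is what the authenticator app on the phone computes (something you have)."""
    return hotp(secret, int(unix_time) // step, digits)


class User:
    """Constructed user record: password hash plus the TOTP secret shared with the app."""

    def __init__(self, name, password, totp_secret):
        self.name = name
        self.salt = os.urandom(16)
        self.password_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest time step already accepted (replay guard)


def verify_password(user, password):
    return hmac.compare_digest(user.password_hash, hash_password(password, user.salt))


def verify_totp(user, code, unix_time, step=30, window=1):
    """Accept the current step or one step either side (clock drift between
    phone and server), but never a step at or below the last accepted one,
    so a code that was already used, or intercepted, cannot be replayed."""
    current = int(unix_time) // step
    for counter in range(current - window, current + window + 1):
        if counter <= user.last_counter:
            continue
        if hmac.compare_digest(hotp(user.totp_secret, counter), code):
            user.last_counter = counter
            return True
    return False


def login(user, password, code, unix_time=None):
    """Both factors must pass. A stolen password alone, as in the reused-credential
    scenario described above, gets the attacker nowhere without the phone."""
    unix_time = time.time() if unix_time is None else unix_time
    return verify_password(user, password) and verify_totp(user, code, unix_time)


if __name__ == "__main__":
    secret = os.urandom(20)                      # constructed shared secret
    alice = User("alice", "correct horse", secret)
    code = totp(secret, time.time())             # what her authenticator app would show
    print("stolen password only:", login(alice, "correct horse", "000000"))
    print("password + current code:", login(alice, "correct horse", code))
    print("same code replayed:", login(alice, "correct horse", code))
```

The time window and the replay guard are the two details that separate a working second factor from a decorative one: too wide a window gives an intercepted code a long shelf life, and without the counter check a code phished from a user can be entered by the attacker seconds later.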
Using authentication methods that enforce strong passwords with 2FA, and adhering to least privilege, go a long way toward securing your organization. There are ways to make authentication and authorization even stronger, but that would be beyond the scope of this article.
Finally, I should mention “endpoint security”, which is a modern term for what we used to think of as anti-virus software. Viruses are no longer our biggest worry in the cyber-security realm, and users are interacting with our systems using a wide variety of devices, or endpoints. The TechSoup Virus and Malware Protection page claims that the products offered will “help nonprofits protect their organization’s data from viruses, worms, Trojan horses, botnets, rootkits, and spyware.” Those are some of the kinds of threats we worry about. The problem is they have a tendency to jump from the user's device into whatever network they connect to, and you don't want your users' malware to jump into your network. TechSoup offers products in this category from Norton, Avast, and Bitdefender, which are all worth looking at.
Now, in the nonprofit world, where you have volunteers using the system, policing use of endpoint protection products can be tricky. You might consider requiring your volunteers to certify that they have current endpoint protection running on their PCs and other devices. It's not widely known, but most of these products have apps for iPhone and Android based devices.
A final note is that Microsoft has a number of products available for nonprofits, for instance, an approved nonprofit can receive 10 free licenses of Microsoft 365 Business Premium and pay only $5.50 (USD) per month for each additional license. That’s a 75 percent discount off Microsoft commercial pricing. Nonprofits that use Microsoft 365 Business Premium get access to a variety of security tools and Microsoft will perform security assessments on them. For larger nonprofits this is certainly something to consider.
There’s more and I may go into some of that in a later post. With the length of this post, I’m afraid I may have lost some of you along the way. For now this should be sufficient to get you started. If you want a one on one deep dive on security practices, feel free to contact me.