"It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it." - Stephane Nappo.
Cybersecurity in general, and non-profits in particular, is an increasingly pervasive concern today. Over the last two decades, cyberattacks have continued to increase in number and size. Every shape and size are increasingly at risk.
Non-profit organizations (NPOs) are even more vulnerable as they have rather limited defense systems than other organizations. By shifting to technology-based platforms, cybersecurity has not only become crucial but difficult and complex. Industry experts estimate that cybercrime costs will double in the next decade, with the COVID-19 outbreak proving to be a catalyst.
Just how far behind we are can be seen in that only 20% of nonprofits have instituted a policy to address cyberattacks. What about you? Do you have a cyberattack policy in place?
It's a must for NPOs to have a fundamental understanding of a proper cybersecurity approach. To better help them overcome their cybersecurity risks and challenges, this article covers the most common types of cyberattacks that NPOs must guard against and lays down a systematic approach to design a robust cyber strategy, along with the best practices to be followed.
Get to know the most prevalent cyber attacks against non-profits
This is malicious software that is downloaded through a network vulnerability. It could contain spyware, ransomware, trojans, viruses, or worms.
Example: Emotet is a sophisticated malware that is hard to fight as it evades signature-based detection. As per the US Department of Homeland Security, this banking trojan has cost the government up to $1 million per incident.
A common threat where the attacker sends a malicious email to steal sensitive information. This can be done through deceptive phishing, spear phishing, whale phishing, pharming, COVID-19 related spam call, etc.
Example: A CEO fraud attack against Austrian aerospace company FACC in 2019 in which a phishing email was sent to a low-level accountant. The email purported to be from the company's CEO required funding for a new project. The accountant unknowingly sent $61 million into fraudulent foreign accounts.
This special attack floods networks, systems, or servers with malicious traffic, making it unavailable.
Example: In 2020, AWS reported mitigating a big DDoS attack. At the attack's peak, the incoming traffic was at a rate of 2.3 terabits per second (Tbps).
Man-in-the-middle attack (or eavesdropping attack)
Attackers can steal data or sensitive information by secretly inserting themselves between the victim and the network service.
Example: A Belkin wireless network router executed a noteworthy non-cryptographic MITM attack. It would periodically take over an HTTP connection routed through it, failing to pass the traffic to its destination. In place of the requested page, it showed a Belkin product advertisement. This feature was removed from the next versions of the router's firmware.
Inserts malicious code into a server that uses SQL and steals the information.
Example: An SQL injection vulnerability that allowed attackers to gain shell access into license manager systems was found in Cisco Prime License Manager.
Day zero exploit
Occurs when an application's vulnerability is announced, and the patch or the update is yet to be applied. Attackers can seek in during this window.
Example: A zero-day exploit crippled Sony's network, releasing sensitive corporate data on file-sharing sites. The exact vulnerability that was exploited in the attack is still unknown.
A type of malicious software (malware) that threatens to publish or blocks access to data or a computer system, usually by encrypting it, until the victim pays a ransom fee. Such attacks have become quite common in the recent past.
Example: RobbinHood ransomware hit the City of Baltimore, halting activities, such as tax collection, property transfers, etc. for weeks. It cost the city more than $18 million, and costs continue to accrue.
A systematic approach to address cybersecurity vulnerabilities
An NPO should have targeted communications and situational awareness about the risks, helping them make informed decisions while keeping the organizational goals in mind. An effective cybersecurity strategy must encompass all the aspects and risks across an organization to better manage risks and enable accountability. Such a strategy helps in the early spotting of risks and provides appropriate clues and mitigation methods to reduce the impact of attacks.
Designing a cybersecurity strategy
NPOs should consider the following aspects while creating their cybersecurity strategy:
Identify the risks
NPOs have adopted the latest technology for an effective and extensive donor reach. They have to collect and store sensitive personal information. Due to the nature of the business, it is essential to have regular risk assessments to ensure operability, sustainability, and smooth functioning without disruptions.
Assess the risks
Cyber risk assessments (as defined by NIST) are risks assessments to identify, estimate, and prioritize risk to organizational operations, assets, individuals, and other organizations, resulting from the operation and use of information systems.
Align enterprise risk management to goals and objectives
While designing a cybersecurity strategy, an NPO must keep the organization's goals and objectives in mind. The three pillars of enterprise cyber risk management: governance, risk appetite, and policy and procedure can help design the framework.
Implement a risk response strategy
An organization can design the risk response strategy using the following seven paradigms:
1. Priorities: In case of limited budget and resources, NPOs should prioritize risks and responses. Risk mitigation requires lots of information and effort.
2. Culture: The top management should induce a cybersecurity and risk management culture.
3. Information sharing: Security is a combined effort. All stakeholders must be aware of the risks, particularly of cross-cutting and shared risks, and be involved in decision making. An NPO should have a proper RACI (Responsibility, Accountability, Communication, Information) matrix.
4. Resilience: NPOs can leverage the CERT Resilience Management Model (CERT-RMM) to manage and improve their operational resilience.
5. Speed: A quick response can minimize the impact when an organization is exposed to risk. Identifying the risks helps, and NPOs must perform incident management drills periodically.
6. Threat environment: NPOs should enhance their intelligence into adversary capabilities to account for risks from third parties and insider threats.
7. Cyber hygiene: NPOs can implement the list of 20 cybersecurity controls released by CSI and baseline set of 11 cyber hygiene practices proposed by SEI.
Monitor the risks
Once the cybersecurity strategy framework is in place, monitor the progress and revisit the policies regularly using matrices, tools, and dashboards.
Communicate and send risk reports
Flawless communication ensures the success of a cybersecurity strategy. Proper channels should be in place to deliver timely, precise, and effective information throughout the organization.
Best practices for mitigating the cybersecurity risks
Irrespective of the size, nature, or location of a non-profit, the following cyber security measures can help:
- Have a cybersecurity team with updated policies: This is an important measure for any organization and is mostly overlooked. Either there is no cybersecurity team, or the policies are not regularly updated.
- Create well-defined policies: Implement policies to govern the handling of the data, systems, networks, and accesses. Only limited access should be provided. Additionally, there should be policies to tackle if there's an actual attack, and it should be documented.
- Focus on the basics (Password Policy, Email, MFA, and SSO): Most common cyberattacks are carried out with a combination of phishing and hacking due to poor password practices. Enforce strong password policies having a combination of alphanumeric and special character combinations, change passwords periodically and avoid previously used passwords.
- Take steps to prevent spamming: Ensure a robust email filtration is used to prevent spam.
- Incorporate MFA: A good practice (after the WFH scenario) is to incorporate MFA (Multi-Factor Authentication) for additional security over passwords. SSO (Single Sign-On) can help organizations securely authenticate access to multiple applications and web apps, reducing the chances of falling prey to phishing.
- Credit card security rules: Ensure the organization is well compliant with the credit card rules. Try not to store the credit card or debit data unless deemed necessary and encrypt the data if it must be retained. Never save the personal credit or debit cards pins.
- Train the resources: As per reports (IBM, Verizon, and Watson), at least 90% of security instances are due to human error. Various strategies could be used to raise user awareness, such as security training, mandatory quizzes regularly, etc. Although this will not be a fool-proof way to prevent the risks, the threats can be mitigated through these measures.
- Keep everything updated: Outdated tools and applications could open the window for a day zero exploit attack. So, always keep the tools, apps, and resources well-updated and patched.
- Data backup and disaster recovery system: We cannot predict when a click can make an organization a victim of a ransomware attack, asking for a whopping amount to release the system and the sensitive data. However, we can minimize the damages if we have a robust and well-tested disaster backup and recovery system.
- Intrusion Detection and Response (IDR): It is an umbrella term that includes an automated package to identify, monitor, and mitigate the threat by monitoring the anomaly in the network traffic and usage statistics.
- Endpoint Detection and Response (EDR): It works like IDR but only for the end devices like laptops and computers. It works well even outside the office premises. If there's suspicious activity, it is prevented at that moment, and it is reported to the IT team.
- Protecting mobile devices: Growing with digitization, using mobile devices for handling emails and responses is quite common nowadays. However, it opens another area to be secured.
- Proper passwords and security policies: Is the need to document appropriate security policies for mobile devices, laptops, and computers.
A robust cybersecurity strategy framework is a must for any NPO today. An experienced partner and vendor plays a key role in shaping an effective strategy. Implementing the latest stable technologies should go hand-in-hand with the best practices for mitigating risks. Most importantly, human resources are at the core of any cyberattack, which is why it is vital to spread awareness and train the staff to minimize any possible cyberattack risks.
Are you ready to graduate towards better cybersecurity? Connect with our experts and be cyber-safe today! We can keep your organization secure with our customized measures.