11 Cybersecurity Tips For Nonprofits


Access to your nonprofit organization’s data is one of the best tools you can provide your employees with to further your mission, provided that you’re not giving away your valuable data to unauthorized users. To further this effort, an IT environment that’s monitored and managed by IT professionals promotes the security you need. A knowledgeable IT provider will prevent cybersecurity vulnerabilities and keep your technology up and running. They will ensure that your members’ and donors’ confidential information remains private.

But there are also things that you can do to help. We’ve provided eleven tips for you to follow that will promote cybersecurity for your nonprofit organization.

  1. Appoint A Cybersecurity Chief. Tap a trusted member of your staff to liaise with your IT service company to ensure that your employees and volunteers strictly adhere to your cybersecurity plan. Along with your IT professionals, this person will be your point of contact to ensure your nonprofit adheres to IT security compliance regulations and standards so you can stay in good standing with governments and donors.
  2. Develop An IT Security Plan & Policy. Consult with your IT provider and put a plan in place to ensure that your data is protected both in storage and in transit. Hackers are looking to capitalize on your members’ confidential data, and you can’t afford a data breach. If this information is exposed, you may end up in expensive litigation, not to mention a ruined reputation; if this happens, no one will want to fund your projects.

There is a range of flexible and affordable options for this that your IT professionals can implement for you. You needn’t be worried as long as they implement enterprise-grade cybersecurity solutions and a layered defense that can automatically block and eliminate the latest threats. The idea of layering security is simple: you shouldn’t rely on one security mechanism such as an antivirus to protect your confidential information. If that security mechanism fails, you have nothing left to protect you.

You should also develop a Security Policy. This Policy should begin with a simple statement describing the information you collect about your members and donors and what you do with it. It should identify and address the use of any Personally Identifiable Information (PII) and how to keep it private.

  3. Plan For Data Loss Or Theft. It’s essential that you determine exactly what data or security breach regulations affect your nonprofit. You need to know how to respond to data loss. All employees and contractors should be educated on how to report any loss or theft of data, and who to report to. Data loss can expose you to costly state and federal regulations and litigation. You must be able to launch a rapid and coordinated response to a data breach to protect the reputation of your nonprofit organization.

Your plan should include input from all departments that could be affected by a cybersecurity incident. This is a critical component of emergency preparedness and resilience. It should also include instructions for reacting to destructive malware. Additionally, departments should be prepared to isolate their networks to protect them if necessary.

  4. Implement A Disaster Recovery & Business Continuity Plan. You must have a backup copy of your data if it’s stolen or accidentally deleted. Develop a policy that specifies what data is backed up, how often it’s backed up, where it’s stored, and who has access to the backups. Back up to both an external drive in your office and a remote, secure, online data center. Set backups to occur automatically, and make sure your backup systems are encrypted.

Knowing that you can restore your saved data from a recent point in time and access it from a remote source if you must leave your work premises is crucial in the event of any incident that threatens your physical office location. The key is to backup frequently and ensure redundancy. More than one backup in different locations is required, and you won’t only need this if a storm were to hit. Because ransomware can lock up or crash your IT system, you’ll need a restorable backup to keep working if this occurs.

  5. Arrange For Security Awareness Training. Your staff can have a significant effect on your cybersecurity – either they know enough to keep your assets secure, or they don’t, and thus present a serious threat to your security. So, which is it? Do your employees and volunteers have the knowledge they need to spot cybercrime scams, avoid common pitfalls, and keep your nonprofit’s data secure?

Security awareness training helps your employees and volunteers know how to recognize and avoid being victimized by phishing emails and scam websites. They learn how to handle security incidents when they occur. If your employees and volunteers are informed about what to watch for, how to block attempts and where they can turn for help, this alone is worth the investment.

The human factor is still the biggest risk factor in most equations. Your staff can be your greatest asset or your weakest link. It depends on whether you take data security seriously enough to make sure that they are trained several times a year. People need to be reminded often about cyber threats. Plus, there are always new threats coming along, so it’s essential to stay up to date. Ongoing training and testing reduce the incidence of human error that increases cybersecurity risks.

  6. Make Password Privacy A Priority. Passwords remain a go-to tool for protecting your nonprofit’s data, applications, and workstations. They also remain a common cybersecurity weakness because of the careless way employees go about trying to remember their login information. Weak passwords are easy to compromise, and if that’s all that stands between your data in the Cloud and in applications, your nonprofit organization could be at serious risk for a catastrophic breach.

There’s a better way than scribbling passwords on sticky notes. But what is that better way exactly? You must protect your data with hard-to-guess passwords and encryption that scrambles data unless the user has access to a decryption key. Encryption is an effective way to protect your data and emails from intruders. It uses an algorithm to encode information. Cloud storage encryption ensures that documents are safely stored so that only authorized users can decrypt files. Even if your data is intercepted by cyber thieves, they won’t be able to read it. By practicing secure encryption key management, your IT service company can ensure that only authorized users will have access to your sensitive data.

Another good choice is a password management solution designed to help you step up your security without making things harder for your employees and volunteers. A password manager generates, keeps track of, and retrieves complex and long passwords for you to protect your vital online information. It also remembers your PINS, credit card numbers, and three-digit CVV codes if you choose this option. Plus, it provides answers to security questions for you. All of this is done with strong encryption that makes it difficult for hackers to decipher.

Your team should also be using Multi-Factor Authentication (MFA). It protects against phishing, social engineering, and password brute-force attacks. It secures your logins from attackers who work to exploit weak credentials. And you must be able to deliver MFA prompts to your employees and volunteers wherever they are. These tools can also generate time-based one-time passcodes (TOTP). Your users simply enter the code from the prompt they receive to complete their multi-factor authentication.

  7. Keep Software & Operating Systems Up To Date. Software developers are diligent about releasing patches for new security threats. Make sure you install them as soon as they’re released. If you don’t, your IT system will be vulnerable to cyber attacks. If possible, set your systems to update automatically. Auto-updates will prevent you from missing critical updates. This is one of the most effective things you can do. It prevents security gaps and will limit system vulnerabilities that hackers find and exploit. Outdated software and operating systems that don’t receive security patches or support leave you exposed.

Replace all outdated software before the developers end support. For example, Microsoft announced they are stopping mainstream support for Windows 7. This is a popular operating system, so this creates concern for many. All support for Windows 7 will end on January 14, 2020.

This means that you won’t get bug fixes or security updates from Microsoft. Over time, the declining security and reliability of Windows 7 will make your computers vulnerable:

  • Your computers could be infected by malware;
  • Your antivirus won’t be updated;
  • Your online banking transaction protection may expire; and
  • Your financial data could be exposed to theft.


  8. Conduct Regular IT Inventory Assessments. Determine how your data is handled and protected. Also, define who has access to your data and under what circumstances. Create a list of the employees, volunteers, donors, or contractors who have access to specific data, under what circumstances, and how those access privileges will be managed and tracked. You must know precisely what data you have, where it’s kept, and who has rights to access it.
  9. Protect Data Collected On The Internet. If you collect information on your website, this must be protected. If a third party collects this data for you, they should fully protect it for you. You must ensure that any data you collect is secure.
  10. Enforce Access Policies on Mobile Devices. With BYOD (Bring Your Own Device) use, mobile devices like smartphones, tablets, and laptops present significant security challenges. They can be exposed to external threats, infections, and hackers, and when they’re connected to your network, they can compromise your IT security. Establish security policies for the use of mobile devices on your network. They should be password-protected so only authorized users can use them. Instruct your employees to only use devices that belong to them and have been protected by your security policies. Ask your IT provider about Mobile Device Management that will wipe data from a device if it’s lost or stolen.
  11. Ask Your IT Service Provider To Do The Following:

Implement Layers of Security: You shouldn’t rely on just one security mechanism to protect sensitive data. If it fails, you have nothing left to protect you.

Segment Your Networks With Firewalls: Network segmentation categorizes IT assets and data and restricts access to them. Reduce the number of pathways into and within your networks and implement security protocols on these pathways. Do this to keep hackers from gaining access to all areas of your network.

Use Measures To Detect Compromises: Use measures like Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs), and anti-virus software to help you detect IT security events in their early stages. This provides 24/7 detection and response to security threats.

Secure Remote Access With A VPN: A Virtual Private Network (VPN) encrypts data channels so your users can securely access your IT infrastructure via the Internet. It provides secure remote access for things like files, databases, printers, and IT assets that are connected to your network.

Employ Role-Based Access Controls With Secure Logins: Limiting your employees’ authorization with role-based access controls prevents network intrusions and suspicious activities. Define user permissions based on the access needed for their particular job. For example, your receptionist might not need access to your financial data.

Install All Of Your Security Patches and Updates: Software developers are diligent about releasing patches for new security threats. Ask your IT provider to install them as soon as they’re released. If you don’t, your IT system will be vulnerable to cyber attacks. They can set your systems to update automatically. Auto-updates will prevent you from missing critical updates.

Secure and Encrypt Your Wireless Connections: Be sure your company Wi-Fi is separate from guest Wi-Fi or public networks. Your internal wireless network should be restricted to specific users who are provided with unique credentials for access. These credentials should be preset with expiration dates, with new ones provided periodically. Your company’s internal wireless should also be protected with WPA2 encryption.

Back Up Your Data For You: As we mentioned, you must have a backup copy of your data if it’s stolen or accidentally deleted. Develop a policy that specifies what data is backed up, how often it’s backed up, where it’s stored, and who has access to the backups. Back up to both an external drive in your office and a remote, secure, online data center. Set backups to occur automatically, and make sure your backup systems are encrypted.

You help others, so let us help you by protecting your nonprofit from IT security threats and instances. For more information, contact the Cybersecurity Experts at mProactive. We specialize in serving nonprofits. 


Create your own fonts in Windows 10


You may have been using Windows 10 for some time now, but it’s likely that you haven’t mastered all of its features just yet.

Did you know that you can create your own fonts?

In the Windows store, you can get the “Make Your Own Font” app, a great way to add a personal touch to anything you may need to write. For example, you could even send an email in your own handwriting!

All you need to do is fill out the alphabet letter by letter (lower and upper case) as well as numbers and symbols. Then you name it, save it, and upload it via Control Panel > Fonts.

The next time you’re drafting something and find that Times New Roman is too formal, you’ll be able to switch to your personalized font instead.

Auto-Lock Your Computer In Windows 10


Do you know how to get your computer to automatically lock while you’re away from it?

It’s a feature included with Windows Hello. While you may already be using Windows Hello to unlock your computer with face recognition, you may not know about Dynamic Lock.

Here’s how it works – you configure Dynamic Lock to recognize a Bluetooth enabled device you keep on your person, such as your phone. After starting up, if that device goes out of range for longer than 30 seconds, your computer will automatically lock itself.

This feature allows you to get up and leave your computer unattended for short periods without having to worry about someone else snooping around your data.

Get More Out Of The Clipboard In Windows 10


Copy/Paste was a revolutionary feature when it came out years ago. However, operating systems have been slow to adopt the next logical step in its evolution – the clipboard.

Did you know that you can save 10 or more items to your clipboard on a long-term basis?

It’s simple – hit the Windows key + V to bring up your clipboard history. It’ll show you the many things you’ve Copy/Pasted, any of which you can choose to delete (for security purposes, if it were, say, a password) or pin for later use.

That way, you don’t have to always go back and Copy/Paste that same info from the same note or .doc file – you can have it ready for use on your clipboard for as long as you need it.

Protect Yourself From Ransomware In Windows 10


You’ve heard about ransomware, right?

It’s a type of malware that encrypts your data so you can’t access it and holds it for ransom. Usually, this malware makes its way into your systems by posing as a file or program you think you want. Even if you don’t end up having to pay the ransom, it’s a lot of trouble that you should try to avoid.

Did you know that you can enable Controlled Folder Access in Windows 10 to protect against ransomware?

Enabling Controlled Folder Access protects the default Windows data storage locations in your profile from modification by unknown applications. Programs are checked against a list of identified and allowed applications; if an unknown program is judged unsafe and tries to write to those folders, it is blocked and you’ll get a pop-up letting you know it was denied access to your storage.
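As an added example that is not part of the original post: turning Controlled Folder Access on from an elevated PowerShell prompt, starting in audit mode so that legitimate programs seen in the Defender log can be allowed before blocking is enforced. The folder and application paths are placeholders, not values from this page.

```powershell
# Added example (not from the original post). Assumes Windows 10 with
# Microsoft Defender Antivirus active and an elevated PowerShell session.
# The data folder and application path below are constructed placeholders.

# 1. Start in audit mode: nothing is blocked yet, but every write that
#    would have been blocked is logged, so you can find legitimate apps
#    that need an exception before you enforce.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect an extra folder beyond the default profile locations
#    (Documents, Pictures, Desktop, ...). Placeholder path.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\DonorRecords'

# 3. Review what would have been blocked. Defender records audit hits as
#    event ID 1124 and real blocks as event ID 1123 in its Operational log.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue

$events |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 4. Allow a known-good program that showed up in the audit events
#    (placeholder path for an internal backup tool).
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleBackup\backup.exe'

# 5. Switch to enforcement once the exceptions are in place.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Confirm the final state. EnableControlledFolderAccess reports
#    0 = Disabled, 1 = Enabled, 2 = AuditMode.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications
```

Run the audit step for a week or two of normal use before step 5, since any internal tool that writes to the protected folders and is not on the allowed list will be blocked once enforcement is on.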

Get Your Beauty Sleep With Nightlight In Windows 10


If you, like so many others, use your computer late at night, before (or even in) bed, then you may have found that it throws off your sleep cycle. Despite being tired when you got into bed, after staring at the backlit screen for a few hours, you’re not as tired anymore.

This has to do with melatonin – a chemical produced by your body when your eyes see that it’s dark and determine it’s time for sleep. Looking at a bright screen throws off this natural process, and the lack of melatonin makes it harder to get to sleep.

Did you know you can reduce this effect with Nightlight?

Nightlight is a feature that lowers the brightness of the screen and changes the colour spectrum in order to limit the interruption to melatonin production. To turn it on, find it under Settings, and set a schedule for it to follow based on your preferences for late night computing.

How do I protect myself from Ransomware?

Preventing Ransomware


There’s a real possibility that your computer can get infected with ransomware. Ransomware is the most frequently used form of malware today. You’ve probably heard about it in the news. But, do you know how to protect yourself from ransomware? We’ll tell you here. 

How Do I Protect Myself From Ransomware? 

You must take ransomware seriously, educate yourself about all the ways your computers could get infected, and learn the steps you should take to prevent it from landing on your computers in the first place. You can do this with security tools provided by your IT company and by practicing safe internet browsing and email use.

What Happens If I Get Ransomware?

Ransomware denies you access to your computer system or data until you pay a ransom. You can get ransomware from phishing emails or by going to an infected website. When you get ransomware, malicious software will lock down your computer’s files unless you agree to pay around $300 in bitcoin.

If your network and computers get infected with ransomware, recovery can be difficult. It typically requires the services of a data recovery specialist to remove the ransomware virus. Ransomware attacks can be devastating to both individuals and companies. 

How Can Ransomware Get Into My Computer?

If you visit an infected website, you could unknowingly download a ransomware virus to your computer. Or a phishing email might trick you into clicking on a malicious link or attachment that downloads a ransomware virus onto your computer.

Phishing emails are designed to appear as though they’ve been sent from a person you know. They will try to entice you into clicking on a link or opening an attachment containing malicious code. After the code is run, your computer is infected with malware.

Are There Different Kinds Of Ransomware? 

There’s more than one kind of ransomware. Viruses like CryptoLocker, CryptoWall, Locky, WannaCry, Petya, NotPetya, Crypto, Bad Rabbit, Eternal Blue, and more are designed to deny access to your data or network until you pay a ransom.

The WannaCry and Petya ransomware viruses spread via a vulnerability in Microsoft’s Server Message Block (SMB) network file-sharing protocol that’s widely used. It helps your computers connect to other computers and devices like printers.

Ransomware falls into three categories: Encrypting Ransomware, Scareware, and Screen Lockers.

  1. Encrypting Ransomware

This is a virus that locks down your files by encrypting them. There’s no software available that can unlock your files when this happens. The criminals who send the encrypting ransomware will demand a ransom to decrypt your files. Even if you pay the ransom, you still might not get your files back.

  2. Scareware

Scareware uses rogue security software and tech support scams to entice you. When this happens, you’ll get a pop-up message on your computer claiming that it’s infected with malware. You should ignore this because your files are just fine; however, if you do ignore it, the pop-up message will keep appearing.

  3. Screen Lockers

If you get this type of ransomware, you’ll be locked out of your computer. You’ll see a message posing as the FBI or Department of Justice saying that you must pay a fine because illegal activity was detected on your computer. Don’t pay this “fine.” The FBI or DOJ would never freeze your computer or demand payment. So, don’t take the bait.

Can Ransomware Infect My Mobile Devices? 

It wasn’t until 2014 and the height of the infamous CryptoLocker that ransomware started showing up on mobile devices. Mobile ransomware typically displays a message saying your device has been locked because of illegal activity, and you must pay a fee to unlock your device.

You can get mobile ransomware when you download malicious applications. To remove it you should start your mobile device in safe mode. Then you must find the malicious app and delete it.

How Can I Protect Myself From Ransomware?   

The best way to protect your computers from ransomware is to prevent it from landing on them in the first place. Here are some ways that you can protect yourself from getting ransomware:

  • Update your software and operating systems with the latest patches. Outdated applications and systems are the targets of most attacks.
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic. Configure your firewall to block access to known malicious IP addresses.
  • Be suspicious of unsolicited email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Don’t provide personal information or information about your organization unless you are confident of a person’s authority to have the information.
  • Never click on links or open attachments in unsolicited emails. Exercise caution when opening email attachments. Be particularly wary of compressed or ZIP file attachments.
  • Follow safe practices when browsing the Internet. Be careful when clicking directly on links in emails, even if the sender appears to be known; attempt to verify web addresses independently (e.g., contact your organization’s helpdesk or search the Internet for the main website of the organization or topic mentioned in the email).
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). Look for https in the URL which indicates the site is secure.
  • Perform frequent backups of system and important files and verify those backups regularly. If ransomware affects your computer, you can restore your system to its previous state with any files unaffected by ransomware. And store backups on a separate device that can’t be accessed from a network or offline in a secure cloud solution.
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Don’t use the contact information provided on a website or email connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from anti-phishing groups.
  • If other people or employees use your network, restrict their permissions to install and run software applications. Apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
  • Use application whitelisting to allow only approved programs to run on your network.
  • Enable strong spam filters to prevent phishing emails from reaching you and authenticate inbound emails to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching your computer.

How Can A Firewall Block Ransomware? 

Today’s modern firewalls are built to defend against ransomware. The right firewall and Intrusion Prevention System (IPS) helps to prevent viruses from getting into your computers.

Your IT company should implement a next-generation firewall with an Intrusion Prevention Systems (IPS). These can keep ransomware threats from getting into your network, and stop them from self-propagating and infecting other computers and systems.

An IPS collects the malicious traffic coming into your network and only lets the clean traffic through. It also performs what’s called deep packet inspection of your network traffic to detect exploits and stop them before they reach any of your computers. The IPS monitors for and identifies suspicious activity, logs the data, attempts to block it, and reports it to your IT services company.

The right IPS uses a tactic called sandboxing. It puts suspicious programs in a separate, isolated place, so they can’t spread throughout your network. Ransomware like WannaCry and Petya spread like worms; they can lurk in files like Microsoft Office documents, a PDF, or updates for applications. Hackers can make these files appear valid and hide the malware. This is why sandboxing is essential for any IPS.

Ask your IT Services Company to:

  • Use a modern, high-performing next-generation firewall, IPS, and sandboxing solutions.
  • Perform network assessments to detect all security gaps in your network.
  • Set up a Virtual Private Network (VPN) to detect any IT assets that are vulnerable.
  • Establish IPS policies to prevent malware from spreading to other LANs.
  • Ensure that any infected network is automatically isolated until they can eradicate the infection.
  • Segment LANs, using VLANs (Virtual Local Area Networks) and connect them all to your next-generation firewall.

Using VLANs allows your computers to communicate through a virtual environment that protects them from any ransomware or other viruses that may be circulating in your network. Extending VLANs or zones into your firewall takes security to the next level.
