My name’s Roger, and I run a cybersecurity firm: CyberSecure. We’ve helped leading startups and cryptocurrency companies secure themselves against critical vulnerabilities.
In an era of working from home, we’ve noticed a spike in digital attacks against all sorts of organizations — and a gap where not-for-profits we’ve interviewed want to improve their digital hygiene and practices but don’t know where to start, or wonder whether it will be too expensive. Here are a few practical
Blackbaud, a leading provider of financial services to not-for-profits, was recently hacked and paid a ransom in bitcoin to regain access to its systems. Even small not-for-profits are having their websites shut down or are being locked out of their systems by attackers. This can have a large effect on your operations, as digital fundraising and communications have become essential parts of running a not-for-profit.
Here are some leading tips to make sure you’re putting your best foot forward when it comes to cybersecurity practices for your not-for-profit:
- Ensure you have an SSL certificate for your domain and that your site can securely raise funds
If your site is not served over SSL/TLS, it will be difficult to rank well in Google search results, and certain payment providers will not work with you. Given the growing importance of digital fundraising, this is something you can’t afford to miss out on. Let’s Encrypt offers free SSL certificates, so your site can be secure and not accidentally transmit information in the clear to certain types of attackers — and so you’ll have the best chance possible of ranking in the relevant Google index.
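As an added example (not part of the original post), here is a small Python check of the kind a site administrator can run against their own domain: it confirms that the certificate actually covers the hostname and flags one that is about to lapse, which matters because Let’s Encrypt certificates are only valid for 90 days. The sample certificate is constructed; `check_site()` needs network access to fetch a real one.

```python
"""Check that a site's TLS certificate covers its hostname and is not close to expiry."""
import socket
import ssl
import time

EXPIRY_WARN_DAYS = 14  # Let's Encrypt certificates last 90 days, so a missed renewal shows up quickly

# Constructed sample in the dict format ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example-charity.org"), ("DNS", "*.example-charity.org")),
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}

def hostname_matches(hostname, cert):
    """True if hostname is covered by a DNS subjectAltName entry (one-label wildcards allowed)."""
    host = hostname.lower().rstrip(".")
    for pattern in (v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"):
        if pattern.startswith("*."):
            # "*.example.org" covers "donate.example.org" but neither "example.org" nor "a.b.example.org"
            if host.endswith(pattern[1:]) and host.count(".") == pattern.count("."):
                return True
        elif pattern == host:
            return True
    return False

def days_until_expiry(cert, now=None):
    """Whole days left before notAfter; negative once the certificate has expired."""
    now = int(time.time()) if now is None else now  # Unix seconds (UTC)
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400

def check_cert(hostname, cert, now=None):
    """Return a list of problems; an empty list means the certificate passes both checks."""
    problems = []
    if not hostname_matches(hostname, cert):
        problems.append(f"certificate is not issued for {hostname}")
    left = days_until_expiry(cert, now)
    if left < 0:
        problems.append("certificate has expired")
    elif left < EXPIRY_WARN_DAYS:
        problems.append(f"certificate expires in {left} days; renew now")
    return problems

def check_site(hostname, port=443):
    """Fetch the live certificate over the network (the default context also verifies the chain) and check it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_cert(hostname, tls.getpeercert())
```

Running `check_site("yourdomain.org")` from a scheduled job and alerting on a non-empty result is a cheap way to catch an expired or misissued certificate before donors do.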
- Make sure that your staff is aware of basic anti-phishing practices
With phishing attacks on the rise, make sure your staff have completed basic anti-phishing training and know the guidelines. This includes knowing exactly whom to forward suspicious emails to for investigation, and how to verify links when they arrive. More and more attacks will try to compromise internal credentials, so ensure that your staff have the awareness needed to protect themselves against phishing.
- Choose the best provider for encrypted storage
Many services, including ours, offer encrypted storage to not-for-profits at much lower rates or even free (in our case). In fact, if you email me at [email protected] from a proven not-for-profit domain, I can get you set up on our encrypted cloud for the reduced price of $15/month.
Make sure that files containing donor information and other sensitive documentation are not accessed by unauthorized people. This is an important part of complying with many local data-protection laws — storing your data with an appropriate level of encryption while still giving people access to documents when they are authorized.
- Consider endpoint/device protection
Many not-for-profits operate on employees’ personal devices instead of a standardized stack. In most cases this makes sense, especially given the need to keep funding efficient. However, it is a cybersecurity hazard of sorts, with many different devices connecting to many different networks. Consider implementing basic anti-malware and anti-virus protection, and ask everybody on staff to maintain basic cyber hygiene on their home networks (using WPA2 or better for their WiFi, changing the default router password, and so on).
- Incorporate security into workflows by default
One of the most difficult parts of securing a not-for-profit is ensuring that your employees can still get their work done, especially in a remote context. We interviewed several organizations that hosted all of their data on an encrypted on-premise server — however, it was very difficult for them to access that information, since they ended up having to sign on through VPNs. Not-for-profits might have cybersecurity policies that sound good but aren’t practiced, because employees don’t find them practical — connections are too slow, especially in a remote setting, and certain tools are easier to use even if they’re not as secure.
It’s best to build security into employees’ workflows by default, implementing practices like end-to-end encryption and two-factor authentication in the background. CyberSecure has a lot of experience building painless, secure workflows that outperform conventional tools, so reach out to me at [email protected] if you have any questions.