Non-Profits: A target-rich environment for bad actors
The old adage is that no good deed goes unpunished, and this is most true when it comes to non-profits and their security. Attackers have learned that non-profit organizations are usually easier targets because of their leaner budgets and smaller staff. While you and I might not target a non-profit because of our moral leanings, attackers do not share that morality.

I have worked at a couple of non-profits and have had several non-profits as clients, and I have compiled the following list of steps you can take to improve your cybersecurity posture. The following tips are good for any type of business but are especially important for non-profits.

Limit Oversharing

Have you ever had to sit next to your weird uncle at a wedding? He starts telling you stories about things you never wanted to know. Whether it's the stories about his younger romantic engagements, his over-the-top glory stories of saving lives and inventing products, or his latest medical concern in extreme detail, you just want him to stop.

One of the greatest tools attackers have is open source intelligence (OSINT): information about a target that is already available in the public domain. OSINT can be anything from leaked usernames and passwords to important dates and company details. It can come from database leaks, previous employees and contacts, or even our own social media profiles.

While on the surface this type of information seems innocent enough, in the right hands it can be leveraged to perform devastating attacks. One of my previous clients had shared on social media that their CEO was out of the country and promoted the work they were doing. An attacker took that information and crafted targeted emails and texts to certain employees, pretending to be that CEO. The impostor CEO claimed their laptop had broken and their credit cards were not working since they were out of the country. They then proceeded to instruct multiple employees to buy Best Buy gift cards and send them the codes. Luckily, the employees who had been through security awareness training didn't send any money, but a couple who had not received the training unfortunately did.

I am not saying social media is bad, or that you should not use it. The takeaway is to limit what information we put out into the world. This is much more difficult for non-profits, as you want to share the victories. Find a way to share those victories safely: wait until travelers are back in the States, sanitize posts and webpages for company details, and, most importantly, train employees.
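The gift-card story above is a textbook executive-impersonation phish, and most of its tells can be caught mechanically before a person has to make the call. The following Python script is an added example, not part of the original post or any Soteria Tech tooling; the executive roster, the internal domain and the three sample messages are all constructed. It shows the checks a mail filter or SOC rule would apply: a publicly known executive's name on an external sender address, a Reply-To that leaves the organization, and the urgency and gift-card phrasing the story describes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed data: executives whose names are public (website, social media),
# mapped to the only address each legitimately sends from.
EXECUTIVES = {"jane doe": "jane.doe@example-nonprofit.org"}
INTERNAL_DOMAINS = {"example-nonprofit.org"}

# Phrases lifted from the gift-card pretext; matched case-insensitively.
URGENCY_PATTERNS = [
    r"\bgift cards?\b",
    r"\bout of the country\b",
    r"\bcredit cards? (?:is|are)(?: not|n'?t) working\b",
    r"\blaptop (?:broke|is broken)\b",
    r"\bsend (?:me |us )?the codes?\b",
]


@dataclass
class Message:
    display_name: str
    from_addr: str
    reply_to: Optional[str]
    body: str


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(msg: Message) -> Tuple[str, List[str]]:
    """Return ("deliver" | "warn" | "quarantine", reasons) for one message."""
    reasons: List[str] = []
    name = msg.display_name.strip().lower()
    impersonation = False

    # A known executive's display name must arrive from that executive's address.
    if name in EXECUTIVES:
        if _domain(msg.from_addr) not in INTERNAL_DOMAINS:
            impersonation = True
            reasons.append("executive display name on an external sender address")
        elif msg.from_addr.lower() != EXECUTIVES[name]:
            impersonation = True
            reasons.append("executive display name on an unexpected internal address")

    # Replies being steered outside the organization is a classic BEC sign.
    if msg.reply_to and _domain(msg.reply_to) not in INTERNAL_DOMAINS:
        reasons.append("Reply-To points outside the organization")

    hits = [p for p in URGENCY_PATTERNS if re.search(p, msg.body, re.IGNORECASE)]
    if hits:
        reasons.append(f"{len(hits)} gift-card/urgency phrase(s) matched")

    if impersonation and hits:
        return "quarantine", reasons
    if reasons:
        return "warn", reasons
    return "deliver", reasons


# Constructed sample traffic.
SAMPLES = {
    "phish": Message(
        "Jane Doe", "jane.doe@freemail.example", "jane.doe@freemail.example",
        "I'm out of the country and my laptop broke, and my credit cards aren't "
        "working. Please get Best Buy gift cards and send me the codes today."),
    "legit": Message(
        "Jane Doe", "jane.doe@example-nonprofit.org", None,
        "Great work on the fundraiser everyone, see you Monday."),
    "vendor": Message(
        "Pat Vendor", "pat@vendor.example", None,
        "Our donor gift card program launches next month; details attached."),
}


def run_samples() -> dict:
    """Verdict for each constructed sample, keyed by its label."""
    return {key: triage(m)[0] for key, m in SAMPLES.items()}


if __name__ == "__main__":
    for key, msg in SAMPLES.items():
        verdict, why = triage(msg)
        print(f"{key:7s} -> {verdict:10s} {'; '.join(why)}")
```

The vendor message is only a "warn" because a gift-card phrase on its own is common in legitimate mail; it is the combination of a spoofed executive identity with the urgency pretext that earns a quarantine, which is exactly the combination the trained employees in the story recognized.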

 

Maintain Consistent Security Awareness Training

In a hypothetical situation where a company can choose only a single cybersecurity defense strategy, my recommendation, 100 times out of 100, will always be employee training.

I have never stormed a castle before, but I think if I had to, I would try the Trojan Horse approach. In the Trojan War, the Odyssey tells the tale of Odysseus coming up with an ingenious plan: the Greeks would build a massive wooden horse as a tribute to the Trojans for "winning" the war. Several Greek soldiers would hide inside the horse while the rest pretended to sail away. The Trojans opened their gates, wheeled the horse into the center of the city, and proceeded to celebrate. As they slept off the celebration, the Greeks snuck out of the horse and opened the gates for the rest of the army.

In the tale, Odysseus recognizes that the city walls are impenetrable. So instead of wasting countless men on failed assaults, he decides to use his enemy's human nature against them. In the same vein, we could have the most advanced next-generation firewalls, EDRs, network scanners and a team of offensive hackers looking for vulnerabilities, but it would all be for nothing if Suzy in accounting falls for a phishing email.

Security awareness training has consistently been shown to lower cybersecurity incidents when it is implemented and maintained. While non-profits have limited budgets, security awareness training is typically cheap compared to comprehensive technical solutions.

Implement the basics of secure logins

There is some low-hanging fruit that every company can pick that will drastically improve its security posture.

1) Do not reuse passwords. Not only for yourself, but also within the office. I cannot tell you how many companies I have consulted for that have an "Adobe password", or one for any other service.

2) Set up MFA on EVERYTHING. MFA, or multi-factor authentication, is critical for secure logins. MFA apps like Google Authenticator are best, but even just having email or text codes is a massive improvement.

3) Regularly change passwords and audit access. If you have employee turnover, you should change every password that employee had access to. In general, you should set your passwords to expire every 90 days or less.

 

Conclusion

Non-profits play a vital role in our communities, often operating on tight budgets and with limited resources. Unfortunately, this makes them attractive targets for cyber attackers. By implementing a few key practices, such as limiting oversharing, maintaining consistent security awareness training and ensuring secure login procedures, non-profits can significantly improve their cybersecurity posture.

Remember, the human element is often the weakest link in cybersecurity. Investing in your team's awareness and training can be one of the most cost-effective measures to prevent cyber incidents. While technical defenses are essential, they must be complemented by a vigilant and well-informed staff.

By taking these proactive steps, non-profits can better protect their sensitive data and continue their good work with greater peace of mind. No good deed should be punished by a cyber attack.

Reach out to us to see how we can help!


Stay safe,

-Soteria Tech
