November 28, 2016

Seven Deadly Weaknesses of Nonprofit Security

(And How To Address Them)

While good leadership can help employees understand the need for security measures and encourage compliance, bad leadership can foster employee discontent, conflict with the IT department, and the failure of even the best of plans. Executives must have a good understanding of what computer security risks are out there for nonprofits so they can guide the organization in evaluating how much risk the organization can afford. The IT department can educate and give advice, but decisions and support must come from the highest level.

Here are the seven most common security weaknesses that nonprofits have:

  1. Lack of organizational understanding or commitment to security
  2. Ineffective or unenforced policy
  3. No regular user education on risk
  4. Weak passwords
  5. No anti-malware software
  6. No email filtering
  7. No website filtering

Beyond the tips below, organizations should probably seek outside professional security incident management services, which can provide a level of monitoring and responsiveness to threats that most organizations couldn’t afford on their own. Such services usually provide monitoring of logs and other indicators of network activity, using a combination of automated and human evaluations, providing almost real-time responses to threats.

How To Make Your Nonprofit More Secure

The SANS website has a number of sample policies for almost everything related to computer security. These can be modified to meet your organization’s needs. The biggest trick with policies is getting people to follow them.

Providing procedures such as a quick checklist or flowchart of how to evaluate suspicious emails or web sites can help users make better decisions. For IT, such procedures would be more complex and in-depth, but for end users, a quick “if you see something like this, do this” will be helpful.

Finally, users need constant training and re-training on the importance of organizational security. Such training doesn’t have to be a massive all-day affair; frequent reminders are probably more effective. Train new employees thoroughly and all employees on new threats as they arise. After that, a quick mention at meetings, posters, or other reminders should suffice. If you do have periodic trainings for employees, make sure you cover why it’s important as well as what they should do differently.

There’s No Excuse for “Password1”

Passwords are the first and—in many organizations, the only—method of protecting computers, so let’s talk about the reality of passwords in a day of massive computing power at the hands of almost anyone who wants it.

By most current standards, a good password is at least 12 characters long and mixes upper- and lower-case letters, numbers, and symbols. If such a password were truly random, it would take over 100,000 years to crack by brute force.

The problem is that even moderately complex passwords are hard to remember, and unless you use a password generator they are never really random.

Most organizations require an 8-character password with letters, numbers and symbols. A random 8-character password can be cracked by brute force in about a year. This may seem like more than enough since you probably (hopefully) change passwords more often than that, but remember, people don’t create random passwords. They usually use a familiar word (such as the names of loved ones) with some numbers (like important dates) and symbols added on or mixed in, or they post their “random” password on a sticky note on their monitor or worse, in a plain text file on their computer.
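To make the arithmetic behind these figures concrete, here is an added Python example (not from the article) that computes the search space and entropy of a random password over the 94 printable ASCII characters, estimates how long exhausting it takes at an assumed guess rate, and sets that against the "familiar word plus a few digits and a symbol" habit described above. The guess rates, the dictionary size, and the digit and symbol counts are assumptions chosen for illustration; the article's own year figures correspond to one particular rate.

```python
import math

# Character-class sizes for printable ASCII (an assumption of this example;
# real systems may allow a different symbol set).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
FULL_ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 94 characters

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet_size=FULL_ALPHABET):
    """Number of distinct passwords of `length` drawn from the alphabet."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size=FULL_ALPHABET):
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, guesses_per_second, alphabet_size=FULL_ALPHABET):
    """Years needed to try every password of this length at the given rate.
    A specific password falls, on average, at the halfway point, so the
    expected time to find one is half this figure."""
    return keyspace(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


def pattern_keyspace(dictionary_size, digit_count, symbol_count):
    """Search space of the 'familiar word + some digits + a symbol or two'
    habit: an attacker tries dictionary words rather than all character
    strings, so only the appended digits and symbols add real work."""
    return dictionary_size * DIGITS ** digit_count * SYMBOLS ** symbol_count


def compare(length, guesses_per_second, dictionary_size=100_000,
            digit_count=4, symbol_count=1):
    """Summarise a random password of `length` against a patterned password
    of comparable length. Returns a dict so the numbers can be checked."""
    random_space = keyspace(length)
    patterned_space = pattern_keyspace(dictionary_size, digit_count, symbol_count)
    return {
        "length": length,
        "random_bits": entropy_bits(length),
        "random_years": years_to_exhaust(length, guesses_per_second),
        "patterned_bits": math.log2(patterned_space),
        "patterned_seconds": patterned_space / guesses_per_second,
        "shrink_factor": random_space / patterned_space,
    }


if __name__ == "__main__":
    # Guess rates are assumptions: an offline attack on a fast, unsalted hash
    # can run in the billions per second, while an online login page that
    # rate-limits attempts is many orders of magnitude slower.
    for rate in (1e3, 1e9):
        for length in (8, 12):
            r = compare(length, rate)
            print(f"{length} chars at {rate:.0e} guesses/s: random "
                  f"{r['random_bits']:.1f} bits, {r['random_years']:.3g} years; "
                  f"patterned {r['patterned_bits']:.1f} bits, "
                  f"{r['patterned_seconds']:.3g} s")
```

The point the numbers make is that the policy's length and character-class rules only buy the advertised protection when the password is actually random: the patterned password is weaker by a factor of roughly 10^5 at 8 characters, which is why a generator (or a password manager) matters more than the rule itself.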

Passwords sometimes aren’t enough. Some organizations have implemented multi-factor authentication. Using two factors (for example, a password as well as a fob scan) gives an order of magnitude improvement in security. What is practical (and least expensive in most cases) for organizations is to use the cell phone as the second factor by setting up systems to ask for a code that is texted to the phone. Google and Office 365 both have good multi-factor authentication options.

The biggest problem with implementing solutions like these is never the complexity or cost: it’s your users. Many users will see this additional requirement as a burden, and some will even seek ways of circumventing it, like saving your confidential files to their personal cloud storage account, which violates the principles of confidentiality and integrity as well as authentication. Once again, the key to solving this problem is leadership, policy, procedure, and training.

Protecting Your Users from Themselves

A couple of basics that all organizations should have are: anti-malware software (commonly called antivirus), email filtering (spam filtering), and website filtering (content filtering). These three solutions are a good way to help protect users from themselves, if they are used effectively and kept up to date.

Security is everyone’s business. Let’s say a user gets a phishing email that got past your filters, but because they got training, they realized what it was and notified the IT department. IT staff could then update the anti-malware software for the new threat and update the email filtering rules to block the sender. They can also update the website filtering rules to block the bad URL where the virus is disseminated. These changes would help less careful users who might click on the link in the email, since their access would then be blocked.

Have a Good Backup Plan

A good backup isn’t a single copy somewhere else on the network—you may not know exactly when the attack happened and your backup might be a backup of encrypted or infected information. Best security practices dictate that you have multiple backups, covering several weeks or even months, held in an isolated location. If your files are compromised or held ransom, you can clean up your systems and restore from the last good backup.
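An added Python example (not from the article) showing the two decisions this paragraph implies: which retained copies to keep so that the backups span weeks and months rather than a single most-recent copy, and which copy to restore once you have estimated when the compromise happened. The retention counts and the constructed daily snapshot dates are assumptions; the isolation of the copies is a matter of where they are stored and is outside what code can show.

```python
from datetime import date, timedelta


def select_restore_point(snapshot_dates, compromise_date):
    """Most recent snapshot taken strictly before the estimated compromise
    date, or None if nothing that old was retained. Copies taken on or after
    that date may already hold encrypted or infected files."""
    older = [d for d in snapshot_dates if d < compromise_date]
    return max(older) if older else None


def retention_plan(snapshot_dates, today, daily=7, weekly=4, monthly=6):
    """Grandfather-father-son retention (counts are this example's
    assumptions). Keeps the last `daily` snapshots, the last snapshot of each
    of the most recent `weekly` ISO weeks, and the last snapshot of each of
    the most recent `monthly` calendar months. Returns the sorted dates to
    keep; anything else may be pruned."""
    snaps = sorted(d for d in snapshot_dates if d <= today)
    keep = set(snaps[-daily:])
    last_in_week, last_in_month = {}, {}
    for d in snaps:  # ascending, so each later snapshot overwrites the earlier
        last_in_week[d.isocalendar()[:2]] = d
        last_in_month[(d.year, d.month)] = d
    keep.update(sorted(last_in_week.values())[-weekly:])
    keep.update(sorted(last_in_month.values())[-monthly:])
    return sorted(keep)


def sample_snapshots(start, end):
    """Constructed input: one snapshot per day from start to end inclusive."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


def demo():
    """Runs the constructed scenario and returns the results as strings."""
    today = date(2016, 11, 28)
    kept = retention_plan(sample_snapshots(date(2016, 8, 1), today), today)

    def iso(d):
        return d.isoformat() if d else None

    return {
        "kept": [iso(d) for d in kept],
        # Ransomware noticed three days ago: a daily copy is still available.
        "restore_recent": iso(select_restore_point(kept, date(2016, 11, 25))),
        # Compromise found to date back six weeks: only a monthly copy predates it.
        "restore_old": iso(select_restore_point(kept, date(2016, 10, 15))),
        # Compromise older than any retained copy: nothing safe to restore.
        "restore_none": iso(select_restore_point(kept, date(2016, 8, 1))),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second and third cases are the reason the paragraph asks for weeks or months of history: the later an intrusion is discovered, the coarser and older the last clean copy will be, and if retention is shorter than the dwell time there is no clean copy at all.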

Is Your Organization Compliant?

If your organization is required to follow one of the many government or industry regulations and rules, such as HIPAA, FERPA, PCI and the rest of the alphabet soup, you should definitely have professional help in implementing and certifying compliance. Unless you are willing to spend the money to do it right yourself, it is a good idea to use vendors. Make sure your vendors are able to provide proof of such compliance and give you the documentation you need to maintain it.

Working with a Limited Budget

If you are working with a very limited budget and think you can’t even begin to do the basics, here are some tips to get started:

  • Make sure your organization’s leadership is committed to doing things in a more secure way.
  • Check to see if what you already have can do more. For example, if you already have a firewall, you also might have some web filtering capacity or other advanced features you haven’t used yet. Both Office 365 and Google have the ability to implement multi-factor authentication free for nonprofits. Both have some level of email filtering, although probably not as robust as I’d like without additional licensing or expense, but it is a start. Learn how to use what is available and start making better and more complete use of the basic features included with what you already use.
  • For backup, your nonprofit may qualify for free or discounted use of Microsoft Azure services. Not only can you create virtual servers, there are some good backup products that you can use to back up servers located in your offices.
  • In addition to the cloud services mentioned above, techsoup.org offers software and hardware donations to qualified nonprofits for a very modest fee.
  • There are also a number of subscription services that can help create a more secure environment. When you look at the cost of purchasing software or hardware, maintenance, support, and the other related costs of an owned solution, a subscription may be a more cost-effective way to go.
  • Always ask for a nonprofit discount. Even if they don’t advertise it, many vendors will give you at least a 10% discount if you ask, and some offer even more.

Taking Security to the Next Level

Good security is multi-layered, with each layer adding further protection. Good security also isn’t “set it and forget it.” It needs to be maintained and monitored by organizational IT staff or an outside vendor. And most important of all, it needs IT leadership; without that, even the best plans will fail.

When planning security for your organization, think about what it would cost to have a hacker gain access to your organization’s information, and what the loss of data and reputation would actually cost your organization. And then make a plan to prevent it.

Resources

Microsoft Trust Center: www.microsoft.com/en-us/trustcenter/Compliance/default.aspx

TechSoup: www.techsoup.org

Google 2-step verification: support.google.com/accounts/answer/185839?hl=en


Photo credit: blogtrepeneur


Leland Foster
Leland started out in property management working as a maintenance person in 1978 and has worked as a Property Administrator, Operations Manager (property supervisor) and finally as the Director of IT for an Oakland based housing non-profit. Along the way, he has also been a hermit, goat herder, pig farmer, and owner of a technology company. Technology, however, has always been both a lifelong hobby and eventually a career for Leland, who built computers and operating systems from scratch in college and developed property management software that ran on a Commodore 64 computer in the early 80’s. Leland currently provides consulting services for organizations making the transition from on-premises server infrastructure to Office 365 and Microsoft Azure cloud services.