What nonprofits need to know about assessing security risk

As laws regarding data security standards such as PCI mature, small companies and nonprofits increasingly find themselves facing complex decisions about the security measures that are right for them.

Here are some options worth considering, as well as what criteria to apply to find the best fit for your organization.

Taking control of your own security

If your nonprofit has the internal resources necessary to implement and support its own IT infrastructure, it may be preferable to host some or all of your information services internally.

This is often a good option because it allows you to tailor security controls to your specific needs. Security can be built in at the design phase, which makes additional measures more effective. A well-structured plan also allows the infrastructure to scale as the organization grows. Properly undertaken, hosting your own security infrastructure can be a solid fit for medium to large nonprofits.

When considering internal security designs, there are myriad options and no one perfect answer. Some options that sound cost-efficient at the start become more expensive as time goes on, while other high-cost options make more sense in the end as the organization takes control of its security landscape.

Assess your security with vulnerability scans or penetration tests

A lesser-practiced but necessary element in any security program is assessment. A security assessment is a practical exercise in which existing security measures are put to the test. This is usually undertaken through vulnerability scanning, manual penetration testing, or a combination of the two.

When scoping penetration tests with new customers, we often find that they have previously paid high prices for vulnerability scans that were presented as penetration tests. Both are valuable tools, but you want to get what you are paying for.

Vulnerability scans use complex tools that search your network for known vulnerabilities. They sometimes report false positives, and their output can be confusing to someone who hasn’t seen it before. They are much cheaper than actual penetration tests because a tool, not a person, performs most of the work.

If your team has some knowledge of vulnerabilities and is comfortable reading these automated reports, a vulnerability scan is a lower cost option that works great for many companies.

Penetration tests often include vulnerability scans to give the penetration (or pen) tester a starting point during your test. That is where the similarity ends. A capable pen tester works with security findings daily and wields a diverse toolset specifically designed to validate the vulnerability scan findings and to levy real-world attacks against systems.

Your pen tester should spend most of their time using that information as a starting point in learning the landscape of your environment so that they can test your systems manually. Automated scanners can only find so much—manual testing delves into a much deeper level and often reveals real-world dangers that scanners fail to identify.

Make sure to get information from the pen tester on the methods that will be used, the impact on end users (if any), and the estimated time for testing, as well as any meetings, interviews, or additional investigations that may be necessary as part of their service.

A good penetration test report will be highly applicable and much more understandable than a vulnerability scan report. Reports vary widely between companies, and it is well within your rights to ask for sample reports when shopping for a penetration testing company. When the test is done, you will be left with a report that you will likely show to management and technical staff as well as vendors. Look for a report that addresses the interests of all stakeholders: one that non-technical staff can understand, but that also dives into the technical details so your employees know where to start fixing the issues.

Vulnerability scans and penetration tests are both great tools, and either may be right for your company. Take the time to know what you’re paying for and start with an option that fits best for you.

Tools vs. services

Before moving on from assessment, it’s important to note that your company can run its own vulnerability scans. There are some free scanners that do an okay job, and there are a number of expensive scanners that do a great job. The expensive scanners are likely the ones used when you pay an outside party to perform your vulnerability scan, and it is a great idea to ask which scanners they use. A few popular scanners that are free to try (and fee-based for licensed use) are available from vendors such as SolarWinds or Rapid7. Many other open-source or OS-based tools are available as well.

If you decide to use vulnerability scanning tools yourself instead of hiring a third party, keep in mind that you may need to hire and train staff to support the tools. All of these tools are complex and may require customization to adapt them to the needs of your environment.

As with general security infrastructure, keeping this functionality in-house adds flexibility and allows you to apply the tools where most appropriate. Just remember that maintaining an in-house vulnerability scanning solution incurs additional ongoing costs in licensing, staffing, and infrastructure.

Let someone else do it for you

Now that we’ve discussed the nitty-gritty of security options, it is important to mention that many nonprofits enjoy the advantages of outsourcing the complexities of handling sensitive data to specialists. There are numerous companies that host and maintain websites and databases, as well as companies that process payment data without it ever touching your systems. The line-item costs of outsourcing can be offset by not needing to hire highly skilled employees or to invest in the infrastructure necessary to provide adequate security measures. A lower management burden and ease of planning make this approach particularly appealing to smaller nonprofit organizations.

Informed research is a critical part of choosing a security vendor. Look beyond the service list and choose a provider that understands your organization’s needs and can lay out a clear path toward your goals for greater network security. Security is an ongoing process; a trusted partner can help you navigate difficult waters that might fall outside formal product offerings.

At Raxis, for example, we provide a formal document attesting that a company has undergone a third-party penetration test and has remediated all findings. Such attestation letters show that the organization approaches security proactively and is willing to let an outside party verify its security posture. We recommend asking potential vendors whether they can provide a letter of attestation. Your search for the right vendor may also be better informed by asking for feedback from a few of the security company’s current clients.

Consider strategic growth in your security investments. It is more cost-effective in the long run to plan for growth than to react to it. This is especially true in a field like security, where the intermingling of disparate technologies is common. Managed service offerings such as network and web application firewalls, for example, may appear to exceed the expected costs, but an undersized solution will incur greater expense through maintenance than one that was planned to accommodate growth over time.

Making the decision

There are endless options to consider when designing a security program. Security needs and budgets often play conflicting roles in the decision-making process. A good starting point is to work with the different parties involved (network administrators, developers, physical security teams, etc.) to build a list of goals.

Take your time researching the companies that provide the services or tools that you are interested in. Reputable companies will want to work with you to scope a meaningful engagement that fits your budget needs. If they can’t meet your needs, good companies will make that clear from the start.

Bonnie Smyre
Bonnie Smyre is the COO at Raxis. She's performed penetration testing for some of the largest companies in the US as well as many smaller companies beginning their security programs. Her offensive security skills are complemented by her knowledge of enterprise vulnerability management and regulatory compliance, such as PCI. Bonnie has breached countless vulnerable systems for customers through the manipulation of application parameters or injection of code. Bonnie believes that assessments are focused on illustrating how effective security adds overall value to the business and how security practices can help guide the direction of the enterprise. She is also frequently featured on Fox 5 TV in Atlanta to cover current technology news stories, speaking from her extensive background as an information security expert.