
If your nonprofit takes payments of any kind, then you need to be familiar with a scary, yet vital standard called PCI.

PCI (payment card industry) compliance is a set of rules and regulations ensuring that payments are secure and that no cardholder data is put at risk from hackers and scammers.

Nonprofits must abide by these rules, or face fines between $5,000 and $500,000. PCI compliance is a necessary part of your nonprofit’s security plan.

If you use an e-commerce package or online donation tool, PCI compliance is often already done for you by the company providing the platform, but you should know how it works.

For now, we’re going to focus on the two most likely scenarios: those who outsource all of their payment processing to a third party and organizations who outsource most of their payment processing. All of the below solely applies to web transactions.

Define who you are

One of the first steps of PCI Compliance is determining where your nonprofit falls into the PCI Compliance spectrum. There are eight different classifications that are given confusing titles such as “SAQ B-IP.” The SAQ stands for Self-Assessment Questionnaire, and the vast majority of our lovely readers will fall into the first two categories: SAQ-A and SAQ A-EP.

SAQ-A

This is for the group of nonprofits that outsource all of their payment processing to a third party.

Examples of organizations that fall into this category:

  • Donations made on a third-party site such as DonorBox or Classy.org.
  • Donations made on your nonprofit’s site, but using a PCI-compliant solution such as Formstack with Stripe integration.
  • Events payments made on sites such as EventBrite.
  • E-commerce done on sites such as Shopify, or payments made on PayPal.com.

In these scenarios, you never touch the cardholder data, because these sites/services are doing the heavy lifting. This is the simplest way to go.

SAQ-A: What you should do

  1. Destroy all paper copies of cardholder data, if you’ve received it.
  2. Ask questions of your vendors to ensure they’re PCI compliant. Get it in writing, or take a screenshot of the statement on their site. Some vendors have been known to state they’re compliant, only to backpedal later with a “whoops, we weren’t compliant.” Not good.
  3. Monitor and check in with your vendors to ensure they’re maintaining PCI compliance.

SAQ A-EP

This is for the group of nonprofits that outsource most of their payment processing, but at some point during the payment process, the nonprofit’s site or server is touched. The main difference between SAQ-A and SAQ A-EP is that SAQ A-EP governs how the cardholder information is passed to the PCI-compliant vendor.

Examples of organizations that fall into this category:

  • Donations and other transactions made on your nonprofit’s site that use a gateway such as Authorize.net (non-hosted solution).
  • Transactions that use a solution such as PayPal’s Payflow.

SAQ A-EP: What you need to do

Well, my first and obvious suggestion would be to change your processes so you can fall into the SAQ-A category. But, if that’s not an option, let’s continue.

There are 12 requirements that you’ll need to pursue. Please note there’s a lot more to these, but here’s a good primer:

  1. Install a firewall. Get a solid hosting provider, and they should be able to do this for you.
  2. Be careful with your passwords. Don’t use vendor-supplied passwords, and don’t use “password123” or your dog’s name. You catch my drift.
  3. Protect cardholder data. Getting technical pretty quickly here, but you’re here because you’re smart! Ensure the stored data is fully encrypted, and be sure the encryption keys are protected. There are cases where the encryption keys are lying around, or are in a spreadsheet—that’s not protected. Also, ensure the cardholder data isn’t lying around in a spreadsheet somewhere or on physical paper. This requirement also calls for a flowchart showing where cardholder data flows.
  4. Protect how cardholder data is transmitted. Before, we were talking about stored data. This item is all about protecting how the data is transmitted.
  5. Say no to the viruses! Ensure you have anti-virus software on any system and application that touches cardholder data (phones, tablets, computers, servers, etc.).
  6. Be current. Many, many breaches are due to outdated software installed on your machines or server. Ensure you’re constantly on the latest, most stable versions.
  7. Be choosy with who gets access. Not everybody needs access to your sensitive data. Be particular with who gets access to what.
  8. Be a fortress with your usernames and passwords. Ensure you have a solid policy for usernames and passwords, and have logic in place to reject usernames and passwords that aren’t secure. Set password lockouts (such as “You’ve entered your password incorrectly 3 times, therefore I’m not letting you in”), and enable multi-factor authentication (your password in addition to something only you have, such as your fingerprint or a hardware token).
  9. Your physical space must also be a fortress. Having all of the above in place is for naught if someone can walk into your office and change everything.
  10. Monitor all access to the data. Keep detailed logging of who’s accessing what information, as well as how and where they’re accessing it.
  11. Regularly test. How often does your technology seem to break for no reason? For a secure environment, regularly testing your security controls is imperative.
  12. Have a policy. All of this is confusing, and your staff will find it equally confusing. Ensure you have a policy in place that clearly addresses security standards and procedures.

Limiting your PCI compliance scope

As you have deduced, SAQ A-EP is a massive task and one that can consume energy, resources, and budget. If you’re completely overwhelmed by everything that needs to be done to be fully compliant here, consider what it would take to move from SAQ A-EP to SAQ-A.

In conclusion

I’m not a PCI Compliance specialist, just someone who knows enough to raise awareness on this important topic. For a comprehensive overview, please head over to the PCI Security Standards Council site.

Becoming PCI compliant is imperative, especially as more organizations’ data practices are under increased scrutiny. While all of this sounds extremely technical, PCI compliance is not just an IT function. Instead, it involves buy-in from your entire organization and support from the top.

Go forth, good people, and take these steps to ensure a better, more secure web!


If you don’t have a solid understanding of what PCI compliance is, and you take credit cards in any way, then I beg you to read this article in its entirety. It’ll be the best 5 minutes of your week. Now that I’ve set the expectations high, let’s get on with it…

What the serious heck is PCI compliance and PCI DSS?

PCI compliance is a phrase fairly unknown to most people, but one that can send chills down the back of those familiar with e-commerce. Why? Because it can be super-scary, and I’m here to make you feel a bit better about it.

PCI compliance, or payment card industry compliance, is born out of something called PCI DSS (the Data Security Standard). There’s a lengthy history of PCI DSS, but here’s my summation:

Internet: “It’s 2006, and OMG, so many people are using credit cards to make online purchases with me!”

Bad people in the world: “Wow, it’s 2006 and so many people are using their credit cards online. I can totally steal the credit card information super easily and make fraudulent purchases at places you’d never shop.”

Smart techie people: “We need to form a governing body and put some rules in place to stop the bad people from doing bad things to people with poor taste in where they shop. Okay, let’s start PCI DSS, and it’ll be a list of things that companies must do to protect consumers from said bad people.”

And thus, my friends, PCI DSS was born.

Should you care about PCI compliance and PCI DSS?

Yes. If your nonprofit sells anything or accepts donations, then you need to make sure the service you use to accept those funds is PCI compliant. If you’re a consumer, then you should also know if a company or nonprofit you’re giving your money to is PCI compliant.

Why should nonprofit leaders really, really care?

If your transactions are hitting your server in any way, you’re liable. If there’s a security breach and you’re not compliant, you can be fined from $5,000 to $500,000 per month.

What can you do about PCI compliance and PCI DSS?

There are a few options. If you’re looking to read through hundreds of pages of technical PCI DSS guidelines, then have at it. However, since the interwebs are filled with so many e-commerce platforms, they can take the heavy lifting and let you do what you’re good at: selling goods and services. Many e-commerce platforms have likely invested millions to make their platforms as secure as possible.

Let’s go over some basic terminology:

  • E-commerce package: This is what sells your products; you may call it an online shopping cart. Sometimes it’s integrated into your site, sometimes it’s a stand-alone.
  • Online donation tools: The service you use to accept online donations, such as Network for Good.
  • Merchant’s web server: Where your e-commerce is hosted. If you’re using a package such as Shopify, this is most likely also your web server.
  • Payment gateway: This is what connects the e-commerce package to the banks. Think of the payment gateway as the super gossipy kid in class that’s passing notes back and forth to everyone.
  • Settlement bank: This is where your funds get settled (aka your bank).

So someone buys a Grumpy Cat t-shirt off your site (e-commerce package), it goes through the payment gateway, your payment gateway chats with the e-commerce platform (which may or may not be part of your site) and eventually deposits funds into your bank account. Within that process, it could also hit the merchant web server. In that case, you’d be totally open for PCI DSS scrutiny. The same process applies for online donations.

So instead of using an e-commerce or donation platform and a payment gateway that hits your own servers, you can use a fully hosted solution (which lives on their servers, so it’s their liability). Any time you’re evaluating any service or tool that accepts online payments, be sure you ask about this aspect in writing: “Are you 100% fully PCI compliant?”

Surprisingly, many vendors will start to dance and avoid the question. If they do this—run, don’t walk, away. We’ve had conversations with well-known form services that “leave it up to the customer to handle PCI compliance.” This is not good practice.

Some e-commerce platforms are fully compliant, and take pride (as they should) in it. For example, Shopify boasts full compliance. However, it’s also important to ensure any payment gateways they work with claim the same. This is imperative. Some sites, like BigCommerce, seem to be a bit more vague in their statement.

If you take a look at the two links above, you’ll see a really noticeable difference: Shopify is quite straightforward about it. “Yes, Shopify is certified Level 1 PCI DSS compliant. This compliance extends to all online stores powered by Shopify,” says their site. BigCommerce’s explanation seems to dance around the fact a bit: “BigCommerce takes care of the vast majority of the steps toward PCI compliance for any customer on our platform.” BigCommerce may be PCI DSS compliant, but it’s a bit difficult to tell. These are the red flags to look for.

In general, when the payment is hosted elsewhere (say PayPal), it’s safer to know they’re compliant. However, with PayPal’s “on page” payment solution Payflow, where the transaction is made on your site (e.g. www.myshop.com/payment) vs. (www.paypal.com), PCI compliance once again becomes a major concern.

The same red flags go for anything that receives payment: online forms, donations, event registrations, you name it. These are questions you should be asking yourself, your IT team, and your app vendors (e.g. Shopify or Wufoo) to make the best decision for your organization and your resources.

To make sure your nonprofit is PCI compliant, you don’t need to understand PCI DSS inside and out—you just need to understand the basics, what questions to ask, and what the red flags are.

Back in 2012, we implemented an organization-wide password manager here at NTEN, finally replacing our comically insecure “Shared Passwords” document, and the all-too-common practice of reusing the same password across a variety of different sites.

The idea of using a password manager had been on our radar for several months, but we had any number of excuses for why “now” wasn’t the right time:

  • We’ve never had issues with our “Shared Password” document to this point.
  • No hacker wants access to our accounts as a small nonprofit, so “admin” is a fine password to keep using everywhere.
  • There are a lot of reports saying password managers themselves can be insecure.
  • We already have too many systems, so I don’t want to force staff to learn yet another one.
  • We’re too busy right now, so maybe we can implement this next year.

While some of these ideas may have contained grains of truth (e.g. password managers aren’t a perfect defense), they all quickly fell flat once we’d experienced the time-saving and security benefits of using a password manager.

Five years later, it’s not exaggerating to say this change may be the most significant stress-reducing and time-saving policy I’ve ever put in place at NTEN since I started working here more than 10 years ago.

Step 1: Make the decision

If you’re not part of the leadership team, you’ll need to convince someone who is to help you champion this project. Figure out who that person will be, and make sure they’re on board.

Step 2: Pick the right password manager

Security experts can’t agree on which password manager is the “best,” so as a non-security expert I’m in no position to help you with that decision. That said, as long as you pick a tool that’s well established, well reviewed, and has a history of being transparent and quickly fixing any security holes, you can’t really make a bad choice.

The other thing that will help is figuring out any must-have features that may be unique to certain tools. Your budget may be another factor depending on your needs. Many of the most popular tools do offer free versions, but proper implementation for your nonprofit may require a paid Pro or Enterprise license.

Here are a few features I wouldn’t have known to look for initially, but have proved quite valuable over the years:

  • Ability for the administrator to:
    • set specific security policies to meet your org’s needs (e.g. password length, multi-factor authentication, remember me settings)
    • take over a user’s account and remove access to shared passwords when an employee leaves
    • reset a user’s master password if needed
  • Shared folders or security groups to easily manage who can access specific shared accounts
  • Ability for staff to link a personal account to the organization’s account to improve workflow, but without mixing personal data with the organization’s data (since once staff see the benefits at work, they’ll likely want to start managing their personal accounts the same way).

Step 3: Create an implementation plan

Once you’ve decided on a tool, the next step is to create a plan for launching this tool across your organization. This is where having the champion you found in Step 1 will be helpful.

You’ll need a detailed implementation plan that documents the on-boarding process for users, organization-specific policies for how to use the tool, a migration plan to bring all your existing accounts into the tool, and finally, a plan to purge all your old, insecure passwords and replace them with secure, unique passwords.

Testing out the tool yourself is a great help in creating this plan. While you should make it as detailed and complete as possible, keep in mind that it’s a first draft and will almost certainly require substantial revisions after the next step.

Step 4: Do a trial implementation with a small team

There’s no quicker way to sour your co-workers on a new system than a poorly delivered implementation. If a new tool adds to their stress or workload, as soon as you turn your back, they’re going to stop using it and go back to what they know.

To avoid this potential landmine during NTEN’s implementation, I chose a small group of trusted staff members to help test out my plan prior to the big launch. This exercise helped me identify and fix several incomplete or rocky patches in my plan. Perhaps more importantly, it also created a committed group of converted staff that were able to help answer questions and train other staff later.

Step 5: Launch it to the whole organization

Now that you have your revised and improved plan in place, along with a small team of staff eager to see this new tool implemented, you’re ready for the official launch. There are sure to still be unanticipated bumps in the road, but as long as you have the right people on board and have carved out the time to make sure everyone is trained effectively, your coworkers should quickly start seeing the benefits of the new tool.

This is where all the work you’ve done is rewarded, often with glowing smiles and relieved sighs emanating across the office as users realize the burden of remembering countless passwords has been lifted, and that their accounts are actually going to be significantly more secure.

Step 6: Provide continued training and improvement

Bask in the joy of accomplishment for a few minutes, but then get back to work. While it may seem like everything is safe, easy, and wonderful after implementation, it’s critical you don’t become indifferent to the risks that still exist. In reality your users are all going to have different levels of adoption, and your organization is only as safe as your least secure user.

To combat this, most password management services have tools you can use to monitor how secure each user’s account is (e.g. master password strength, reused passwords, multi-factor authentication usage), so you can use those to identify and follow up with any users who seem to be falling behind the curve.

You’ll also need to keep your policies up to date to match new needs or discovered security risks, and offer routine refresher trainings to staff. For example, I’m pondering removing the mandatory password change requirement from our policy and replacing it with mandatory multi-factor authentication. And don’t forget to keep staff trained about related risks like phishing and baiting.

Conclusion

If you’ve read this far, but still haven’t made the decision to implement a password management system for your organization, please make that decision now.

Seriously though, whenever I read a “password best practices” type of article and their first piece of advice isn’t to use a password manager (which surprisingly is the majority of them), I cringe a little for anyone who’s still attempting to follow all those oft-repeated rules on their own (such as using a passphrase, changing your passwords every 30/60/90 days, or using a combination of letters, numbers, and symbols).

Those rules all still make sense of course, but in 2017—when we all have hundreds of different accounts across the internet—it’s impossible for any mere mortal to actually follow all those rules to the letter without a password manager.

There’s a new wave of ransomware sweeping the globe. Last week, more than 200,000 computers were infected in 150 countries by the WannaCry Decryptor, which encrypts users’ files while the attackers extort money to unlock them.

Many nonprofits don’t realize they’re vulnerable until it’s too late. In fact, nonprofits are often at greater risk:

  • Nonprofits typically lack IT and IT security knowledge.
  • Nonprofits tend to have fewer IT-related staffing resources.
  • Hackers can steal as much information from 10 small nonprofits as they can from one large business.

We are discounting our Intro to IT Security course, which starts next week, to help more nonprofits gain access to the tools and skills they need to protect themselves from cyber attacks like WannaCry. Leon Wilson, a nonprofit IT security expert with more than 20 years of experience, will share resources and practical tips on how you can protect yourself and your organization.

Use the discount code protect and get a 25% discount. Sign up today and make sure your nonprofit is prepared.

Still can’t afford it? Contact us at training@nten.org and tell us a bit about your work and why you want to take this course.

Most people will say security is important, but if pressed, chances are they don’t really know what that means. What is IT security, exactly, and what’s the worst that can happen? Most pressingly: How can often cash-strapped nonprofit organizations keep their information—and their clients’ or donors’ information—safe and sound?

Leon Wilson, Chief for Digital Innovation & Chief Information Officer for the Cleveland Foundation and past NTEN Lifetime Achievement Award winner, is leading an online NTEN course on security basics for nonprofits: Intro to IT Security, in May. He was kind enough to answer a few questions about IT security and the special considerations for nonprofit organizations.

Why are nonprofits at greater risk of information breaches and other hacks?

Because hackers know that they’re easy prey; that is, they presume that nonprofits not only don’t have a sophisticated or a secure environment as say a bank or hospital, but that they aren’t even performing the basics well enough. Also, nonprofits have a trove of donor and client information that can be pilfered for identity theft and social media trolling.

What are the potential consequences to nonprofits and their clients?

Loss of trust between the nonprofit and their client that can lead to loss of donors/donations and loss of business/clients wanting to work with the nonprofit.

What are a few things that nonprofits can do to assess their risk?

1) Hire a credible IT consultant to perform a comprehensive IT security & risk assessment; 2) Identify any compliancy regulations they must conform to (e.g. HIPAA, PCI-DSS, Personally Identifiable Information (PII) pertaining to kids).

Why is having an IT security strategy important?

Most, if not all, IT security experts will tell you that these days, it’s not a matter if you’ve been hacked, but when. It’s nearly inevitable in this day and age. Therefore, having a “constantly” current IT security strategy is akin to being a fiscally responsible organization.

What’s the first step that at-risk nonprofits should take to improve their practices?

I can’t say it enough: You don’t know how bad of a situation you have until you assess the situation. Thus, the first step is for nonprofit leadership to take IT security seriously and have an IT security assessment performed. A good IT security assessment should not only identify your vulnerabilities, but rank them by severity. Tackle the severe ones first.

What is the number one pitfall or roadblock for nonprofits implementing an IT security policy?

Unfortunately, it’s a four-way tie: a) lack of awareness, b) not knowing who to turn to for help; that is, finding a good IT security consultant that will help them identify and plug any holes without going overboard, c) lack of finances to perform a good IT security assessment, and d) funding to implement those changes warranting additional technology solutions and consulting work.

View our courses page to find the next Intro to IT Security course with Leon.

While nonprofit organizations enjoy certain exemptions, they still have liability risks and, as with any business, liability concerns are going to be industry-specific. A nonprofit construction company like Habitat for Humanity, for example, will have liability risks associated with bodily injury for its own workers and volunteers, while a nonprofit legal organization like the ACLU will need to carry insurance that protects the company against erroneous legal advice or even slander and libel.

Common Nonprofit Risks

Which risks will impact your nonprofit is highly industry-specific. That said, most businesses in general, including nonprofits, have commonalities among their liability concerns. Nonprofits should be concerned with:

  • Bodily injury claims from customers or clients
  • Physical property loss or damage
  • Management and directorial board decisions
  • Cybersecurity

The types of insurance that fall under these categories may include general liability, business owners policies, commercial property, management liability insurance policies such as directors and officers and employment practices liability, and especially cyber liability insurance. Let’s review how these different policies may provide necessary coverage for your nonprofit.

Core Liability Coverages: General Liability, Commercial Property, and Business Owners Policies

The two categories of risk that most businesses share are third-party claims dealing with bodily injury or property damage, and the loss of the business’s own property as a result of a loss, such as a fire or theft.

Commercial property insurance will help provide needed funds should you lose any property that’s directly tied to the business. All commercial property policies will cover loss related to theft, such as what might occur after a break-in, while policies sometimes vary in terms of what is covered in the case of other types of loss events, such as natural disasters. Computer equipment and other forms of technology, in general, are going to be a primary target for thieves during break-ins, while such equipment is also very susceptible to breakage during a natural disaster. Nonprofits that have offices or space in areas that are prone to floods or earthquakes may want to consider additional coverage, as these are often not considered to be covered events.

One mistake many nonprofit organizations make is assuming that, if an accident occurs, individuals will not seek recompense from them. Lawsuits of this nature can and do happen against nonprofits, making general liability a consideration.

Slip-and-fall lawsuits are common general liability concerns, while a general liability policy also covers instances where your nonprofit may be responsible for damaging someone else’s property. However, a general liability policy is just one alternative available to nonprofits. This is where a business owners policy (BOP) may be a worthwhile venture. A BOP combines the benefits of a commercial property policy and a general liability policy.

Management Liability: Directors and Officers and Employment Practices Liability Insurance

Your board of directors serves an important function in your nonprofit, but they are not infallible or exempt from investigation. Directors can make mistakes with managing money or with general decisions in the direction of the nonprofit, while managers can make mistakes related to hiring, firing, and other employment-related issues.

Given this, a directors and officers (D&O) policy is valuable to help mitigate the risks associated with nonprofit boards. As boards meet and make decisions, it’s important to remember that those decisions are often held under greater scrutiny because of your nonprofit status. Tax-exemption affords a nonprofit a lot of leeway toward using resources to give back to the community, but how your nonprofit chooses to funnel donation money can result in litigation and claims of mismanagement of funds. As noted by Nonprofit Quarterly, the benefits of purchasing a D&O policy tend to outweigh the costs.

Meanwhile, all nonprofits are still held responsible for their hiring, firing, and promotion decisions. This can be partially covered under a D&O policy, but your nonprofit should also consider employment practices liability insurance, which covers all aspects of employment practices to a much greater degree, including issues related to wrongful termination, sexual harassment, other forms of workplace harassment, and retaliation claims.

Cyber Liability

Every business, nonprofit or otherwise, needs to be concerned with issues such as data breaches, hacks, malware and/or spyware, ransomware, and general data loss. Your data is valuable, and for tech-based industry nonprofits, your valuable data can make or break your operations. Cyber liability insurance is designed to help mitigate the risks associated with all forms of data loss that involve cyber attacks.

For example, if you operate a nonprofit that digitally collects and maintains donors’ personal and payment information, that data is at significant risk. According to a recent article, 60% of small businesses never recover after a cyber attack. The costs associated can be more than many businesses can absorb, with the cost—and the threat—growing every year.

It’s incredibly important for nonprofits to maintain adequate liability coverage, especially for cyber security threats. With cyber criminals growing more sophisticated in their methods, the risks are too great to ignore.


While good leadership can help employees understand the need for security measures and encourage compliance, bad leadership can foster employee discontent, conflict with the IT department, and the failure of even the best of plans. Executives must have a good understanding of what computer security risks are out there for nonprofits so they can guide the organization in evaluating how much risk the organization can afford. The IT department can educate and give advice, but decisions and support must come from the highest level.

Here are the seven most common security weaknesses that nonprofits have:

  1. Lack of organizational understanding or commitment to security
  2. Ineffective or unenforced policy
  3. No regular user education on risk
  4. Weak passwords
  5. No anti-malware software
  6. No email filtering
  7. No website filtering

Beyond the tips below, organizations should probably seek outside professional security incident management services, which can provide a level of monitoring and responsiveness to threats that most organizations couldn’t afford on their own. Such services usually provide monitoring of logs and other indicators of network activity, using a combination of automated and human evaluations, providing almost real-time responses to threats.

How To Make Your Nonprofit More Secure

The SANS website has a number of sample policies for almost everything related to computer security. These can be modified to meet your organization’s needs. The biggest trick with policies is getting people to follow them.

Providing procedures such as a quick checklist or flowchart of how to evaluate suspicious emails or web sites can help users make better decisions. For IT, such procedures would be more complex and in-depth, but for end users, a quick “if you see something like this, do this” will be helpful.

Finally, users need constant training and re-training on the importance of organizational security. Such training doesn’t have to be a massive all-day affair; frequent reminders are probably more effective. Train new employees thoroughly and all employees on new threats as they arise. After that, a quick mention at meetings, posters, or other reminders should suffice. If you do have periodic trainings for employees, make sure you cover why it’s important as well as what they should do differently.

There’s No Excuse for “Password1”

Passwords are the first and—in many organizations, the only—method of protecting computers, so let’s talk about the reality of passwords in a day of massive computing power at the hands of almost anyone who wants it.

A good password should be at least 12 characters long, with a combination of letters (upper and lower case), numbers, and symbols. If such a password were truly random, its roughly 79 bits of entropy would keep even a cracking rig making a hundred billion guesses per second busy for over 100,000 years.

The problem is that even moderately complex passwords are hard to remember, and unless you use a password generator they are never really random.

Most organizations require an 8-character password with letters, numbers and symbols. How long a random 8-character password survives depends on where it is attacked. Against a throttled login form it holds up for years, but if the password hash is stolen (a common outcome of a breach) and it is a fast, unsalted hash such as NTLM or MD5, a single modern GPU tries the whole 8-character keyspace in under a day. Changing passwords every few months does nothing against an attack that finishes overnight. And remember, people don't create random passwords. They usually use a familiar word (such as the names of loved ones) with some numbers (like important dates) and symbols added on or mixed in, which is exactly the pattern password-cracking tools try first, or they post their "random" password on a sticky note on their monitor or worse, in a plain text file on their computer.
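As an added illustration (this is not code from the original post), the following Python script does the arithmetic behind those claims for several assumed guess rates and then applies the kind of pattern checks a password policy should enforce, so that "Password1" and "Fluffy1985!" are rejected even though both satisfy a letters-numbers-symbols rule. The guess rates, the tiny banned-password list and the pattern rules are constructed assumptions for the example, not measurements or a product's rule set.

```python
import math
import re

# Assumed guess rates in guesses per second. These are illustrative
# assumptions, not measurements: real throughput depends on the hash
# algorithm, on salting and on the attacker's hardware.
GUESS_RATES = {
    "throttled login form": 1e2,
    "one GPU, slow salted hash (bcrypt/Argon2)": 1e5,
    "one GPU, fast unsalted hash (NTLM/MD5)": 1e11,
    "GPU cluster, fast unsalted hash": 1e12,
}
PRINTABLE_ASCII = 95          # upper + lower + digits + symbols on a US keyboard
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def crack_time_seconds(alphabet_size, length, guesses_per_second):
    """Worst case: time to try every password of this shape (expect half on average)."""
    return alphabet_size ** length / guesses_per_second


def human_duration(seconds):
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_time_table(length, alphabet_size=PRINTABLE_ASCII):
    """Worst-case crack time of a random password of `length` at each assumed rate."""
    return {scenario: human_duration(crack_time_seconds(alphabet_size, length, rate))
            for scenario, rate in GUESS_RATES.items()}


# The human factor: passwords that look complex but follow a predictable recipe.
# Constructed sample of a banned-password list; a real deployment loads a large
# breach-derived list instead.
BANNED = {"password", "password1", "welcome1", "letmein", "qwerty123", "summer2016"}
WORD_DIGITS_SYMBOL = re.compile(r"^[A-Za-z]+[0-9]{1,4}[^A-Za-z0-9]{0,2}$")  # e.g. Fluffy1985!
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def weak_password_reasons(password):
    """Return the reasons a password would be rejected; an empty list means it passes."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if sum(bool(re.search(p, password)) for p in CLASSES) < 3:
        reasons.append("uses fewer than three character classes")
    if password.lower() in BANNED:
        reasons.append("appears on the banned-password list")
    if WORD_DIGITS_SYMBOL.match(password):
        reasons.append("is a word with digits and a symbol tacked on")
    if re.search(r"(19|20)[0-9]{2}", password):
        reasons.append("contains what looks like a year")
    return reasons


if __name__ == "__main__":
    for length in (8, 12):
        print(f"random {length}-character password, "
              f"{entropy_bits(PRINTABLE_ASCII, length):.0f} bits:")
        for scenario, duration in crack_time_table(length).items():
            print(f"  {scenario:45s} {duration}")
    for pw in ("Password1", "Fluffy1985!", "x7#Kq9!pL2mR"):
        print(pw, "->", weak_password_reasons(pw) or "ok")
```

The table is the part worth showing staff: the same 8-character password that takes millions of years to guess through a login form falls in hours once its hash leaks, which is why length and a banned-password check matter more than forced rotation.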

Passwords sometimes aren't enough. Some organizations have implemented multi-factor authentication. Requiring two factors (for example, a password plus a code from a hardware token or an authenticator app) means a stolen or guessed password alone no longer gets an attacker in, which is the single biggest improvement most organizations can make to account security. What is practical (and least expensive in most cases) is to use the cell phone as the second factor, either by texting a code to it or, better, with an authenticator app that generates the code on the phone; texted codes can be intercepted through SIM-swap fraud and by phishing pages that relay them, so treat SMS as the floor rather than the goal. Google and Office 365 both have good multi-factor authentication options.
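The phone-based second factor described above is usually implemented not by texting codes but by the time-based one-time password (TOTP) scheme of RFC 6238 that authenticator apps use, which needs no network connection at all. The Python below is an added example, not code from the original post or from Google or Microsoft: it implements the RFC's algorithm with the standard library and adds a verifier that tolerates one time step of clock drift between phone and server while refusing to accept the same code twice, so a code captured by a phishing page cannot be replayed later. The 20-byte secret and the timestamps used for checking are the RFC's own published test vectors; the base32 key "JBSWY3DPEHPK3PXP" is a constructed demo key of the form an app would scan from a QR code.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, int(at_time) // step, digits)


def secret_from_base32(text):
    """Authenticator apps exchange the shared secret as base32 (the QR code payload)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore any stripped padding
    return base64.b32decode(cleaned)


def verify_totp(secret, submitted, at_time, last_used_counter=None,
                step=30, digits=6, window=1):
    """Check a submitted code against the current step and `window` neighbouring
    steps (clock drift), but never accept a counter at or below the last one used,
    so a code captured by phishing cannot be replayed. Returns (accepted, counter)
    where `counter` is the value the server should record as last used."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return False, last_used_counter
    current = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"          # RFC 6238 Appendix B test key
    for t in (59, 1111111109, 1234567890):
        print(t, totp(rfc_secret, t, digits=8))   # 94287082, 07081804, 89005924
    app_secret = secret_from_base32("JBSWY3DPEHPK3PXP")   # constructed demo key
    print("code right now:", totp(app_secret))
```

The replay rule is the detail most home-grown verifiers forget: a TOTP code is valid for the whole 30-second step (plus the drift window), which is long enough for a phishing site to relay it, so the server must record the counter it last accepted and refuse anything older.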

The biggest problem with implementing solutions like these is never the complexity or cost: it's your users. Many users will see the additional requirement as a burden and some will even seek ways of circumventing it, like saving your confidential files to a personal cloud storage account, which undermines confidentiality and integrity as well as authentication. Once again, the key to solving this problem is leadership, policy, procedure, and training.

Protecting Your Users from Themselves

A couple of basics that all organizations should have are: anti-malware software (commonly called antivirus), email filtering (spam filtering), and website filtering (content filtering). These three solutions are a good way to help protect users from themselves, if they are used effectively and kept up to date.

Security is everyone's business. Let's say a user gets a phishing email that got past your filters, but because they got training, they realized what it was and notified the IT department. IT staff could then submit the attachment to their anti-malware vendor, block the sender in the email filter, and block the URL where the malware is hosted in the web filter. These changes protect less careful users who might still click the link in the email, since their access would then be blocked.

Have a Good Backup Plan

A good backup isn't a single copy somewhere else on the network. You may not know exactly when the attack happened, so a single rolling copy may already be a backup of encrypted or infected data, and ransomware deliberately seeks out network shares and attached drives, so a copy that is reachable from an infected machine is not really a backup at all. Best practice is to keep multiple backup generations covering several weeks or even months, with at least one copy held offline or otherwise isolated from the network, and to test restoring from them periodically. If your files are compromised or held for ransom, you can clean up your systems and restore from the last good backup.
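One concrete way to implement the "several weeks or even months" rule is a daily/weekly/monthly retention policy, which keeps the newest copy from each week and each month as the daily copies age out. The Python below is an added example rather than anything from the original post or a particular backup product: it selects which snapshot dates to keep and which to prune, reports the span of restore points you actually have, and flags days on which no backup was taken (a silently failing backup job is as bad as none). The snapshot dates in the demonstration are constructed. Where the copies physically live, and whether one of them is offline, is a separate decision the script cannot make for you.

```python
from datetime import date, timedelta


def month_index(d):
    """Months since year 0, so consecutive months differ by exactly 1."""
    return d.year * 12 + d.month


def select_backups_to_keep(snapshot_dates, today, daily=14, weekly=8, monthly=6):
    """Apply a daily/weekly/monthly retention policy to a set of backup dates.

    Keeps every snapshot from the last `daily` days, the newest snapshot of each
    ISO week for the last `weekly` weeks, and the newest snapshot of each calendar
    month for the last `monthly` months. Returns (keep, prune) as sorted lists.
    Keeping the newest copy per week and month means a clean restore point
    survives even after the daily copies have been overwritten by encrypted data.
    """
    snaps = sorted(set(snapshot_dates))          # ascending: later entries win
    keep = set()
    newest_in_week, newest_in_month = {}, {}
    for d in snaps:
        age = (today - d).days
        if age < 0:
            continue                              # ignore clock-skewed future dates
        if age < daily:
            keep.add(d)
        iso_year, iso_week, _ = d.isocalendar()
        if age < weekly * 7:
            newest_in_week[(iso_year, iso_week)] = d
        if month_index(today) - month_index(d) < monthly:
            newest_in_month[(d.year, d.month)] = d
    keep.update(newest_in_week.values())
    keep.update(newest_in_month.values())
    prune = [d for d in snaps if d not in keep]
    return sorted(keep), prune


def restore_window_days(kept):
    """How far back the oldest available restore point reaches, in days."""
    return (max(kept) - min(kept)).days


def missing_days(snapshot_dates, today, lookback=14):
    """Days in the last `lookback` days with no snapshot: evidence of a failing job."""
    have = set(snapshot_dates)
    candidates = [today - timedelta(days=i) for i in range(lookback)]
    return sorted(d for d in candidates if d not in have)


if __name__ == "__main__":
    today = date(2024, 6, 30)
    # Constructed history: one snapshot per day for the last 120 days.
    snaps = [today - timedelta(days=i) for i in range(120)]
    keep, prune = select_backups_to_keep(snaps, today)
    print(f"keep {len(keep)} snapshots, prune {len(prune)}")
    print("oldest restore point:", keep[0],
          f"({restore_window_days(keep)} days of history)")
    print("missing in last 14 days:", missing_days(snaps, today) or "none")
    broken = [d for d in snaps if d != date(2024, 6, 25)]
    print("with one failed night:", missing_days(broken, today))
```

Run against a real backup catalogue, the `missing_days` check is the one to wire into monitoring: retention policies only help if the nightly job actually ran.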

Is Your Organization Compliant?

If your organization is required to follow one of the many government or industry regulations and rules, such as HIPAA, FERPA, PCI and the rest of the alphabet soup, you should definitely have professional help implementing and certifying compliance. Unless you are willing to spend the money to do it right yourself, it is a good idea to use vendors that already hold the relevant compliance. Make sure your vendors are able to provide proof of that compliance (an attestation of compliance or audit report, not just a statement on their website) and give you the documentation you need to maintain your own.

Working with a Limited Budget

If you are working with a very limited budget and think you can’t even begin to do the basics, here are some tips to get started:

  • Make sure your organization’s leadership is committed to doing things in a more secure way.
  • Check to see if what you already have can do more. For example, if you already have a firewall, you also might have some web filtering capacity or other advanced features you haven’t used yet. Both Office 365 and Google have the ability to implement multi-factor authentication free for nonprofits. Both have some level of email filtering, although probably not as robust as I’d like without additional licensing or expense, but it is a start. Learn how to use what is available and start making better and more complete use of the basic features included with what you already use.
  • For backup, your nonprofit may qualify for free or discounted use of Microsoft Azure services. Not only can you create virtual servers, there are some good backup products that you can use to back up servers located in your offices.
  • In addition to the cloud services mentioned above, techsoup.org offers software and hardware donations to qualified nonprofits for a very modest fee.
  • There are also a number of subscription services that can help create a more secure environment. When you look at the cost of purchasing software or hardware, maintenance, support, and the other related costs of an owned solution, a subscription may be a more cost-effective way to go.
  • Always ask for a nonprofit discount. Even if they don’t advertise it, many vendors will give you at least a 10% discount if you ask, and some offer even more.

Taking Security to the Next Level

Good security is multi-layered, with each layer covering the gaps in the others. Good security also isn't "set it and forget it." It needs to be maintained and monitored by organizational IT staff or an outside vendor, and, most important, it needs committed IT leadership; without that, even the best plans will fail.

When planning security for your organization, think about what it would cost to have a hacker gain access to your organization’s information, and what the loss of data and reputation would actually cost your organization. And then make a plan to prevent it.

Resources

Microsoft Trust Center: www.microsoft.com/en-us/trustcenter/Compliance/default.aspx

TechSoup: www.techsoup.org

Google 2-step verification: support.google.com/accounts/answer/185839?hl=en

Security is serious business for nonprofits. Not only do they need to protect themselves from attacks, but they have a responsibility to protect sensitive client and donor data. There are many protocols you can establish to protect your organization, but the first step starts with individual people.

While the technology we depend on has changed over the years, people’s social behavior hasn’t. This leaves us at risk of having our goodwill exploited. In security circles we call this scheming activity “social engineering.” It’s an attempt to acquire sensitive information for malicious reasons through deception.

An act of social engineering starts with a lie. The lie doesn't have to be outright; often it's easier if the lie has a grain of truth. The best social engineering attempts will frame a thread of misinformation within a jumble of truth. It's not a matter of if, but when a fraudster will target you or your organization. There are a variety of tactics, so I will focus on three of the most common: phishing, pretexting, and baiting.

Phishing

In a March 2016 article in SC Magazine, a payroll employee at Pivotal Software received an email from CEO Rob Mee asking them for tax information on employees. Not realizing something was wrong, the employee replied with the W-2 information for an unknown number of employees. As you might guess from the title of this article, it was not, in fact, Rob Mee that sent the email.

Phishing (pronounced “fishing”) seeks sensitive information through a deceptive email that masquerades as a trustworthy source. Typically, this is a wide-net activity: the more people an attacker approaches, the more likely they are to find a victim. If the net is wide enough, even a .01% response rate can be productive. A great example is the common “Nigerian Prince” emails. These scams, known as Advance Fee or 419 scams, have been around in one form or another since the 1920s. They work by convincing their target that they will receive a large payoff in return for providing the would-be fraudster with a “small” amount of funds, sometimes several payments. The fraudster will then make up excuse after excuse and draw out the interaction until the target refuses to give any further money—at which point the fraudster will disappear along with the money, never to be heard from again.

We now see these same tactics used to persuade users to open attachments or download files that carry malware, frequently ransomware, which encrypts your files and demands payment in bitcoin before it will decrypt them. For those who do not regularly back up their systems to a device that is kept disconnected, this can be devastating.

The events at Pivotal are an example of a more targeted attack called spear phishing. This type of attack is characterized as a more personalized attack directed at specific individuals, groups, or companies. Whaling is another form of phishing directed at executives and other high-value targets. These attacks often appear in the form of a legal subpoena, customer complaint, or executive issue. In both spear phishing and whaling, the attacker will often spend a great amount of time doing research on their target in order to craft a believable attack that is harder to identify.

Pretexting

“I’m really sorry to bother you, but I’m running really late for my appointment with the Head of Marketing, and I managed to leave my laptop at home with the client list! He’s really counting on me here—can you forward me a copy?”

Pretexting is creating an invented scenario which engages a target to act in a way they otherwise wouldn’t. To make their scenario more believable, an attacker will often play on their target’s sympathy by crying down the phone, admitting something embarrassing, or telling someone about just how terrible their day has been. The attacks involve a lot of prior research so the attacker sounds as natural as possible and can think on their feet while interacting with their target. Smaller acts of pretexting are often used to gather information as part of a larger attack and are favored by identity thieves.

Other examples include the “Microsoft phone scam” where the attacker calls claiming to be from Microsoft, saying that your PC has a virus, and that they can help you over the phone. These calls often end with the attacker asking their target to download malicious software onto their computer. Similarly, in the “Grandparent scam” the attacker calls claiming to be a grandchild or other relative stranded abroad and in need of money. Because these attacks play on victims’ fears and ask for immediate action, they are often believable to those who are less tech savvy.

Baiting

“Aw sweet, free USB drive!”

The modern day Trojan horse. Have you ever found a USB on the ground and wondered what treasures it might hold? Or more likely, you’ve needed to access your email urgently and connected to a Wi-Fi hotspot you didn’t verify first. This attack is all about putting a carrot out and waiting for someone to take it. The USB is infected or a hacker is snooping your web traffic on their Wi-Fi. This is often seen online in the form of free music or movie download advertisements. These adverts will often ask that the victim create an account asking for personal information or the file itself is malware. Baiting is also being seen with phones via cell tower spoofing, meaning a third party could be looking at your call, text, and mobile data in real time without your being aware.

Protecting yourself

While these attacks seem complex and distinct, they all have commonalities based in simple deception. Awareness and vigilance will go a long way towards protecting yourself.

Phishing attacks can be combatted in a variety of ways:

  • Verify the source. If you receive a weird email, call the person who supposedly sent it and confirm it was them.
  • Did your bank email you to ask for updated details? Don't click the link in the email; type the bank's address yourself or use a bookmark you saved earlier (even search results can carry paid ads that lead to look-alike sites) and log in from there. Hovering over a link usually shows the real destination at the bottom of your browser, which makes it easier to spot an address that doesn't match the text.
  • Look for spelling errors or strange grammar. Mass-mailed scams are often riddled with them, and some researchers argue that attackers leave such mistakes in deliberately to weed out less gullible targets and save themselves effort. Targeted spear phishing, by contrast, is usually polished, so good grammar is not proof of a genuine message.
  • Distrust emails that demand immediate action. Urgency is the attacker's way of stopping you from checking; if something genuinely important is going on, you can confirm it by phone before you act.
  • A company who deals with you should know your name. Emails addressed to Dear Customer, Valued Client, etc. are likely fraudulent.
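The checks in this list, and the display-name spoof in the Pivotal example above, can be automated. The Python below is an added example, not code from the original post or from any product: it takes a raw email message and reports the signals a trained reader would look for, namely a display name that belongs to someone in your organization but an address that doesn't, a Reply-To pointing somewhere else, link text that shows one address while the href goes to another (the hover check), links to bare IP addresses or outside your domain, and urgency or sensitive-data wording. The two sample messages, the example.org domain and the known-senders directory are constructed for the example; the first is modelled on the Pivotal case, not the real message.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "example.org"                                 # assumed organisation domain
KNOWN_SENDERS = {"jane doe": "jane.doe@example.org"}       # constructed directory
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "today")
SENSITIVE_WORDS = ("w-2", "wire transfer", "gift card", "password", "social security")

# Constructed sample modelled on the Pivotal W-2 incident (not the real email).
PHISH_SAMPLE = """\
From: "Jane Doe" <jane.doe@example-mail.net>
Reply-To: ceo.office@another.example
To: payroll@example.org
Subject: URGENT: need every employee W-2 before 3pm today
Content-Type: text/html; charset="utf-8"

<p>I am in meetings all day. Please upload the W-2 forms for all staff here:
<a href="http://198.51.100.23/upload">https://hr.example.org/secure-upload</a></p>
"""

# Constructed benign message from the same person for comparison.
BENIGN_SAMPLE = """\
From: "Jane Doe" <jane.doe@example.org>
To: staff@example.org
Subject: Employee handbook updated
Content-Type: text/html; charset="utf-8"

<p>The handbook has a new section on travel. Read it at your convenience:
<a href="https://hr.example.org/handbook">employee handbook</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname if the link text itself looks like a URL or domain, else None."""
    if not re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_message(raw, our_domain=OUR_DOMAIN, known_senders=KNOWN_SENDERS):
    """Return a list of findings for a raw RFC 822 message; empty means nothing looked wrong."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    expected = known_senders.get(name.strip().lower())
    if expected and addr.lower() != expected:          # display-name spoofing
        findings.append(f'display name "{name}" belongs to {expected} but the address is {addr}')
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply_to} goes to a different domain than From ({from_domain})")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    links = LinkExtractor()
    links.feed(html)
    for href, text in links.links:
        target = (urlparse(href).hostname or "").lower()
        shown = host_of(text)
        if shown and shown.lower() != target:          # what hovering would reveal
            findings.append(f"link text shows {shown} but points to {target}")
        if is_ip_literal(target):
            findings.append(f"link points to a bare IP address {target}")
        elif target and not (target == our_domain or target.endswith("." + our_domain)):
            findings.append(f"link leaves our domain: {target}")
    haystack = (str(msg.get("Subject", "")) + " " + html).lower()
    for label, words in (("urgency", URGENCY_WORDS), ("sensitive data", SENSITIVE_WORDS)):
        hits = [w for w in words if w in haystack]
        if hits:
            findings.append(f"mentions {label}: {', '.join(hits)}")
    return findings


def is_suspicious(raw, threshold=2, **kwargs):
    """Two or more independent signals is a reasonable bar for holding a message for review."""
    return len(analyse_message(raw, **kwargs)) >= threshold


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, "->", analyse_message(sample) or "no findings")
```

None of these signals is conclusive on its own (executives do sometimes write urgent emails from personal addresses), which is why the script reports all of them and leaves the decision to a threshold rather than to any single rule.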

Pretexting is often difficult to spot right away, due to the creative nature of the act:

  • Being polite but suspicious will help. If something seems off, or someone seems too nosey, don’t be afraid to ask questions.
  • If a deal seems too good to be true, it probably is.
  • Whenever possible, verify odd requests from a third source. If your bank calls you to discuss your account but requires you to confirm personal information first, call them back with a known good number or visit in person at a local branch.  

Avoiding baiting attacks is relatively easy:

  • If you wouldn’t pick something up and put it in your mouth, don’t pick it up and put it in your computer!
  • Remember that nothing in life is free. If you are not paying for the product, then you are the product.

Lastly, while it won’t directly protect you, talk to your friends, family, and coworkers about the dangers of social engineering. Social engineering education doesn’t have to be formal to be effective.

With social engineering, you can’t avoid being a target, but you can avoid being a victim. Awareness and personal vigilance make all the difference.

Many nonprofits are nervous about their information security, and understandably so. Even large and well-financed organizations, such as the NSA, The White House, Target, Chase Bank, Home Depot, and Sony, have all been hacked. And if they can’t protect their data, even with their extensive resources and high-priced IT experts, how can a small nonprofit possibly protect its information?

A common sense approach is to first consider what risks your organization is most likely to face and then develop a plan to address them. This is called a risk analysis.

Assessing your data

The first step is to take a kind of inventory. Exactly what data do you have? Where is it located? Most importantly, how sensitive is the information?

List all of the different types of data by location. For example, if you have a donor management system, list everything it collects and stores: addresses, donations given, petitions signed, etc. Then, move on to your website and list everything stored on it.

Repeat this process for each location where your organization stores information, including Cloud-based storage. This will provide you with a comprehensive map of the data your organization collects.

Sticky notes are a helpful tool for this exercise. You could write each type of data onto a note that’s color-coded by system. This will make it easier when you begin sorting. If you prefer to see everything on one page, RoundTable Technology has created a spreadsheet template to use for this process.

Once you have inventoried all of your data, the next question is: How much do you care about it? What’s essential to your organization’s ability to function? What would risk your constituents’ well being or your organization’s reputation if it got out?

One helpful approach is to divide up the data you’ve listed into three categories:

  • Data you can’t lose
  • Data that can’t be exposed
  • Nonessential data

Examples of data you “can’t lose” might include the final files for a major project, templates and brand standards, or employee handbooks and manuals. Examples of data you “can’t expose” could be donor information, HR records, strategy documents, or payment information. You might even feel that some things are both “can’t expose” and “can’t lose.” That would indicate that those items are your highest priorities.

At the end of this sorting, you’ll probably have a few sticky notes left over. Those are likely to fall in the “nonessential” bucket. To be clear, the “nonessential data” category doesn’t mean that you should be careless with that data, just that you’re not going to place a high priority on securing it. For example, you may have put blog posts in the “nonessential” category because they don’t contain any sensitive or essential data. That doesn’t mean you shouldn’t take steps to protect your website content from being lost or vandalized.

Considering the risks

Once you’ve sorted out what you “can’t lose” and what “can’t be exposed,” the next step is to identify the risks your organization faces. Ask yourself:

  • What could happen to that data?
  • How likely is it that something would happen to it?
  • How bad would it be if something happened to it?

“What could happen?” is about imagining the various scenarios that would put your data at risk. Is it at risk in a fire? What if a computer was infected by ransomware—a malicious virus that encrypts your data until you pay a “ransom” for its release? Could data be picked up by a keystroke logger? The number of security risk scenarios is potentially huge, but here are a few of the most common:

  • Physical theft of equipment or printed files
  • Natural disaster
  • Improper disposal of equipment or printed files
  • Inappropriate use of software
  • Phishing (employees fooled into providing data)
  • Insecure mobile devices
  • Spying via software that tracks activity or keystrokes
  • Spying via WiFi connection
  • Hacking through remote access to your network
  • Vandalism through malicious viruses or adware
  • Ransomware
  • Denial of Service attacks (bots flooding your website with traffic and causing it to crash)
  • Social engineering (someone without authorization convincing authorized personnel to hand over information or access to systems)

More generally, these scenarios describe various ways your data can be lost, changed, misappropriated, made unavailable, or exposed.

How likely any of these are to happen is a little less straightforward. In most cases, the likelihood of any of these events occurring depends on the behaviors of your staff members. People who thoughtlessly click on links are going to significantly increase the risk of viruses and other malware. Other scenarios might depend on whether you’re likely to be singled out as a target—organizations that work on contentious issues are more likely to be vandalized or exposed. The outside perception that you handle a lot of money might also make you a target.

“How bad would it be if something happened?” is a trickier question because the consequences can be both tangible and subjective. For example, a breach that causes your organization to lose money from its bank account is easy to count and to characterize within the context of the overall budget. But if that breach is publicly known, how will attitudes about your organization change? Will people still trust you to take their donations? Will they continue to invest in your programs? And this is one of the more straightforward scenarios. How would you weigh the exposure of emails that outline your advocacy strategy? How bad is it if your donors’ names and home addresses are exposed?

Also, don’t forget to consider the possibility that old equipment and software can put you at risk. You might have tools that are rarely used and don’t contain much important information. Good candidates for the “nonessential data” pile, right? Probably, but that doesn’t mean you should ignore old technology. In fact, it may pose a bigger security risk than the tools you use everyday. If old software or equipment is connected to your network, it can be a weak link that provides a way in for hackers. If losing a piece of technology is no great loss, you should consider getting rid of it.

Managing an incident

A security incident can happen at any organization, not only because hackers are indiscriminate but also because human error is the most likely cause of data loss or exposure. It's not hard for someone to accidentally delete a file. And most of us are guilty of taking files home and working on them on machines or networks that are much less secure than what we use at work.

The policies and culture of your organization are important factors in preventing an incident. Every organization should have a written guide that outlines the steps it will need to take when a data breach or other kind of security incident occurs. In your guide, you’ll need to think through:

  • What mechanisms are in place to detect a security incident?
  • Who will document the events leading up to and immediately following when the breach was discovered?
  • Who will lead the response if a breach occurs?
  • Who will be part of the response team?
  • How will you respond to various scenarios?
  • How will your response team communicate with the rest of the organization?
  • How will your organization recover files or repair systems?
  • How will your organization communicate with your constituents (if necessary)?

Your incident response guide could be as simple as a list of a few of the most likely scenarios and bullet points outlining roles and responsibilities. What’s important is to have enough of a plan in place so that if something were to happen, you and your team aren’t left wondering what to do.

Data security can seem scary, but it doesn’t have to be. One way to reduce the stress and gain expertise is to establish a relationship with an IT consultant that has some background in security. However you choose to approach security, keep in mind that perfect security will never be possible, but every organization can take practical steps that will significantly reduce the chances of a major data breach.

Learn more

For insights into nonprofit data security, download Idealware's recent report: "What Nonprofits Need to Know About Security: A Practical Guide to Managing Risk."

As the grand finale to NTEN's first-ever Leading Change Summit, a number of intrepid 14LCS attendees pitched and developed 24 awe-inspiring projects during the Idea Accelerator.

The Idea Accelerator was designed by LimeRed Studio’s Emily Lonigro Boylan, Owner and Creative Director, and Demetrio Cardona Maguigad, Director of Strategic Design, who teamed up with NTEN to carry out the event.

The Summit may have ended, but many of these projects are only beginning. Today, we want to introduce you to “Nonprofit InfoSec” an idea pitched by Spencer Bolles.

What is Nonprofit InfoSec?
We are proposing a new entity that would work iteratively over time to fulfill four main purposes:

1. Provide educational and media resources for nonprofit organizations in order to raise awareness concerning the need for improving information security

2. Provide assessment tools that measure the current effectiveness of security controls and identify areas that are in need of enhancements according to a risk management framework

3. Match needs and projects to resources, including a directory of pro-bono information security professional volunteer consultants

4. Partner with corporate and private donor philanthropists and technology companies in order to fund and encourage NPO security projects

How did the idea get started?
Nonprofit organizations are increasingly at risk of attacks on their sensitive and private data and networks. We must find ways to collaboratively and creatively address the nonprofit information security gap as a community. We can work together to increase the security profiles of NPOs with the end result that we will defend organizations from attacks and prevent breach of data that ultimately distracts NPOs from their missions.

Who could use this?
IT leaders and staff involved with improving the information security of nonprofit organizations. Information security professionals working in the government and the private sector. Corporate philanthropists. Concerned citizens. Reassurance to donors and customers of nonprofit organizations that their data is safe with NPOs.

What does this project need?
We need collaboration with such organizations as TechSoup, NTEN, ISSA, SANS, State, and Federal Governments. Identifying others who are passionate about these ideas and plans and partner with them is also a priority. Another need is to start promoting these ideas and building resources within the Bay Area and Silicon Valley to test viability and then expand from there. We can consider a B Corporation model when there is sufficient momentum to sustain an entity and to promote this mission.

What’s next for this project?
Coaching, drafting a business plan, and finding partners and funders. We also need to build a collaborative network and found a B Corp.

Spencer Bolles is IT Director for Bay Area Community Resources.

Read more about the Idea Accelerator and pitched projects on NTEN’s blog.