Tag: password managers

Like all nonprofits, Tech Impact continually struggles to balance cybersecurity against cost, time, and user frustration. Unfortunately, there isn’t a lot of room for error! With access to hundreds of nonprofits’ systems, Tech Impact is an attractive target for criminals, activist hackers, and even government agencies. We take our mission seriously and put as much as we are able into securing our environments.

On the other hand, as security experts ourselves, we are quick to spot the difference between what “they say” you should do and what actually makes us more secure. In this post, I’ll share a subset of our security practices so that you too can do more than check the box.

Policies

You’ve heard it before (probably from us) but having written policies is an essential part of any cybersecurity strategy. The trick is to have a specific goal in mind for every policy and to keep the document itself short and to the point. Here are some of the goals and policies that your organization should likely have:

Goal | Policy
---- | ------
Be able to hold staff accountable if they use systems or computers in an inappropriate way | Acceptable Use Policy
Educate staff about how to store and share sensitive information | Data Sharing & Storage Policy
Make sure risky data isn’t kept forever | Retention Policy
Educate staff about how to create, manage, and share passwords | Password Policy
Ensure staff understand the potential ramifications (wiping devices if staff leave) of using a personal device for work activities | Bring Your Own Device Policy
Prevent staff from transferring money or data based on impersonated emails | Approval Process for Bank & HR Data Transfer
Limit the number of administrators in our systems | Administrative Access Policy

One goal of our policies is to allow us to discipline staff who won’t take security seriously. But generally speaking, we don’t expect our policies to guarantee that our staff stays safe. Instead, we use them to educate staff about how to be safe using the tools available to them.

Training

To get staff to actually behave safely, we rely much more on training and awareness. Being secure means making the right decisions dozens of times a day. Every time we email a client or share a file, we have to evaluate the risk and take appropriate safety measures. The high frequency of these decisions means that we can’t expect our staff to look up and follow complex policies.

Instead, we teach folks regularly about who might want to attack us, why those attackers are interested in us, and how those attacks are likely to happen. By educating about our actual threats instead of imagined or possible risks, we keep our staff paying attention. That’s why we focus on password strength, phishing attacks, and impersonation attacks and not on protecting against NSA EMF monitoring.

At Tech Impact, our learning culture doesn’t lend itself to formal training. Besides some mandatory training for staff dealing with sensitive data (like HIPAA-regulated data), we mostly don’t force our staff to sit down for training. Instead, we regularly send emails and chat messages to the team with information about attacks we have intercepted or articles that seem relevant. This constant drip of information keeps folks on their toes.

One formal approach we do recommend is to use a third-party phishing penetration service like KnowBe4. Using the service, you can send your staff simulated phishing emails. Folks who fail the tests (by handing over their username and password) can be required to complete additional security training.

Escalation

Between our policies and constant communication, our staff is definitely paying attention! But paying attention isn’t enough by itself if folks don’t know what to do when they encounter something suspicious. At Tech Impact we’re lucky to have a resident security team. Our staff has been trained to forward emails or send questions to the team anytime they are worried about something that came in. By making it easy to report an issue and get help, we have dramatically increased engagement and often prevent staff from taking risky action.

For your organization, this might mean sending one person to security training, or it might mean sending questions to your support provider. However you approach this, make sure to keep a record of the kinds of questions and issues that come in so that you can identify trends and create better training.

Technology

Only now is it worth talking about technology. In truth, technology is important but not enough. Staff and attackers will always find a way to get around anything you put in place. Your best bet (at least for organizations that aren’t facing activist hackers or hostile governments) is to focus on policies, training, and escalation.

But if you’ve handled the basics, or if you are at particular risk, technology can absolutely help your organization stay safe. There are lots of resources out there about cybersecurity technology, so I’m not going to reinvent the wheel. But I will share with you some of the tools that we use. Note that this is only a portion of the technologies we use at Tech Impact to stay safe.

For Everyone

Some of the cybersecurity tools we use are foundational and should be used by every single nonprofit out there. Nothing listed here is particularly complicated or expensive, so don’t wait!

  • Software Updates & Anti-Malware: You should know this by now, but most malware-based attacks use known issues that have already been patched. Keeping your computers up to date and using Anti-Malware software is a foundational need for every nonprofit.
  • Multi-Factor Authentication (MFA): The single most effective thing you can do to keep your organization safe from account compromise. In addition to a username and password, your staff uses a separate code from an app or SMS text message to log into systems. This will almost eliminate the risk of phishing attacks.
  • Single Sign-On: Use Office 365, Google Apps, Okta, or another cloud identity provider to let your users log into all your systems with a single username and password. This enables you to enforce MFA across all your tools and lock all accounts down from one place. Any software you’re using that supports the SAML standard can be integrated for Single Sign-On.
  • Device Encryption: Encrypt your devices so that no one can read data off them even if they are lost or stolen. This is free and easy for Android, iOS, Mac OS, and most Windows computers!

For Many

For organizations that have some compliance needs (HIPAA, etc.) or are dealing with otherwise sensitive information, there are some basic tools that can make a big difference without a considerable cost.

  • End-to-End Encrypted Email: Allows you to send social security numbers, healthcare information, passwords, and other sensitive information via email. You send a standard email, but recipients get a simple email with instructions to use a secure web portal to respond.
  • Data Loss Prevention (DLP) Scanning: Scans outbound email, shared files, or files stored in semi-public locations for sensitive information like social security numbers or bank account information. This is an essential backup to your policies educating folks on how to safely store and transmit data.
  • Device Management: Lets you monitor devices remotely and make sure that they are kept up-to-date, encrypted, and secure. It also allows you to wipe them remotely if they are lost or stolen.

For a Few

There are a lot of things we do at Tech Impact because we are at high risk. These aren’t things I would recommend for everyone.

  • Conditional Access: Prevent devices from downloading files or syncing data if they aren’t enrolled in your device management platform. This keeps the staff from saving data to devices that aren’t encrypted or that you don’t own.
  • Advanced Multi-Factor Authentication: Text-message based multi-factor authentication is not secure against a determined hacker. We use code-based MFA from our mobile phones and are exploring U2F and certificate-based MFA to make ourselves even more secure.
  • Centralized Log Analysis: We send all of our logs to a system that looks for unusual behavior. If someone logs in from an unusual location or downloads more files than usual, our security team gets an alert and can investigate.
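The two alert rules named in the last bullet (a login from a location the user has never used, and a download volume far above the user’s norm) can be expressed in a few lines. This is an added example, not Tech Impact’s own tooling; the event format and the thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events in time order: (user, kind, value). For a "login"
# the value is the country code reported by the identity provider; for a
# "download" it is the number of files fetched in that session.
EVENTS = [
    ("alice", "login", "US"), ("alice", "download", 12),
    ("alice", "login", "US"), ("alice", "download", 15),
    ("alice", "login", "US"), ("alice", "download", 9),
    ("alice", "login", "RO"), ("alice", "download", 480),
    ("bob", "login", "US"), ("bob", "download", 40),
    ("bob", "login", "CA"), ("bob", "download", 35),
    ("bob", "login", "CA"), ("bob", "download", 44),
]

def find_alerts(events, min_history=3, ratio=5.0):
    """Walk events in order, judging each one against the user's own history.

    new_location fires for a login country the user has never used, but only
    once the user has at least `min_history` earlier logins (so a brand-new
    account does not alert on its second sign-in). download_spike fires when
    a download count exceeds `ratio` times the user's running average.
    """
    prior_logins = defaultdict(list)     # user -> countries seen so far
    prior_downloads = defaultdict(list)  # user -> file counts seen so far
    alerts = []
    for user, kind, value in events:
        if kind == "login":
            seen = prior_logins[user]
            if len(seen) >= min_history and value not in seen:
                alerts.append((user, "new_location", value))
            seen.append(value)
        elif kind == "download":
            hist = prior_downloads[user]
            if hist and value > ratio * mean(hist):
                alerts.append((user, "download_spike", value))
            hist.append(value)
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print("ALERT", alert)
```

Lowering `min_history` to 1 makes Bob’s first Canadian login alert too, which is the usual trade-off between catching a compromise early and paging the team about travel.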

Wrapping Up

As a technology nonprofit, we know that there are limits to what technology can do to keep us safe. That’s why we use this multi-layered approach that includes policies, education, escalation, and technology. Staying safe is a constant balancing act, and it’s important to remember that some action is always better than no action.

We’re mapping the nonprofit cybersecurity landscape—and we need your help.

NTEN, in partnership with Microsoft, has produced the first State of Nonprofit Cybersecurity Survey, which asks nonprofits what steps they’re taking to protect their organizations and clients.

Your answers to these questions will help us understand:

  • the policies and procedures your nonprofit has for who and how people can access your systems,
  • to what extent nonprofits are using technology to protect their systems,
  • what kind of training is offered to nonprofit staff, and
  • how the way nonprofits operate contributes to cybersecurity vulnerabilities.

Your contributions will be anonymized and used in aggregate to produce this landmark report, to be released this fall. Organizations like NTEN will use this data to inform their training and support programs, so we can help the sector better protect its systems and the data our clients have entrusted us with.

And you don’t have to be technology staff to take the survey! If your organization doesn’t have an IT team, we still want to hear from you.

The survey will take about 10 minutes to complete, and participants can elect to enter to win a registration to the Nonprofit Technology Conference or an NTEN course of their choice.

Take the survey today.


Back in 2012, we implemented an organization-wide password manager here at NTEN, finally replacing our comically insecure “Shared Passwords” document, and the all-too-common practice of reusing the same password across a variety of different sites.

The idea of using a password manager had been on our radar for several months, but we had any number of excuses for why “now” wasn’t the right time:

  • We’ve never had issues with our “Shared Password” document to this point.
  • No hacker wants access to our accounts as a small nonprofit, so “admin” is a fine password to keep using everywhere.
  • There are a lot of reports saying password managers themselves can be insecure.
  • We already have too many systems, so I don’t want to force staff to learn yet another one.
  • We’re too busy right now, so maybe we can implement this next year.

While some of these ideas may have contained grains of truth (e.g. password managers aren’t a perfect defense), they all quickly fell flat once we’d experienced the time-saving and security benefits of using a password manager.

Five years later, it’s not exaggerating to say this change may be the most significant stress-reducing and time-saving policy I’ve ever put in place at NTEN since I started working here more than 10 years ago.

Step 1: Make the decision

If you’re not part of the leadership team, you’ll need to convince someone who is to help you champion this project. Figure out who that person will be, and make sure they’re on board.

Step 2: Pick the right password manager

Security experts can’t agree on which password manager is the “best,” so as a non-security expert I’m in no position to help you with that decision. That said, as long as you pick a tool that’s well established, well reviewed, and has a history of being transparent and quickly fixing any security holes, you can’t really make a bad choice.

The other thing that will help is figuring out any must-have features that may be unique to certain tools. Your budget may be another factor depending on your needs. Many of the most popular tools do offer free versions, but proper implementation for your nonprofit may require a paid Pro or Enterprise license.

Here are a few features I wouldn’t have known to look for initially, but have proved quite valuable over the years:

  • Ability for the administrator to:
    • set specific security policies to meet your org’s needs (e.g. password length, multi-factor authentication, remember me settings)
    • take over a user’s account and remove access to shared passwords when an employee leaves
    • reset a user’s master password if needed
  • Shared folders or security groups to easily manage who can access specific shared accounts
  • Ability for staff to link a personal account to the organization’s account to improve workflow, but without mixing personal data with the organization’s data (since once staff see the benefits at work, they’ll likely want to start managing their personal accounts the same way).

Step 3: Create an implementation plan

Once you’ve decided on a tool, the next step is to create a plan for launching this tool across your organization. This is where having the champion you found in Step 1 will be helpful.

You’ll need a detailed implementation plan that documents the on-boarding process for users, organization-specific policies for how to use the tool, a migration plan to bring all your existing accounts into the tool, and finally, a plan to purge all your old, insecure passwords and replace them with secure, unique passwords.

Testing out the tool yourself is a great help in creating this plan. While you should make it as detailed and complete as possible, keep in mind that it’s a first draft and will almost certainly require substantial revisions after the next step.

Step 4: Do a trial implementation with a small team

There’s no quicker way to sour your co-workers on a new system than a poorly delivered implementation. If a new tool adds to their stress or workload, as soon as you turn your back, they’re going to stop using it and go back to what they know.

To avoid this potential landmine during NTEN’s implementation, I chose a small group of trusted staff members to help test out my plan prior to the big launch. This exercise helped me identify and fix several incomplete or rocky patches in my plan. Perhaps more importantly, it also created a committed group of converted staff that were able to help answer questions and train other staff later.

Step 5: Launch it to the whole organization

Now that you have your revised and improved plan in place, along with a small team of staff eager to see this new tool implemented, you’re ready for the official launch. There are sure to still be unanticipated bumps in the road, but as long as you have the right people on board and have carved out the time to make sure everyone is trained effectively, your coworkers should quickly start seeing the benefits of the new tool.

This is where all the work you’ve done is rewarded, often with glowing smiles and relieved sighs emanating across the office as users realize the burden of remembering countless passwords has been lifted, and that their accounts are actually going to be significantly more secure.

Step 6: Provide continued training and improvement

Bask in the joy of accomplishment for a few minutes, but then get back to work. While it may seem like everything is safe, easy, and wonderful after implementation, it’s critical you don’t become indifferent to the risks that still exist. In reality your users are all going to have different levels of adoption, and your organization is only as safe as your least secure user.

To combat this, most password management services have tools you can use to monitor how secure each user’s account is (e.g. master password strength, reused passwords, multi-factor authentication usage), so you can use those to identify and follow up with any users who seem to be falling behind the curve.
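If your password manager’s built-in reporting does not cover a signal you care about, the same checks (reused passwords, short passwords, MFA not enabled) can be run over a vault export. This is an added example, not any product’s own report; the export columns are assumptions and the rows are constructed. Secrets are grouped by a hash fingerprint so the findings can be shared without the passwords themselves.

```python
import hashlib
from collections import defaultdict

# Constructed export rows: (owner, site, password, mfa_enabled).
# A real export holds live secrets: run this inside the vault, never log rows.
VAULT_ROWS = [
    ("dana", "crm.example.org", "Tr0ub4dor&3", True),
    ("dana", "bank.example.com", "Tr0ub4dor&3", True),
    ("dana", "mail.example.org", "cNpsn9-kQ2w-7vXe-HpR4", True),
    ("eli", "crm.example.org", "admin", False),
    ("eli", "wiki.example.org", "admin", False),
    ("eli", "mail.example.org", "admin", False),
    ("fay", "mail.example.org", "Lq8r-3vMw-Zp2n-Hd9K-x7Qe", True),
]

def fingerprint(secret):
    """Non-reversible handle used only to group identical passwords."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def audit(rows, min_length=16):
    """Return {owner: [finding, ...]} for the signals named in the text.

    Reuse is counted across distinct sites, so the same credential stored
    twice for one site is not a finding, while the same password on two
    different sites is, whoever owns the entries.
    """
    findings = defaultdict(list)
    sites_by_fp = defaultdict(set)
    owners_by_fp = defaultdict(set)
    for owner, site, secret, mfa in rows:
        fp = fingerprint(secret)
        sites_by_fp[fp].add(site)
        owners_by_fp[fp].add(owner)
        if len(secret) < min_length:
            findings[owner].append(f"short password on {site}")
        if not mfa:
            findings[owner].append(f"MFA off on {site}")
    for fp, sites in sites_by_fp.items():
        if len(sites) > 1:
            for owner in owners_by_fp[fp]:
                findings[owner].append(f"password {fp} reused on {len(sites)} sites")
    return dict(findings)

if __name__ == "__main__":
    for owner, items in sorted(audit(VAULT_ROWS).items()):
        print(owner, "->", "; ".join(items))
```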

You’ll also need to keep your policies up to date to match new needs or discovered security risks, and offer routine refresher trainings to staff. For example, I’m pondering removing the mandatory password change requirement from our policy and replacing it with mandatory multi-factor authentication. And don’t forget to keep staff trained about related risks like phishing and baiting.

Conclusion

If you’ve read this far, but still haven’t made the decision to implement a password management system for your organization, please make that decision now.

Seriously though, whenever I read a “password best practices” type of article and their first piece of advice isn’t to use a password manager (which surprisingly is the majority of them), I cringe a little for anyone who’s still attempting to follow all those oft-repeated rules on their own (such as using a passphrase, changing your passwords every 30/60/90 days, or using a combination of letters, numbers, and symbols).

Those rules all still make sense of course, but in 2017—when we all have hundreds of different accounts across the internet—it’s impossible for any mere mortal to actually follow all those rules to the letter without a password manager.