Why cyberdefenses are worth the cost
These tips can help not-for-profits and other organizations minimize the risk of potentially devastating data breaches.
By Mark Shelhart
Yes, all organizations are vulnerable, and yes, you've heard the warnings that it's likely only a matter of time before a data breach happens at your organization. But how do data breaches apply to not-for-profit (NFP) organizations? Why would anyone want to target an NFP?
The primary motivation for today's attacks is to acquire information and money. Every new person a hacker can identify can be a new victim or opportunity, and NFPs possess information about donors that may be very useful to hackers. Some in the health care sector, such as hospitals, have electronic health records (EHR) that may be worth more than $1,000 each (i.e., the EHR for one person) on the black market, according to a 2017 Forbes article.
NFPs host an array of potentially valuable information, from donor lists and profiles to employee and client files containing Social Security numbers and other sensitive data. Even if your organization is 90% volunteers and consists of little more than a tent-based medical camp, attackers realize that you likely have data and funds they can target. On the other hand, your organization might be a large, well-established NFP. Perhaps you have an IT staff that supports computers for hundreds of other staffers across multiple sites. Regardless of the size or sophistication of the organization, an NFP that falls victim to a ransomware attack might prefer to pay an attacker instead of having operations paralyzed for any amount of time and perhaps damaging its reputation.
A lack of IT resources devoted to cybersecurity can make NFPs appealing to hackers. But regardless of the type or size of your organization, you can choose from multiple options to enhance your security against attacks. These tips can help any organization guard valuable systems and data.
TRAIN USERS ON SECURITY PRACTICES
Educate your employees regularly about new attacks and risks. You can provide this education in many ways, including online training (perhaps through a company intranet) or written documentation provided in a simple, user-friendly format.
Consider monitoring the news for security incidents and passing along those articles to your staff. Staying informed about recent attacks can be a great form of defense.
It doesn't cost much to warn users against opening malicious files and clicking on links. To prevent wire or Automated Clearing House (ACH) fraud, educate employees on when to be suspicious of certain messages or email addresses.
Management support goes hand-in-hand with security awareness training. Employees should be able to contact their superior and ask, "Are we sure about this?" or "Is this real?" without any fear of reprimand. Management must emphasize that missing a deadline to get confirmation from a superior is better than taking the risk of sending money to the wrong person.
It's also important to have a process in place that allows an employee to get confirmation from a superior absent the use of a computer. For example, if the CFO sends an email requesting to wire $10,000 to a specific account, the employee should call, not email, the CFO for confirmation. Walking to the CFO's desk may even be the best course of action. If attackers have access to your systems, they may be able to read and respond to the CFO's emails and allow the fraud to occur.
If an employee clicks on a bad link or gets a virus on his or her computer, does the employee feel that reporting it could endanger his or her job? Help your employees feel comfortable about discussing mistakes and understanding what happens when they report an incident. Emphasize the importance of doing so immediately.
Also understand that this sort of training is not "one and done." Training should be ongoing and periodically refreshed because everyone needs at least a gentle reminder now and then.
CREATE AND TEST SYSTEM BACKUPS
Backup is a key component of mitigating a ransomware attack. Data backups should match the recovery time objective (RTO) and recovery point objective (RPO) defined in your organization's disaster recovery plan.
Backing up systems nightly gives you the ability to restore a system to its state from the day before a breach, and in the case of a ransomware attack, you may be able to ignore an attacker's demands and maintain business as usual for the most part.
Your systems should be backed up every day, and some organizations may wish to back up systems more frequently. For example, some organizations are transaction-heavy, and losing an entire day of data entry could be problematic. Today's backup technologies afford organizations the flexibility to back up data using multiple methodologies over varied time periods to many locations, whether in-house, to an alternate location, or online (cloud).
Simply making backups of your systems and data is not enough, however. System backups should be tested periodically by doing a system restore. A good exercise would be to ask your IT team when was the last time that they tried to restore something from a backup. It's a mistake to just assume that the "green checkmark" showing in the backup software is reliable. Your team should take the time to test your restore process often, perhaps quarterly, even if it's just for a single server. Additionally, if a test restore is being done for a critical application, it is usually best to have users test the application after the restore to ensure there is no database corruption and the required data exist.
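The following is an added example, not code from the article or its author, of what a restore test looks like when it is automated rather than read off the backup software's "green checkmark". It backs up a small set of constructed sample files, restores them to a separate location, and compares every restored file against a SHA-256 manifest taken at backup time. A second run deliberately truncates the archive to show that a backup job that reported success can still fail the restore drill. The file names, contents, and directory layout are all constructed for the example.

```python
import hashlib
import os
import tarfile
import tempfile

# Constructed sample files standing in for a server's data directory.
SAMPLE_FILES = {
    "donors/list.csv": b"id,name,email\n1,Alice,alice@example.org\n",
    "finance/ledger.txt": b"2024-01-15 gift 250.00\n",
    "hr/handbook.txt": b"Report suspicious email immediately.\n",
}


def write_sample_data(root):
    """Populate root with the constructed sample files."""
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                result[rel] = hashlib.sha256(f.read()).hexdigest()
    return result


def create_backup(root, archive_path):
    """Write a gzip tar of root and return the manifest of what was backed up.
    Returning without error here is the 'green checkmark' the text warns about."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                tar.add(full, arcname=os.path.relpath(full, root))
    return manifest(root)


def restore_backup(archive_path, target):
    """Extract the archive into target, as a real restore would."""
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Newer Pythons: refuse absolute paths and path traversal in the archive.
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def verify_restore(archive_path, expected, target):
    """Restore, then compare file by file against the backup-time manifest.
    Returns (ok, problems); problems lists missing or altered files."""
    restore_backup(archive_path, target)
    actual = manifest(target)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append("missing: " + rel)
        elif actual[rel] != digest:
            problems.append("altered: " + rel)
    return (not problems, problems)


def run_restore_drill(corrupt=False):
    """End-to-end drill: back up, optionally damage the archive, restore, verify."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "live")
        os.makedirs(src)
        write_sample_data(src)
        archive = os.path.join(work, "nightly.tar.gz")
        expected = create_backup(src, archive)
        if corrupt:
            # Simulate a backup that "succeeded" but is unusable: truncate the file.
            with open(archive, "r+b") as f:
                f.truncate(os.path.getsize(archive) // 2)
        restore_dir = os.path.join(work, "restore")
        os.makedirs(restore_dir)
        try:
            return verify_restore(archive, expected, restore_dir)
        except (tarfile.TarError, EOFError, OSError) as exc:
            return (False, ["restore failed: " + str(exc)])


if __name__ == "__main__":
    print("healthy backup:", run_restore_drill())
    print("damaged backup:", run_restore_drill(corrupt=True))
```

For a critical application the same idea extends past file hashes: after the restore, have users open the application and confirm that the records they expect are present, since a byte-identical database file can still hold a corrupted database if the backup was taken mid-write.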
PRIORITIZE ANTI-VIRUS AND PATCHING
Make it a top priority to install and run anti-virus software on all of your systems and apply all security patches in a timely manner. While anti-virus software is important, it is worth considering additional layers of protection, including a new breed of anti-virus applications called automated endpoint protection, which is part of an overall advanced threat protection methodology. You may also consider having multiple anti-virus applications running at the same time to cast a wider net.
It's important to understand that you cannot settle for 99% anti-virus coverage. Every computer in your organization should have anti-virus software installed. Computers without it should not be allowed on your network.
Anti-virus products do come at a price, but you can't afford to not have them running on your computers. When you consider the cost of a breach, anti-virus products seem quite affordable. If you are concerned about the price of anti-virus software for all of your organization's computers, companies such as TechSoup (techsoup.org) offer discounts for qualifying not-for-profits.
IMPLEMENT NETWORK SEGMENTATION
Segmenting your network is your best defense against a hacker moving through your environment, as would occur in a lateral movement breach. Segmentation involves implementing certain controls (e.g., firewall rules and access control lists) to divide up your environment and prevent certain networks from being able to access others.
In implementing segmentation, it's important to consider which groups need access to which systems and data. Should volunteers and HR be on the same network? Should sensitive accounting data be on the same computer as marketing collateral? Separating by job function can save your organization from a breach, or at least limit the type of data that is exposed should a breach occur.
In addition, it is too dangerous to run old or unpatched systems and software. Systems and software that are "end-of-life" no longer receive security updates from their vendors, meaning they can't be updated to protect against the latest threats. For example, Windows XP should not be allowed on your machines or in your network, no matter the circumstance. Even Windows 7 in some circumstances may not provide the level of security your organization needs.
No matter the platform, you need to apply security patches as quickly as possible. Do you have a vendor who says it can't apply a security patch to its computer on your network? You may need to consider changing vendors or, at the very least, giving that computer its own isolated network to prevent lateral movement in the case of an attack.
RESEARCH CYBER INSURANCE
Do you already have cyber insurance? Don't just assume it's on your general policy. Make it a priority to ask your agent. While this isn't preventive, it's something your organization should be looking into, as it can help you cover and recoup costs if an incident occurs.
When setting up a cyber insurance policy, you will want to inform your insurance company of which service providers you would use if you needed help with a breach (e.g., incident response/cybersecurity firms, lawyers, PR firms). It's worth mentioning that you can specify which law firm you want to use if you give the insurance company prior notice. If you don't preselect a law firm, your insurance company may assign someone to work with you.
When you are trying to frantically respond to and contain an incident, you don't want to be meeting new business partners, especially one as important as your legal counsel. Another important issue around cyber insurance is to know specifically what constitutes a breach in your organization and what constitutes restitution.
CREATE A WRITTEN INCIDENT RESPONSE PLAN
A written incident response plan can help an organization decrease the impact of a breach if it occurs. The organization's leadership and the board should approve a breach response plan in advance, and all relevant personnel should be trained on how the plan requires them to respond in the event of a breach.
The plan also may include the contact information for an incident response/cybersecurity firm that would be the organization's preapproved consultant if a breach occurs. In the case of a ransomware attack, the cybersecurity firm may help you decide if your organization would pay the ransom or try to find another course of action.
Finally, the response plan may contain information on which law enforcement agencies or regulators the organization would contact in the event of a breach. Even after the breach is over, your plan should help you prepare for media inquiries and breach notifications to regulators, consumers whose data may have been stolen, and other affected businesses, in compliance with legal requirements.
If you have IT staff, part of their weekly duties should include reviewing logs. The logs might be from firewalls, anti-virus programs, or any number of other systems.
Even though performing log review may not equate to identifying a breach within moments of its happening, it may help stop a breach more quickly.
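Here is an added example, not from the article, of the kind of weekly log review the text describes, tied to the segmentation advice above (including the isolated network for a vendor machine that cannot be patched). It parses a constructed, simplified firewall log format (not any real vendor's), maps each address to a segment, and reports two things a reviewer looks for: accepted connections that cross a segment boundary the policy does not allow, and hosts that rack up repeated denies. The subnets, segment names, policy table, and log lines are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed firewall log lines: "<timestamp> action=<ACCEPT|DENY> src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2024-03-04T02:11:05Z action=ACCEPT src=10.30.0.7 dst=10.30.0.20 dport=443
2024-03-04T02:11:09Z action=DENY src=10.40.0.5 dst=10.10.0.12 dport=445
2024-03-04T02:11:10Z action=DENY src=10.40.0.5 dst=10.10.0.13 dport=445
2024-03-04T02:11:11Z action=DENY src=10.40.0.5 dst=10.10.0.14 dport=445
2024-03-04T02:11:12Z action=ACCEPT src=10.40.0.5 dst=10.20.0.9 dport=3389
2024-03-04T02:12:40Z action=ACCEPT src=10.20.0.9 dst=10.10.0.12 dport=443
not a firewall line at all
"""

# Constructed segments: one subnet per job function, plus the isolated vendor box.
SEGMENTS = {
    "finance": ipaddress.ip_network("10.10.0.0/24"),
    "hr": ipaddress.ip_network("10.20.0.0/24"),
    "volunteers": ipaddress.ip_network("10.30.0.0/24"),
    "vendor_isolated": ipaddress.ip_network("10.40.0.0/24"),
}

# Constructed policy: which destination segments each source segment may reach.
ALLOWED = {
    "finance": {"finance"},
    "hr": {"hr", "finance"},                 # e.g. HR uses a payroll system in finance
    "volunteers": {"volunteers"},
    "vendor_isolated": {"vendor_isolated"},  # the unpatchable vendor machine stays alone
}

LINE_RE = re.compile(
    r"action=(?P<action>ACCEPT|DENY) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def segment_of(ip):
    """Name the segment an address belongs to, or 'unknown' if it matches none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        event = m.groupdict()
        event["timestamp"] = line.split()[0]
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def review(log_text, deny_threshold=3):
    """Return a list of findings for a reviewer to look at."""
    findings = []
    denies = Counter()
    for e in parse(log_text):
        src_seg, dst_seg = segment_of(e["src"]), segment_of(e["dst"])
        if e["action"] == "ACCEPT" and dst_seg not in ALLOWED.get(src_seg, set()):
            # The firewall let this through, but the written policy says it should not.
            findings.append({"type": "policy_violation", "src": e["src"], "src_segment": src_seg,
                             "dst": e["dst"], "dst_segment": dst_seg, "dport": e["dport"],
                             "timestamp": e["timestamp"]})
        elif e["action"] == "DENY":
            denies[e["src"]] += 1
    for src, count in denies.items():
        if count >= deny_threshold:
            # Many blocked attempts from one host deserve a look even though nothing got through.
            findings.append({"type": "repeated_denies", "src": src,
                             "src_segment": segment_of(src), "count": count})
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Two design points: a policy violation is reported on an ACCEPT line, because that is the case where the firewall rules and the written segmentation plan disagree and a rule needs fixing; and the deny threshold is deliberately a parameter, since the right number depends on how noisy a given network normally is.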
While NFPs may not always possess an abundance of resources to devote to cybersecurity, following these tips can provide protection at a reasonable cost.