Not-for-profit organizations face numerous risks, and in the information age, the threat to online security is becoming more and more prevalent. Per Symantec Corporation’s “Internet Security Threat Report 2013”, traditional threats are expanding into new forums such as social media and mobile devices, with an approximate 42% increase in targeted attacks noted in 2012. Particularly relevant for not-for-profit organizations is the fact that 31% of overall targeted attacks were against companies and organizations with fewer than 250 employees, up from 18% in 2011. Not-for-profit organizations can no longer assume that based on their size, they would not be a target for attackers.
The negative repercussions of a cyber attack are numerous, from negative publicity for the organization to exposure of sensitive donor, customer, and organizational information to actual theft of organization assets. As such, organizations need to ensure that appropriate information technology policies and procedures are in place to mitigate these risks. Some of the best ways to prevent a cyber attack include:
Ensuring there is depth in an organization’s IT defenses. An organization cannot rely on just one specific technology or protection method – a combination of gateway antivirus, intrusion detection and prevention systems, and Web security gateway solutions throughout the network provide the best defense.
Playing offense. Antivirus software has proven to not be enough. Behavior blocking and scheduled file scanning should be used to help identify malware that has avoided the organization’s preventative defense mechanisms.
Protecting your organization’s website. Consider additional security measures, such as “Always On SSL” to encrypt visitors’ interactions with your site across the whole site, not just on the checkout or sign-up pages. Also, run vulnerability and malware scanning tools on your websites to proactively detect problems promptly.
Being aggressive in updating software. Review your patching process for any potential improvements to keep up with the pace of emerging technology. Keeping software up to date and applying patches as soon as they are available will address weaknesses and vulnerabilities in the software, particularly in software with a higher increase in recent attacks such as automated scripting and animation software. An automated process for patch deployment is most efficient and effective.
Educating employees. Good training, as well as strong IT policies and procedures, can reduce the risk of accidental data loss and other insider risks. Make sure these policies and procedures encompass both computer and mobile device use. Annual written acknowledgement by employees of their receipt and review of these policies is a best practice.
Addressing the possibility of data loss from malicious users or software. Consider the use of data loss protection software on your network to identify and block sources of data loss or exfiltration.
As the world becomes more connected through personal devices such as tablets and smartphones for both personal and work purposes, organizations can lose sight of their network’s borders. These devices present another gateway for potential attackers that employers may not have as much control over as their own internal systems. Organizations should consider the access they provide employees on mobile devices and whether those devices have appropriate security features such as encryption, access control, and manageability. Organizations should consider installing security software on these mobile devices.
Another area of access gaining popularity is the use of cloud computing. Given the benefits provided by using a cloud such as resilient, secured, and backed up systems, more companies and organizations are moving away from storing data internally. This, however, triggers new security challenges, particularly with regards to who has access to the information stored in an application where many other companies and organizations also store their data. Organizations should understand who has access to their organizational data and how this data can be extracted and recovered at a later date. Organizations should request a SOC (Service Organization Control) report over areas such as security and confidentiality from both their cloud provider and data center host. Review of these SOC reports can identify any potential security concerns an organization should consider before selecting their providers. Additionally, organizations must be very conscious that a massive storage application with a large amount of data might be more attractive to an attacker than an individual organization.
As cloud computing gains popularity, there is also a risk that employees might utilize systems not approved by the organization, such as free online file-sharing applications or social networking sites, to transfer sensitive organizational information. Not-for-profits should evaluate policies in place regarding employee access to non-company approved software and social media sites, including the amount of sensitive information that can be disclosed online.
Unfortunately many organizations don’t know their weaknesses until a cyber attack or data loss occurs. Therefore, in addition to installing the appropriate countermeasures, it is best to plan ahead and have a separate plan for incident response, for escalation, for communication, and ultimately for recovery (if needed) in place in the event an attack does occur. Although the speed of technology development will continue to provide challenges in an organization’s IT security, by being vigilant, an organization can work to defend itself from potential IT security breaches.
Under U.S. Treasury Department guidelines, we hereby inform you that any tax advice contained in this communication is not intended or written to be used, and cannot be used by you for the purpose of avoiding penalties that may be imposed on you by the Internal Revenue Service, or for the purpose of promoting, marketing or recommending to another party any transaction or matter addressed within this tax advice. Further, RubinBrown LLP imposes no limitation on any recipient of this tax advice on the disclosure of the tax treatment or tax strategies or tax structuring described herein.
All Not-For-Profit News Not-For-Profit Overview