As more and more companies and people use and rely on technology, cybercriminals have become more sophisticated, and cyberattacks have been on the rise. According to Cybercrime Magazine, the cost of cybercrime is projected to rise from $6T in 2021 to $10.5T in 2025. As we enter 2023, here are some preventative measures that you can take to better protect your organization from potential attacks:
Use VPNs for Remote Access
A great way to add an extra layer of protection to your nonprofit is by requiring all remote employees to use a VPN (Virtual Private Network) when accessing internal applications and data from off-site. A VPN encrypts your internet traffic and disguises your online identity. This makes it more difficult for cybercriminals to track your activities online and steal data. VPNs can also be used to create a single shared network across multiple locations. This means that if your nonprofit has two offices, both can use the same shared network system.
Implement Multi-Factor Authentication
A system that uses single-factor authentication only requires the employee to provide a username and a password to gain access. The problem with single-factor authentication systems is that their level of protection depends solely on how secure an employee’s password is. Strong access security controls, such as using passphrases for authentication or enforcing strict password guidelines, can help ensure employees are using strong passwords. Still, there is a limit to how secure the system can be. A system that uses two-factor authentication is more secure than one using single-factor authentication because it requires an additional form of authentication to access it. If you have ever used a system that required you to verify your identity by inputting a code that was texted or emailed to you, then you have accessed a system using two-factor authentication. A system that uses multi-factor authentication requires a minimum of two forms of verification to access it. The more factors required to access the system, the more secure it is. However, it is important to make sure that there are not so many authentication factors required that it impedes employees from being able to do their job.
Implement a Robust Data Back-up Process
When it comes to protecting your information, we can only ever minimize the risk, not eliminate it completely. It is important that you are prepared should something go wrong. A good way to ensure that an attack does not become catastrophic to your organization is by ensuring that you have automated processes for backing up your organization’s data and that those backups are being tested regularly to ensure they are not corrupt. Having a recoverable backup of your data can minimize the downtime your organization faces should something go wrong.
Limit Access to Sensitive Data
One of the most important and effective ways to protect your organization’s data is by limiting who has access to it. Every person who can access the information is a vulnerability. Therefore, the more people with access, the more vulnerable it is. User roles and permissions can be used to control who in your organization has access to specific datasets and files. It is important that these permissions are frequently audited to ensure that no person has access to something that they shouldn’t.
Least Privilege Access
Start with a deny-all policy and grant access only on a need-to-know basis. This also includes adopting zero-trust networking principles, where no user or device is trusted by default, even inside the organization’s network.
Keep Your Systems and Software Up-to-date
Software updates are essential to ensuring the security of your systems, but not all updates are the same. Major updates should not be done without being properly vetted by your organization’s IT department. The types of updates that you are going to want to stay on top of are minor and patch updates. To determine what type of update you are being asked to do, look at the version number. A version number consists of three groups of numbers separated by periods. An example of a version number you might see is 2.5.3. Here the major number is 2, the minor number is 5, and the patch is 3. Every time a new major or minor version is released, the numbers that follow it are reset to 0; this allows you to determine the type of update without needing to know the prior version. So, if the software you are updating is version 3.0.0, it is a major update. If the update is version 3.4.0, then it is a minor update. Any time a number other than 0 exists in the third group, it is a patch update. Patch updates are used by developers to provide fixes for common bugs or to fix any flaws in the system’s security. While both patch and minor updates are important to stay up to date on, patches are the most important because they could fix potential vulnerabilities in your current system. A good way to make sure you are keeping your system up to date is by using automatic updates. Most systems will only perform automatic updates for minor and patch updates and will require manual verification before doing any major updates.
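The version-number rule above, as an added Python example that is not part of the original article: it applies the article's heuristic (reading the update type from the new version alone) and, as a generalization, compares against the currently installed version, which also handles the case where several releases were skipped. The function and policy names are this example's own.

```python
"""Classify software updates as major, minor or patch from version numbers.

Added example, not from the original article. MAJOR.MINOR.PATCH parsing
follows the article's description (e.g. 2.5.3 -> major 2, minor 5, patch 3).
"""
from __future__ import annotations
import re

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v') into three integers."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def classify_from_version(new: str) -> str:
    """The article's rule, using the new version only: a non-zero patch field
    means a patch update; otherwise a zero minor field means a major release,
    and anything else is a minor release. Assumes updates are applied one at
    a time, since trailing fields reset to 0 on each major/minor release."""
    _, minor, patch = parse_version(new)
    if patch != 0:
        return "patch"
    return "major" if minor == 0 else "minor"


def classify_update(current: str, new: str) -> str:
    """Generalization: compare against the installed version. The highest
    field that changed decides the type; returns 'none' if new is not newer."""
    cur, nxt = parse_version(current), parse_version(new)
    if nxt <= cur:
        return "none"
    if nxt[0] != cur[0]:
        return "major"
    if nxt[1] != cur[1]:
        return "minor"
    return "patch"


def auto_apply(current: str, new: str) -> bool:
    """Policy from the article: minor and patch updates may be applied
    automatically; major updates wait for IT review (hypothetical helper)."""
    return classify_update(current, new) in ("minor", "patch")


if __name__ == "__main__":
    for cur, new in [("2.5.3", "3.0.0"), ("2.5.3", "3.4.0"), ("2.5.3", "2.5.4")]:
        print(f"{cur} -> {new}: {classify_update(cur, new)}, auto={auto_apply(cur, new)}")
```

Note that 2.5.3 to 3.4.0 reads as "minor" under the version-only heuristic but as "major" once compared with the installed version, which is why the comparison form is safer for an automatic-update policy.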
Create Security Policies
Security policies help your employees to understand what their individual responsibilities are and what is considered acceptable behavior when using organization computers/other devices, sharing organization data, working remotely, and responding to cyberattacks.
Reduce the Information Available to Steal
A good way to minimize your organization’s risk is by reducing the information available to be stolen. This can be accomplished by establishing a data retention policy that outlines what types of data are actively being stored, how long that data should be stored, and how it should be destroyed or relocated at the end of that time. It is crucial to purge emails and files periodically to limit how much information could be stolen if a breach occurs.
Conduct an IT Security Risk Assessment
IT security risk assessments involve cataloging information assets, identifying threats and vulnerabilities, assessing the potential impact of each risk, and prioritizing the order in which threats are dealt with. The IT security risk assessment process includes both the identification of risks and the construction of a plan of action for addressing them. It is an efficient and effective tool for understanding your organization’s security weaknesses and vulnerabilities and taking action to begin to fix them.
Conduct Phishing Tests
Phishing is a type of cyberattack where an individual sends a fraudulent message to a recipient to try and trick them into sharing sensitive information with the sender or installing malicious software on the recipient’s device. Phishing tests are automated tests that send the employees in your organization simulated phishing emails to assess the organization’s susceptibility to this type of cyberattack.
Educate!
This is perhaps the MOST important step! Don’t underestimate the importance and power of educating your employees on cybersecurity risks and preventative measures. A well-informed staff who knows what to look out for can help to spot potential risks and take the steps necessary to hold each other accountable.
Shari Diamond, CIA
Partner
Shari has been with Cerini & Associates, LLP since 2008 where she works primarily with the firm’s school district clients providing internal audit and claims audit services. She has over twenty years’ experience performing internal audits, risk assessments, and compliance reviews, as well as recommending processes to strengthen the internal controls environment while increasing efficiencies. Her prior experience at PWC and Northrop Grumman included performing Information Technology audits.