
Associations, nonprofits and other member organizations far too often take comfort in the fact that the bulk of reported data breaches are the result of targeted attacks on for-profit businesses and government agencies. Frankly, that's a false sense of security.

Associations especially, but nonprofits generally, amass an enormous amount of personally identifiable information (PII) just by serving their members or fulfilling their mission. Credit card numbers, healthcare information, SIN numbers and more are stored in association systems. This means that whether you want it or not, nonprofits and associations are ripe targets for cybercrime.

Which means you had better be ready.

Here's a crash course on how you can secure data and systems without interrupting your service and without emptying the coffers.

 

Identify Where Data Breaches Come From

First, let's get a little perspective. Yes, some hacks are carried out by cyber criminals working through back channels for national governments. They are well trained, funded and equipped.

If you're targeted by this type of attack, it's unlikely you'll be able to prevent it. Fortunately, that's a small minority of attacks. Most cybercrime is effectively a crime of opportunity: a phishing or spear-phishing attack, an automated scam, or a hardware exploit. It's not so much a matter of "We want to hack you" as a matter of "We want to hack someone, and you're vulnerable."

Second, recognize the root cause of cybercrime. It's usually people.

As Beauceron Security put it, "it's not a tech problem," citing research from IBM and Ponemon that 95% of successful cybercrime can be traced back to people. Combined, we can draw three obvious conclusions:

  • Cybercrime will happen to you, whether or not you think what you have is worth stealing.
  • Cybercrime is overwhelmingly a crime of opportunity, and one targeted at the weakest link in the security chain: the people involved.
  • Improve attitudes and behaviour towards cybersecurity, and you will hugely strengthen your organization.

Let's look at a few specific ways you can do this.

 

Changing Attitudes and Behaviour

  1. Build a risk assessment plan. Identify weaknesses, and build an action plan to fix them.
  2. Drill your staff. Run a fake phishing campaign and see what happens (there's a great podcast episode about this).
  3. Assign a cybersecurity owner within the technical team. Better yet, hire someone specifically for that role.
  4. Elevate data security to the level of the board, ensuring there is understanding at every level of what the consequences of a breach are.
  5. Review any relevant legislation and make sure that you're meeting compliance standards. It's a good starting point for best practices.
  6. Beef up your physical security. Scan-in/scan-out passes are a simple solution. Restrict access to any hardware you have; locking the server cabinet is a simple step.
  7. Create an organization-wide password policy, and make it mandatory for everybody in your organization.
  8. Make expiring shared links the standard in emails instead of attachments. That way, if someone's mailbox is compromised, it's easier to contain the damage: an attachment lives in the mailbox forever, while an expired link leads nowhere. The expiry has to be enforced by the system serving the file, not just shown in the email.
  9. Cut down on the number of system admins for the various programs. The ideal number is one or two.
  10. Ensure that people have access to the data they need, and nothing more.
  11. Build a cybersecurity emergency plan. Does everyone know what to do?
  12. Getting hacked is embarrassing. Make sure you're fostering a culture of "It's okay to come forward" for anyone who has been the victim of an attack or caused a vulnerability.
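
To make item 8 concrete, here is an added example (not from the original article) of how a file-sharing system can issue links that really do expire. The file ID and expiry time are bound together with an HMAC, so a recipient who forwards the link, or an attacker reading an old mailbox, cannot extend the deadline by editing the URL. The base URL, file ID and signing key are made up for the example; a real deployment would load the key from a secrets store.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server-side signing key for this example only; rotate and store it securely in practice.
SIGNING_KEY = b"example-only-signing-key-rotate-me"


def make_share_link(base_url: str, file_id: str, ttl_seconds: int, now: int, key: bytes = SIGNING_KEY) -> str:
    """Build a link that grants access to `file_id` until `now + ttl_seconds`.

    The signature covers both the file ID and the expiry, so neither can be
    changed without invalidating the link.
    """
    expires = now + ttl_seconds
    message = f"{file_id}|{expires}".encode()
    signature = hmac.new(key, message, hashlib.sha256).hexdigest()
    return f"{base_url}?{urlencode({'f': file_id, 'e': expires, 's': signature})}"


def check_share_link(url: str, now: int, key: bytes = SIGNING_KEY) -> tuple:
    """Validate a share link on the server. Returns (ok, file_id_or_reason).

    The signature is checked before the expiry so that a tampered expiry is
    reported as tampering, and the comparison is constant-time.
    """
    query = parse_qs(urlparse(url).query)
    try:
        file_id = query["f"][0]
        expires = int(query["e"][0])
        signature = query["s"][0]
    except (KeyError, ValueError):
        return False, "malformed"

    expected = hmac.new(key, f"{file_id}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"   # file ID or expiry was altered
    if now >= expires:
        return False, "expired"          # link was genuine but is past its deadline
    return True, file_id


if __name__ == "__main__":
    # Constructed example: a board document shared for one hour.
    issued_at = int(time.time())
    link = make_share_link("https://files.example.org/get", "board-minutes.pdf", 3600, issued_at)
    print(link)
    print(check_share_link(link, issued_at + 60))        # (True, 'board-minutes.pdf')
    print(check_share_link(link, issued_at + 7200))      # (False, 'expired')
```

The recipient's mail client never sees the signing key, and the expiry lives in the signed part of the URL, so the only way to get the file after the deadline is for the owner to issue a fresh link. Revoking a link before it expires (for example after a reported compromise) still needs a server-side deny list or key rotation, which this example does not include.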

 

Tech fixes (because there are some things you can do)

  1. Update all of your software as soon as possible. If you can automate this, all the better.
  2. Do the same for any hardware you run (firmware and device updates).
  3. Host your data in the cloud. Ironically, the cloud is often safer because the hardware is better maintained and protected, since the work is done by specialists, not generalists. The provider secures the hardware and platform; configuring access to your own data (sharing settings, admin accounts) is still your responsibility.
  4. Require users to connect to your systems through a VPN, and don't allow connections from untrusted networks such as public Wi-Fi without it.
  5. Require two-factor authentication (ideally via Google Authenticator or a similar authenticator app; SMS codes are a weaker fallback) on every login.
  6. Periodically review every internal system and external vendor, and map who is accessing what data. Identify weak vendors and review or replace them.
  7. Move off open source software you can't keep patched, or at least isolate its credentials from the rest of your systems. For example, the user names and passwords for your WordPress site shouldn't be the same as the ones for your email accounts.

 

Wrap Up

Cybersecurity doesn't need to be an enormous undertaking. Taking some simple precautions, such as updating your software and hardware, tracking who has access to what data, and streamlining admins and vendors alike, will help.

But the most important thing to remember is that at the heart of it, cybersecurity is about people. It's about people remembering to close the door behind them, using different passwords for each system, and being on guard for phishing emails. Which means that data security is in the business of behaviour change, a much tougher job than updating some outdated technology.

It's about building a culture where cybersecurity is understood, threats are recognized, and the process of coming forward is clear and understood. It's a long, slow, uphill battle. However, if you can change minds, then you'll be secure for years to come.