The COVID-19 pandemic is hitting the nonprofit sector hard, and many nonprofit organizations are struggling to adapt to economic and social changes it has brought about in the past few months.
But the bad news doesn't stop there. With many countries and regions requiring staff to work from home, analysts have found that phishing attacks are also increasing. Phishing is the most common type of cyber attack on nonprofits. Typically, an attacker will send employees forged emails with links to look-alike sites mimicking Gmail, a financial website, or a social media site. The attacker hopes the unsuspecting employee or volunteer will try to log in, thereby disclosing their username and password to a web server that looks like the real thing.
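The "look-alike site" trick above is the part of a phishing email a mail filter or a help desk can actually check for. The script below is an added example for this article, not the author's or any vendor's code: it pulls every link out of a message body and labels its host as trusted, look-alike or unknown by comparing it against a short allow-list of domains staff really sign in to. The allow-list, the confusable-character table, the two-edit threshold and the sample email are all constructed for illustration.

```python
"""Spot look-alike login links in an e-mail body.

Added example for this article (not the author's or any vendor's code).
The trusted-domain list, the confusable-character table and the sample
e-mail below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list: domains staff legitimately sign in to.
TRUSTED_DOMAINS = {"gmail.com", "google.com", "paypal.com", "facebook.com"}

# Digits and symbols that attackers swap for visually similar letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registered_domain(host: str) -> str:
    """Last two labels of a host (simplification: ignores co.uk-style suffixes)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from a trusted name is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host part of a link."""
    host = host.lower()
    if registered_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # Undo common visual tricks before comparing: "rn" for "m", "1" for "l", ...
    normalised = host.replace("rn", "m").translate(CONFUSABLES)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        for candidate in (host, normalised):
            # Trusted name buried in a subdomain or prefix of some other domain.
            if trusted in candidate or f"{brand}." in candidate or f"{brand}-" in candidate:
                return "lookalike"
            # Registered domain within two edits of a trusted one.
            if edit_distance(registered_domain(candidate), trusted) <= 2:
                return "lookalike"
    return "unknown"


def scan_email(body: str) -> dict:
    """Map every URL in the e-mail body to its verdict."""
    return {url: classify_host(urlparse(url).hostname or "") for url in URL_RE.findall(body)}


# Constructed phishing-style message: two look-alike links and one genuine one.
SAMPLE_EMAIL = """Hello,
Your mailbox is almost full. Sign in at https://gmai1.com/login to fix it,
or use https://gmail.com.secure-login.example/verify?u=1 for the new portal.
Genuine link for comparison: https://mail.google.com/mail/
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL).items():
        print(f"{verdict:10s} {url}")
```

Two caveats for anyone adapting this: the registered-domain helper takes the last two labels, so multi-label suffixes such as co.uk need a public-suffix list, and short trusted names will produce false positives against legitimate short domains (a known-good allow-list of partner domains fixes that). The point is not a perfect filter but that "does this link really go where it claims?" is a mechanical check, not a judgement each volunteer has to make under pressure.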
Preventing this kind of attack is critical for NPOs, especially during the current crisis, as the recent ransomware attack on two Ontario children’s aid societies shows.
Why and how are nonprofits phished?
Nonprofits are typically less aware of the risks of phishing than private companies. Experts have long pointed this out.
“Nonprofits are no different than any other organizations in terms of potential cyber risk; as long as they have a computer network, have email and mobile devices, they are at risk for potential cyber breach. Nonprofits are as diverse as the for-profit business world in terms of the types of information and type of cyber risk they face,” points out Deirdre O’Callaghan, chief counsel of Center for Internet Security, Inc.
In fact, nonprofits may be uniquely vulnerable to such attacks. Many rely on volunteers and lack the resources to provide thorough cybersecurity training. It’s no surprise that in a 2018 study of more than 6 million users, KnowBe4 found that nonprofit organizations had the highest percentage of “phish-prone” employees among large organizations.
Much of the data nonprofits hold is not obviously commercially sensitive, so it is easy to overlook the value that data can have for hackers. Nevertheless, organizations should recognize that they must be concerned about cybersecurity.
Preventing phishing attacks on nonprofits: five key strategies
Preventing phishing attacks relies on a number of tools and processes: some are technical systems that encrypt your data; others are best understood as ways of working.
1. Risk assessment
The first and most important element in protecting your organization from this type of attack is to do your research on what a phishing attack actually is, and what kind of attacks you are vulnerable to. Phishing attacks today are generally highly targeted and designed to exploit the most important systems you use.
These systems could be those you use to store personal information on high-value donors or operational data that can be stolen and used to blackmail you. Other types of attacks are focused on scamming money directly from your organization: in 2017, Save the Children revealed that an unknown cyber attacker impersonating an employee tricked the institution into transferring $997,400 to a fraudulent organization in Japan, on the belief that the money would be used to purchase solar panels for health centers in Pakistan.
Your first step is to conduct a risk assessment to ascertain which of your systems are most vulnerable to phishing attacks.
2. Use strong, unique passwords
One of the most fundamental steps you can take to protect your data is simply to remind (or require) your employees and volunteers to use strong, unique passwords for all of their work-related systems. Many IT systems give you the capability to require employees to use passwords of a certain length or complexity; you should use this option where it is available.
In addition, you should remind your employees and volunteers of the importance of practicing good cybersecurity. Often, a simple email reminding them to update their passwords once a month can make your systems much more difficult to hack.
3. Keep your software updated
Another simple way to protect your system against phishing attacks is to ensure that you have installed all the relevant security updates available for the software you use. Despite the importance of doing this, it is a step that many nonprofits overlook, because they lack the well-resourced IT staff to do so.
Organizations should therefore designate a particular staff member to keep all machines—including any personal computers employees and volunteers use for official business—up to date with the latest security patches.
4. Secure Your Internal Communications
Many nonprofits and startups are suffering immensely from the COVID-19 pandemic, forcing work-from-home rules or, worse, broad layoffs. You should recognize that working from home significantly increases employees’ and volunteers’ exposure to phishing attacks. The home networks that most of your staff are now using were never designed to protect sensitive data, and represent a huge opportunity for phishing scammers.
A solution to this issue can be found in virtual private network (VPN) services, which encrypt the information that your staff shares with your organization, thereby keeping it safe from hackers. The best VPNs will give you the ability to protect all of your staff in this way. You should insist that each staff member use a VPN whenever they are working off-site.
5. Access policies
Finally, the current crisis is a great moment to take a thorough look at your access policies and to audit which of your employees have access to your data. Wherever possible, access to systems should be as limited as is feasible, so that a low-level employee who is taken advantage of cannot expose more than their role requires.
Insecure access policies have been the source of many recent, damaging phishing attacks on nonprofits. Take, for example, the recent ransomware attack on Family and Children’s Services that encrypted most of their servers and cost the agency $100,000 in cyber insurance.
Or consider the recent malware attack on Children’s Aid Society that locked staff out of online files containing sensitive data about the children and families they serve. Both were caused by volunteers having access to far more data than they should have.
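Both incidents come down to the same question an access audit answers: does each account hold only what its role needs, and is anyone still holding access they no longer use? The script below is an added example for this article, not the agencies' systems or the author's code. It compares a constructed export of accounts and their grants against a constructed per-role policy, reports every grant beyond the role and every dormant account that can still reach a sensitive system, and lists findings on the sensitive systems first so the review starts where a phished login would hurt most.

```python
"""Access review: flag grants that exceed an account's role.

Added example for this article (not the agencies' or the author's code).
The role policy, sensitive-system list and account records are constructed.
"""

# Constructed policy: what each role legitimately needs (least privilege).
ROLE_POLICY = {
    "volunteer": {"events-calendar": {"read"}, "shift-roster": {"read"}},
    "caseworker": {"case-files": {"read", "write"}, "shift-roster": {"read"}},
    "finance": {"donor-records": {"read", "write"}, "bank-export": {"read"}},
    "it-admin": {"file-server": {"read", "write", "admin"}},
}

# Systems whose loss or encryption would hurt the most; findings there come first.
SENSITIVE_SYSTEMS = {"case-files", "donor-records", "bank-export", "file-server"}

# Constructed export from an identity/file-share system: user, role, grants, last login.
ACCOUNTS = [
    {"user": "vol.smith", "role": "volunteer", "last_login_days": 2,
     "grants": {"events-calendar": {"read"}, "case-files": {"read", "write"}}},
    {"user": "cw.jones", "role": "caseworker", "last_login_days": 1,
     "grants": {"case-files": {"read", "write"}, "shift-roster": {"read"}}},
    {"user": "vol.lee", "role": "volunteer", "last_login_days": 200,
     "grants": {"shift-roster": {"read"}, "donor-records": {"read"}}},
    {"user": "fin.patel", "role": "finance", "last_login_days": 5,
     "grants": {"donor-records": {"read", "write"}, "file-server": {"admin"}}},
]


def review_access(accounts, policy=ROLE_POLICY, sensitive=SENSITIVE_SYSTEMS, stale_after_days=90):
    """Return findings for grants beyond the role, plus stale accounts on sensitive systems."""
    findings = []
    for acct in accounts:
        allowed = policy.get(acct["role"], {})
        for system, perms in acct["grants"].items():
            excess = perms - allowed.get(system, set())
            if excess:
                findings.append({
                    "user": acct["user"], "role": acct["role"], "system": system,
                    "issue": "excess-grant", "remove": sorted(excess),
                    "sensitive": system in sensitive,
                })
        touches_sensitive = [s for s in acct["grants"] if s in sensitive]
        if touches_sensitive and acct["last_login_days"] > stale_after_days:
            findings.append({
                "user": acct["user"], "role": acct["role"],
                "system": ",".join(sorted(touches_sensitive)),
                "issue": "stale-account", "remove": ["all"], "sensitive": True,
            })
    # Sensitive systems first, then by user, so the audit starts where a phished account hurts most.
    findings.sort(key=lambda f: (not f["sensitive"], f["user"], f["system"]))
    return findings


def summary(findings) -> dict:
    """Count findings by issue type for the report cover sheet."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access(ACCOUNTS):
        flag = "!" if f["sensitive"] else " "
        print(f"{flag} {f['issue']:13s} {f['user']:10s} {f['system']:24s} remove: {', '.join(f['remove'])}")
    print(summary(review_access(ACCOUNTS)))
```

On the constructed data the review surfaces a volunteer with write access to case files, a dormant volunteer account that can still read donor records, and a finance user holding admin rights on the file server; the caseworker whose grants match the policy produces nothing. Running a review like this against a real export from your file server or identity provider, and repeating it each quarter, is the concrete form of "limit access to what is feasible".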
All of the processes and tools above will dramatically reduce your exposure to phishing attacks, but you should also recognize that no cybersecurity tactics can completely protect you. Unfortunately, it is almost inevitable that at some point your organization will fall victim to a phishing attack. The way you respond to an attack is just as important as the way you protect yourself.
If an attack occurs, you should be clear in your communications with your clients, employees, and supporters. You should also ensure that you contact the relevant authorities in order to limit the impact of the attack.
It might seem like the current crisis is a bad time to improve cybersecurity. It's certainly true that nonprofits have a lot on their plate. But improving your organization’s resistance to phishing attacks can prevent pain in the short term and pay off in the long run.