Your work is vital. We are raising funds to support it.
Opening scene: a pale, bespectacled man types furiously on a keyboard, muttering, "I almost got it!" Monochrome green code scrolls across his screen, and an unnecessarily large "Transfer Status" window shows stolen data in the process of being transferred.
Hollywood has taught us that this is how our data or network gets compromised. But nothing is further from the truth. Rather than a clever hacker directly targeting your nonprofit, your organization is more likely at risk from a software update you skipped in haste, a disgruntled employee who still has access to your cloud drive, or an unencrypted device left in an airport bathroom.
According to the August 2014 Symantec Intelligence Report, there were 259 data breaches between September 2013 and August 2014. These breaches exposed the identities of 598 million individuals.
The four causes of those data breaches were:
The top five types of data exposed in these breaches were names, social security numbers, addresses, birth dates, and financial information.
The well-publicized attacks on Target, Community Health Systems, and Home Depot recently were the first type. They were likely planned and coordinated by rogue groups using advanced persistent threats, an increasingly common methodology used by hackers.
Unless your nonprofit or NGO has specific adversaries or is being spear phished, the hacking you may encounter is probably less sophisticated and less targeted. The attack vector (how the hackers get in, wreak havoc, and steal data) is most likely to be unpatched software or devices.
Using both known and yet-to-be-disclosed vulnerabilities in software and hardware, hackers create malware designed to exploit holes. If you skip a software update, you become vulnerable.
That's why you should always keep your software updated, especially often-used software like your operating system and productivity software. If you have networked workstations, you should also consider enterprise-wide security suites that can monitor and scan for suspicious activity (check out our security page to see what's available through TechSoup).
Even if you effectively defend against malware, lost devices or drives are common causes of data breaches. That fundraising contractor whose laptop was stolen? If that laptop held a copy of your donor data, losing it is just as harmful as a hacker plotting an attack. Nonprofits should avoid having sensitive data stored on mobile devices and drives if possible. If you must store data on a mobile device or drive, make sure the device is encrypted:
Lastly, although "insider threat" was the least prominent threat among the four Symantec identified, it is still a potential problem for any organization. We should never assume that all of us working in the sector are well-intentioned. For example, when an employee is no longer working for you, do you make sure to change all the online passwords to which the person had access? Even if an employee or former employee isn't intentionally stealing information, malware searching for credentials on an unmanaged device or account could still cause problems.
Staff should also be adequately trained and informed about potential threats, and security should be part of new hire (and volunteer!) training and termination procedures. Kaspersky has an informative guide, Top 10 Tips for Educating Employees about Cybersecurity, which addresses 10 things you should do to ensure you don't become a victim.
Do you have any other tips for data breach mitigation? Share them below!
This post is part of TechSoup's Safer Online for Nonprofits education campaign in partnership with Microsoft.
Image 1: Brian Klug / CC BY-NC
Image 2: Symantec
Kevin Lo | Senior Program Manager, NetSquared.org | a part of TechSoup Global
The New York Times small business blog posted a story on the same issue. All of their tips apply to nonprofits as well, especially those who run point-of-sale systems or accept donations:
This work is published under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License.
Close this window