By Brigid O’Leary
(Our November webcast is on nonprofit cyber security issues. Register now.)
Nearly every day in the news there are new names of high-profile people or organizations that have fallen victim to online hackers. Hacking is not a new phenomenon; New Scientist magazine reported in 2011 that people have been interrupting the use of supposedly “secure” connections since as early as 1903 when a public demonstration of Guglielmo Marconi’s wireless telegraph system was hijacked by Nevil Maskelyne, who turned troll, mocking Marconi’s accomplishments and then some.
And while other incidents of hacking took place in the intervening years, readers of a certain age may recall the 1983 movie War Games that starred Matthew Broderick and brought the concept of hacking to the general public.
As internet use has grown, so too have the size, scope, and technical savvy of hackers, who now come in all kinds, sometimes working alone and other times working together, with varying targets and for different reasons. Many are familiar with the loosely-organized hactivist group Anonymous, which is usually involved in meting out a form of social justice, but other groups exist, such as Fancy Bear, a Russian cyber-espionage group blamed for recently targeting the World Anti-Doping Agency and releasing the medical records of several Olympic medalists – and those are just the groups that have made the news recently.
And while the media usually reports on large-scale security breaches that relate to significant amounts of money (Yahoo!, Target and Amazon breaches) or salacious personal information (Ashley Madison), it doesn’t mean nonprofit organizations are immune.
Risk Assessment
“Nonprofits are no different than any other organizations in terms of potential cyber risk; as long as they have a computer network, have email and mobile devices, they are at risk for potential cyber breach. Nonprofits are as diverse as the for-profit business world in terms of the types of information and type of cyber risk they face,” said Deirdre O’Callaghan, chief counsel of Center for Internet Security, Inc., headquartered in East Greenbush, New York.
The Center for Internet Security (CIS), itself a 501(c)3 organization, is dedicated to enhancing the cybersecurity readiness and response among public and private sector entities, while utilizing its industry and government partnerships to combat evolving cybersecurity challenges on a global scale and helping organizations adopt key best practices to achieve immediate and effective defenses against cyber attacks. CIS runs the Multi-State Information Sharing and Analysis Center (MS-ISAC), CIS Security Benchmarks, and CIS Critical Security Controls.
“They do face the same risks but probably less thought of by hackers as not having anything worth stealing. But most charities have a lot of personal information stored on donors and volunteers especially if they do background checks,” concurred Patrick Craven, director of the Center for Cyber Safety and Education.
Headquartered in Clearwater, Fla., the Center for Cyber Safety and Education is the nonprofit, charitable foundation of (ISC)², which educates and certifies cybersecurity professionals around the world. The Center offers internet safety education and recently partnered with Paws Inc. and Jim Davis, the creator of Garfield, to launch a new education initiative for children that will include online and print Garfield materials and tackle different cyber safety issues.
It’s clear that both O’Callaghan and Craven know exactly what hackers are after and that many people might not realize that nonprofit organizations have plenty of information to tempt a hacker, even the individual who just might be out for individual profit.
“Most nonprofits have at least some employees, so their system would include personal, health and banking information related to those employees. Nonprofits also often have sensitive data regarding donors, including credit card and banking information. Many social service organizations have sensitive client data. Research and development organizations often have important intellectual property that needs protection. Not-for-profit hospitals and medical organizations will have sensitive medical information on patients. All of these information sources are potential cyber targets,” explained O’Callaghan.
Plan of Action
At this point, no one can afford to ignore the potential havoc a cyber security breach could cause for a nonprofit, but in reality it is one more thing with which each organization’s leadership must contend.
“Because of the personal information organizations now have on volunteers and clients, often required by law, it needs to be a major point of concern for leadership. But raising money and providing a program or service is what most focus on leaving themselves vulnerable to hackers,” said Craven.
While responsibilities of running an organization often take precedence for organization leaders some are stymied by the albatross cyber security presents.
“As noted …nonprofits can have control of very significant amounts of personal data of third parties and information that is of value to the nonprofit itself. The potential damage if a significant breach occurs, both in terms of actual data loss and of reputation, should be a major consideration for any nonprofits that handle this type of information,” said O’Callaghan. “We find that while most organizations know that cyber security is important, they are often at a loss as to how to address the problem.”
The question, clearly, for some organizations is where to start.
The Center for Internet Security (CIS) has developed and maintains the CIS Critical Security Controls, a set of 20 sequential actions it recommends that organizations take to improve their level of cybersecurity protection – which can be downloaded for free. O’Callaghan indicated that, at a minimum, organizations would be wise to undertake the first few steps of the CIS Controls, which the organization refers to as basic “cyber hygiene”:
- Documenting the types of hardware and devices used within the organization;
- identifying software and applications used throughout the organization;
- making sure that these devices and software are set to the appropriate security configurations (for example, making sure that password are of sufficient length and complexity to make unauthorized access more difficult);
- create a continuing program to make sure that vulnerabilities that are identified in software and hardware used by the organization are “patched” to correct the vulnerability, and that software and operating platforms are updated; and
- take steps to minimize the number of people who have administrative privilege for the organization’s network, i.e. who can change or bypass the network’s security.
“There are also some additional steps that we recommend. We recommend that employees receive at least basic cybersecurity training. Additional training may be necessary for certain positions that handle particular types of data. For example, [for] those employees with access to credit card information, there are specific standards for the handling of this data developed by the Payment Card Industry (PCI) and training is available for PCI compliance. We also recommend using two factor authentication for all banking transactions. Additionally, we recommend doing file backup at least once a day; this will protect access to as much information as possible in the event of a ransomware event,” she added. “While these steps will go a long way to reducing cyber risk, the reality is that it is not a question of whether a cyber incident will occur, but when. Therefore, we also recommend that an organization develop a cyber incident response plan so that they are prepared when and if an incident does occur.”
Palpable Hit
And they will occur. Last year, The Urban Institute and the National Center for Charitable Statistics – organizations that handle Form 990 filings for nonprofits – were hacked. Each was a breach that jeopardized the personnel information for every employee at each organization that had filed 990s with the companies targeted.
Those security breaches are beyond the responsibility of the individual organizations but they do ramp up the pressure for those who employ individuals whose information was compromised. Even if cyber security was not on their radar before, it should be now.
“The cybersecurity posture of vendors, particularly those who handle a nonprofit’s sensitive information or that of its clients or supporters, has become an increasing point of focus … It is important for nonprofits (and all organizations for that matter) to learn more about their existing and prospective vendors and how they handle, store and destroy information. This should be part of any interview or initial discussion with a prospective vendor that will have access to the nonprofit’s data or computer network,” said O’Callaghan. “There are also contractual vehicles that can provide additional assurances. Organizations have developed standard terms and conditions or require specific language to be added to purchase contracts that address confidentiality, information handling and breach notifications. I am also more frequently seeing organizations requiring the vendor to maintain certain levels of separate cyber liability insurance.”
Even with precautions like these in place, nonprofits have a duty to those whose information may have been compromised when a vendor takes a cyber hit – or when the organization itself finds itself compromised.
“Securing their system should be the first priority to assure that the attack is over and assessing what has been taken. Then they have an obligation to let those who’s information was taken to know of the breach,” said Craven.
Protect and Defend
Cyber security is not something that anyone should take lightly. It is a real threat.
“Many of the cyber attacks are opportunistic in nature, as opposed to a specific target. Hackers send out phishing emails en masse in the hopes that someone will open the infected attachment. This means that nonprofits are just as likely as large organizations to fall prey to these types of attacks,” O’Callaghan said.
Phishing is just one way – arguably one of the easiest ways – for a hacker to gain access to a target, but it’s far from the only means hackers will use in an attempt to access information. In the recent ebook The Evolving Face of Cyber Threats the Center for Strategic and International Studies (CSIS) indicates that a cyber breach can continue for months before it is discovered. The book also estimates that 80 percent of most cyber attacks are of the “known variety,” making the other 20 percent the most damaging—precisely because of their unknown qualities, which make them hard to defend against.
“You have to take it seriously from the beginning. Community and donor trust is what most organizations survive on and losing that could literally destroy them and their mission. Set up tight protocols for dealing with sensitive information including strong and constantly changing passwords,” said Craven, who stressed the importance of asking for help if needed. “Most nonprofit leadership will be lost with how to do this and should seek outside help starting with guidance from their board members who are most likely business leaders who can assist in the process.”
Help could mean reaching out to an organization such as the Center for Cyber Safety and Education, it’s parent company (ISC)² or CIS, which can help a nonprofit ensure it is as equipped as best it can be for any possible cyber attack.
“We can say that based on our experience in assisting hundreds of organizations with cyber incidents, undertaking the basic cyber hygiene steps we outlined will eliminate or reduce the risk of a cyber incident dramatically,” said O’Callaghan. “We recognize that figuring out what are the right steps to take to protect an organization against cyber threats can be daunting, particularly to organizations without dedicated resources. Unfortunately, there is no one easy fix for cyber security protection; it is more of an ongoing effort that must be incorporated into daily operations.”
