By now, all organizations — for-profit and not-for-profit — know about the risk of cyberattacks. Why then, would any nonprofit fail to secure its network and digital assets? One reason is cost. Cybersecurity can be expensive. Yet according to IBM’s “2022 Cost of a Data Breach Report,” a data breach in the United States leads to an average $9.44 million loss. Obviously, the average is skewed by cyberattacks on large companies. But it’s possible for nonprofits to lose more than they can afford.
Most attacks are made via phishing schemes, where cybercriminals use email to dupe victims into providing personal information, including login credentials. Phishing emails generally include links or attachments that, when clicked, infect computers with malware that enables fraudsters to access your systems.
Increasingly, cybercriminals are using phishing emails to perpetrate ransomware attacks. They gain control of an organization’s network and data and lock legitimate users out. They then hold the data hostage until the victim organization pays a ransom. The criminals might leak some confidential information to the public or on the “dark web” to show they’re serious and to encourage quick payment. Ransomware perpetrators usually release the data after they receive a ransom — but not always.
Criminals have hacked everything from government agencies to hospitals to large charities, so it’s critical that all nonprofits act defensively and provide training to staffers. Training should cover various phishing schemes and include testing so employees can see how easy it is to fall for scams. Other ways to contain potential cyber threats are:
Look for emails flying red flags. Everyone in your organization should look out for suspicious emails, including messages with a sense of urgency, such as a subject line that says, “Respond ASAP.” Phishing subject lines might also include references to upcoming meeting agendas, payroll questions and password verifications. They may appear to come from HR, tech support or your executive director.
Phishing messages frequently are peppered with bad grammar and misspelled words. They may use numbers and special characters that look like letters to dodge anti-phishing software and include URLs that are close, but not identical, to the addresses of legitimate sites.
Use password managers. Your organization should consider using password managers. A surprising number of employees still use easily hacked passwords such as 1234 and PASSWORD. Password managers generate complex passwords and store them for users. At the very least, require employees to come up with difficult passwords and change them frequently. For greater security, implement two-factor authentication. This requires users to log in normally and then confirm their identity via text or phone.
Stay current. Implement hardware and software updates on a timely basis and stop using programs that are no longer updated and supported by their makers.
There are plenty of affordable (if not free) cybersecurity tools available to nonprofits. So there’s no excuse for you to simply hope your organization won’t be hacked. Work with your IT provider or cybersecurity consultants to put safeguards and training in place.
As you protect your nonprofit from data breaches, you should consider protecting your finance data in a secure cloud service and setting up internal controls to safely capture and report on accurate accounting data. Contact Cordia for more information about accounting software designed with nonprofits in mind.