3 Steps To Protect Your Nonprofit From a Cyberattack
When we hear news of a data breach, we always picture a large corporation. Unfortunately, this image causes other types of businesses to feel they are safe from attacks. The reality is any business, regardless of its size and profile, can be the target of a cyberattack. This includes (and is definitely not limited to) the nonprofit sector. Learn why your nonprofit is at risk of a cyberattack and how you can protect it.
Victoria Nonprofits - Are You Taking Cybersecurity Seriously?
There are over 170,000 charitable and nonprofit organizations (also known as Societies) in Canada. British Columbia stands out as a host to a diverse range of nonprofits and a location where technology thrives. There is a society for nearly any interest, including agricultural, educational, environmental, political, recreational, religious, scientific, or sporting purposes. Such a variety of services makes nonprofit organizations fertile ground for cybercriminals.
Cybersecurity is top of mind these days, as instances of ransomware and other types of data breaches enter the public consciousness. Unfortunately, as these high-profile cyberattacks gain attention, nonprofits and smaller businesses assume that only large corporations are targets. It is this misunderstanding of the threat and the resulting lack of cybersecurity preparation that cybercriminals count on.
Do You Think Your Nonprofit Isn’t a Target?
While it may be common to believe that most nonprofit organizations survive on shoe-string budgets, the reality isn’t so dire. In 2018, it was estimated that there was $251 billion in total revenue for Canadian registered charities; so it’s not hard to imagine why a cybercriminal would target a nonprofit organization. However, cyber criminality has grown beyond stealing data and selling it on the dark web. Instead, today’s bad actors steal your access to the data and charge you to regain control of it. This tactic is known as ransomware, and it is becoming the dominant form of cyber criminality.
In August of 2020, a well-organized ransomware attack affected 24 Canadian charities—ranging in industries from the BC Cancer Foundation to Canada’s National Ballet—who were influenced by the breach. In some instances, the ransom was paid despite recommendations from security organizations and even Microsoft that ransom payments should never be made.
How Does Ransomware Work?
Ransomware is exactly what it sounds like: your data is held hostage until you pay the ransom to have it released. Ransomware usually starts with a phishing attack designed to gain access to your systems… more often than not, via a team member clicking on a link or downloading an infected attachment. This is why you must give your team the training they need to recognize a phishing attempt.
Once the malicious software is on a device on your network, it locks you out of your data by encrypting your files. Depending on your response, this ‘lockout’ is resolved either by you paying the ransom or the data being destroyed or exposed to the dark web if you refuse to pay.
Ransomware is successful so often because most businesses and organizations don’t think they have anything of value and, as such, won’t be targeted. This lack of preparation that cybercriminals count on leads to the weak security protections smaller businesses and nonprofits unfortunately often employ.
Why Would Nonprofits be Targeted by Ransomware Attacks?
The recent rash of ransomware attacks has targeted organizations that support the public sectors and, as such, have been relying heavily on technology to provide services. As many nonprofit organizations support under-served populations, their data access is critical to their success. As we have seen in the recent rash of ransomware attacks, organizations supporting the public have been increasingly targeted due to the urgency of need. For example, schools and hospitals struggling to provide services due to the stress of COVID-19 can find their efforts fail due to having their systems overcome with ransomware.
Many organizations, particularly smaller ones, feel that they don’t have the resources to invest in a robust cybersecurity plan and instead hope that they are small enough to slip under a cybercriminal’s radar. Unfortunately, these are the types of organizations a cybercriminal is looking for, those who don't invest in cybersecurity and who have connections to larger organizations that do.
It doesn’t cost a criminal much to attack you—the size of the target or even the success of the target has very little to do with the payoff for the hacker. In some cases, they could target you specifically, but in others, you are just one bullet on a list with a thousand other potential victims.
How To Protect Your Society or Nonprofit Organization from a Cyberattack
When it comes to protecting your data, there are a few tried and true methods to ensure your data is safe and resistant to cyberattacks such as phishing and ransomware. These methods include:
- 2FA - Two-factor authentication relies on needing two types of verification before the user is granted access. This verification can be a combination of password, device (such as a phone), or a biometric identifier such as your fingerprint. 2FA is valuable because it is challenging for a bad actor to access both forms of authentication.
- Hardened Internal IT Policies - Controlling who has access to your data is key here. The simplest way to think of access control is as if your data is in a bucket, and the more critical your information is, the smaller the bucket is that holds it. The smaller the bucket, the fewer people can fit into it. By segregating your data, you reduce the ability of a cybercriminal to access essential data because the credentials they may have stolen won’t be able to access it due to the bucket they are in. Establishing hardened Active Directory policies, access permissions, and other basic capabilities that most networks already have (but are often underutilized) can make all the difference.
- Backup your Data - The single most important method you can use to protect your data is to have current backup practices in place. Your backup is one of the few measures you can take to fight against a ransomware attack and is a critical part of your disaster planning. When it comes to backing up your data, the 3-2-1 Rule is essential to ensuring your backup is safe and secure.
The 3-2-1 backup rule states that you should have 3 copies of your data. one in-house, two backups on two different media (for example, in the cloud, and on a backup appliance in house), and one copy off-site as a fail-safe. If you are currently storing your backup on a hard drive in the office or, worse, not taking a regular backup at all, you could be one phishing attempt away from losing your business.
Victoria Nonprofits - It Could Be Too Late to Protect Your Data
While it is often said it’s never too late to have a fresh start, you can be too late when it comes to cybersecurity. Once a cybercriminal gains access to your data, it’s too late to do much of anything except paying the ransom or losing said data. The only way to protect your organization is to already have a cybersecurity plan in place, supported with a BDR (backup and disaster recovery solution).
Moreover, while these steps are standard procedures, getting them right requires the type of expertise most small to medium-sized businesses may not have in-house. Fortunately, Victoria nonprofits don’t have to go it alone. Regardless of size and industry, you can receive the same level of technical support many larger and enterprise-level organizations take advantage of, all at the attractive price point managed IT offers.
Digital Sky Solutions is Victoria, British Columbia’s IT experts, and as a local business, we are familiar with the needs of and threats to our community. Our wide range of technology services can provide your business with cybersecurity solutions designed to protect your data and your business from anything a bad actor may toss your way.
Call (250) 483-5623 today to learn more about our suite of cybersecurity services and give your business the ability to protect itself.