By Michael Fleischer
Senior Vice President, SterlingRisk
The cyber-attacks that make headlines are often aimed at large corporations and financial institutions with household names. The sad truth, however, is that no one is safe from malicious cyber activity, including today’s nonprofit. In fact, a growing number of charitable organizations that engage in online fundraising and giving campaigns have discovered the hard way that cyber criminals don’t discriminate when targeting victims.
While ransomware and phishing pose a growing threat to all organizations, the following tips can help protect your agency or association from cyber-attacks, cybercrime, and online fraud.
Plan for Worst Case Scenarios
If someone orchestrates a cyber-attack against your nonprofit, it is important to be able to respond quickly. All organizations should have cyber protocols and testing in place. You should be systematically testing your business for cyber weaknesses and entry points, and if a hack or mistake shuts down a vital system, have a plan B. Find a workaround that allows you to keep as much of your business running as possible.
Assess Your Vulnerabilities
You might not always know the risks you and your employees are taking. Bringing in an independent contractor to audit your technology systems and processes is one way to get ahead of those risks. A contractor can uncover hidden dangers such as unpatched software, insecure processes, or compromised systems.
Be Mindful of Emails
Research has found that more than 90 percent of detected malware arrived via email. This is due to the number of ways email can be manipulated.
An employee might receive a seemingly innocent email attachment, only to discover it carries malicious software, known as malware. This malware could take down a single computer or your entire network. Emails can also contain links leading users to websites that automatically download malicious code onto their computers. This type of code cannot always be prevented using traditional antivirus software alone. If an employee’s email account gets broken into, a hacker can pose as a trusted sender and dupe you into sharing valuable information.
Train Your Employees to Detect Threats
Another reason email is such an effective way into an organization is that employees don’t always know what to look for and are not fully aware of the risks they are taking when they check their messages.
Phishing emails, which are messages sent by someone posing as a reputable sender, often have small details changed or contain odd phrasing. With good training, employees will know to ask questions, double-check procedures, and verify requests via other sources. One effective technique is to send test emails that can track whether employees click links or follow a direction contained in a message. If they do, then the system can display educational materials or you can follow up to make sure they understand their mistake.
Require Strong Procedures for Payments
When COVID-19 first emerged, many of the usual processes and procedures had to be reimagined. This created new opportunities for invoice fraud.
For example, after COVID-19 started, businesses and nonprofits saw an increased number of invoices sent via spoofed, disguised, or hacked email addresses. Cyber attackers who spent time observing workers were able to imitate language and processes perfectly. Because of this, it is recommended that employees be skeptical of all invoices and keep client, vendor, and bank phone numbers readily available so they can easily verify any payment or bank charge.
Use Strong Passwords
Passwords should be complex, but they don’t need to be hard to remember. Rather than pasting your passwords into a spreadsheet or writing them down, consider using a password manager with strong encryption. Password managers can assist with password protection, giving you the ability to store encrypted passwords for multiple sites in a secure vault. These high-tech tools can keep hundreds of passwords safe and are easy to use.
While no system is foolproof, following the above cyber tips will go a long way towards safeguarding your nonprofit. If you experience any unusual requests or think you might be a victim of fraud, contact me at firstname.lastname@example.org or call me directly at 516-719-8759.
Michael Fleischer is Senior Vice President at SterlingRisk, one of the nation’s largest privately held insurance brokers. He brings over 35 years of insurance and risk management experience to his clients at SterlingRisk. Michael’s understanding of cyber insurance, claims, risk management, complex coverage issues, and carrier relationships enables him to develop and implement complete and comprehensive solutions to his clients’ exposures. To learn more about SterlingRisk, visit www.sterlingrisk.com.