Protecting Your Nonprofit from Cyber Threats

By Michael Fleischer

Senior Vice President, SterlingRisk

The cyber-attacks that make headlines are often aimed at large corporations and financial institutions with household names. The sad truth, however, is that no one is safe from malicious cyber activity, including today’s nonprofit. In fact, a growing number of charitable organizations that engage in online fundraising and giving campaigns have discovered the hard way that cyber criminals don’t discriminate when choosing victims.

While ransomware and phishing pose a growing threat to all organizations, the following tips can help protect your agency or association from cyber-attacks, cybercrime, and online fraud.

Plan for Worst Case Scenarios

If someone orchestrates a cyber-attack against your nonprofit, it is important to be able to respond quickly. All organizations should have cyber protocols and testing in place. You should be systematically testing your business for cyber weaknesses and entry points, and if a hack or mistake shuts down a vital system, have a plan B. Find a workaround that allows you to keep as much of your business running as possible.

Assess Your Vulnerabilities

You might not always know the risks you and your employees are taking. Bringing in an independent contractor to audit your technology systems and processes is one way to get ahead of those risks. A contractor can uncover hidden dangers such as unpatched software, insecure processes, or compromised systems.

Be Mindful of Emails

Research has found that more than 90 percent of detected malware arrived via email. This is due to the number of ways email can be manipulated.

An employee might receive a seemingly innocent email attachment, only to discover it carries malicious software, known as malware. This malware could take down a single computer or your entire network. Emails can also contain links leading users to websites that automatically download malicious code onto their computers. This type of code cannot always be prevented using traditional antivirus software alone. If an employee’s email account gets broken into, a hacker can pose as a trusted sender and dupe you into sharing valuable information.

Train Your Employees to Detect Threats

Another reason email is such an effective way into an organization is that employees don’t always know what to look for and are not fully aware of the risks they are taking when they check their messages.

Phishing emails, which are messages sent by someone posing as a reputable sender, often have small details changed or contain odd phrasing. With good training, employees will know to ask questions, double-check procedures, and verify requests via other sources. One effective technique is to send test emails that can track whether employees click links or follow a direction contained in a message. If they do, then the system can display educational materials or you can follow up to make sure they understand their mistake.

Require Strong Procedures for Payments

When COVID-19 first emerged, many of the usual processes and procedures had to be reimagined. This created new opportunities for invoice fraud.

For example, after COVID-19 started, businesses and nonprofits saw an increased number of invoices sent via spoofed, disguised, or hacked email addresses. Cyber attackers who had spent time observing workers were able to imitate language and processes perfectly. Because of this, employees should be skeptical of all invoices and should have client, vendor, and bank phone numbers readily available so that any payment or bank charge can be easily verified.

Use Strong Passwords

Passwords should be complex, but they don’t need to be hard to remember. Rather than pasting your passwords into a spreadsheet or writing them down, consider using a password manager with strong encryption. Password managers can assist with password protection, giving the ability to store encrypted passwords for multiple sites in a secure vault. These high-tech tools can keep hundreds of passwords safe and are easy to use.

While no system is foolproof, following the above cyber tips will go a long way towards safeguarding your nonprofit. If you experience any unusual requests or think you might be a victim of fraud, contact me at mfleischer@sterlingrisk.com or call me directly at 516-719-8759.

Michael Fleischer is Senior Vice President at SterlingRisk, one of the nation’s largest privately held insurance brokers. He brings over 35 years of insurance and risk management experience to his clients at SterlingRisk. Michael’s understanding of cyber insurance, claims, risk management, complex coverage issues, and carrier relationships enables him to develop and implement complete and comprehensive solutions to his clients’ exposures. To learn more about SterlingRisk, visit www.sterlingrisk.com.

Log4j and the “ER” Cybersecurity Challenge for Nonprofits

As we head into 2022 with Delta and Omicron on our minds and cautious hopes that this will be the year we finally put this disruptive pandemic in our rearview mirror, the impact of the log4j vulnerability continues to be felt across the technology and cybersecurity world.

(If you don’t know anything about log4j, you might want to watch this short explainer video first.)

For nonprofits of all sizes, but especially smaller nonprofits (meaning under 100 staff), log4j exposed a weakness that has always been there, but could loom larger as vulnerabilities like log4j continue to emerge. And bear with me here, because I’m going to drop two eye-glazing words on you: enumeration and remediation.

Let’s use the (quite apropos) acronym ER to refer to these two terms. I like ER because it makes most Americans immediately think of “emergency room” (and, perhaps even better, makes Americans of a certain age think of the television series E/R’s George Clooney).

Emergency Room is appropriate because when there is a critical vulnerability disclosure such as log4j, technology personnel need to respond immediately by doing two (2) triage-like actions as thoroughly and rapidly as they can. And these two things are enumeration and remediation.

Think of it like this – let’s say someone threatened to throw a cream pie in the face of any of my colleagues who display the color blue.

Vulnerability – displaying the color blue
Threat – cream pie to the face.

Here’s a picture of my colleagues:

Enumeration would involve going through my staff and seeing who displays any blue. I would immediately see that I have two people with blue showing, one with a blue shirt and one with blue hair.

Remediation would involve having those staff people prevent any blue from showing. I’ll have the person in the blue shirt change to a red shirt and have the person with blue hair change it to red.

Voila! No one gets a cream pie in the face.

How ER applies to log4j and other vulnerability disclosures

The log4j vulnerability was first publicly disclosed on Thursday, December 9th, 2021 and, within hours, attackers were actively scanning the Internet for systems with the log4j vulnerability present and launching attacks against systems discovered to have the vulnerability.

For you to be able to defend your organization against attackers in these kinds of scenarios, you first need to know whether you have any systems that are vulnerable to this exploit (i.e., anyone showing the color blue in the example above).

You have to have some way of searching through your systems and software and knowing if you have any devices or software that might be vulnerable and, if so, what they are and how exposed they may be. The process of identifying systems that have vulnerabilities and how exploitable they are is the essence of enumeration.

Enumeration

A typical nonprofit of, let’s say, thirty-five (35) staff may have a couple of servers, a firewall (or two), some wireless access points, a few printers, and thirty-five (35) or so laptops and desktops (typically one per staff person). This nonprofit would also have dozens of software applications such as Microsoft Office, the Windows and macOS operating systems, Adobe Reader, QuickBooks, and so on.

The Cybersecurity & Infrastructure Security Agency (CISA) provides many resources for responding to log4j, with an entire GitHub repository for guidance. This includes a list of all known vendors and software with vulnerabilities.

Even if our typical thirty-five person nonprofit has the best of intentions and goes to the CISA repository looking to take action, they are quickly going to find themselves facing a number of challenges:

  1. They have no current inventory of all these systems
  2. They have no person(s) with clear responsibility for leading the process
  3. There is limited or zero ability to automate this process
  4. It is extremely difficult for the decision-makers to make appropriate decisions about resource allocation:
    • How urgent is it to do this?
    • How much risk is there?
    • How likely is it that my organization will be targeted?

That is part one of the ER challenge. How would your organization perform enumeration in a scenario like this? Would it even be possible?

Remediation

Part two of the ER challenge is remediation. Once you have enumerated your vulnerabilities (going back to our cream pie example, the two people displaying the color blue), you need to remediate. This typically means eliminating the vulnerabilities by either patching (running updates that fix the vulnerabilities) or making system changes that render the vulnerability unexploitable.

If your enumeration process reveals many vulnerabilities, you will need to prioritize your remediation efforts. Let’s say, for example, that you discovered a vulnerability in one of your servers and also in software applications running on 10 out of your 35 workstations. How do you decide what to remediate first?

In this instance, an Internet-facing server (such as a web server or database server) with the log4j vulnerability present is probably the most critical, since all it would take for an attacker to exploit it is to find it themselves (through their scans of the Internet) and then send it a single packet of data.

The workstations would not typically be Internet-facing (meaning they would not accept unsolicited input from the Internet) and would therefore be less exposed, since some kind of user action would be required for an attacker to exploit the log4j vulnerability on them. You will still want to remediate these vulnerabilities, because they can be exploited by getting a user to click a malicious link, such as one in a phishing email. Further remediation could include training your staff on how phishing emails work and educating them on how to identify potentially malicious email messages.
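As an added example (not code from this article or from RoundTable), here is how the two ER steps above, enumeration and exposure-based prioritization of remediation, can be automated in Python: it walks each asset’s filesystem for log4j-core jars, reads the version from the jar manifest (falling back to the filename), and orders affected assets so that Internet-facing servers come before workstations. The asset inventory, the fake jars and the FIXED_VERSION threshold are constructed assumptions.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption: log4j-core builds older than this are treated as affected; adjust to the vendor's current fixed version.
FIXED_VERSION = (2, 17, 1)

# Constructed exposure weights: higher remediates first (an Internet-facing server outranks a workstation).
EXPOSURE = {"internet-facing": 3, "internal-server": 2, "workstation": 1}


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple, or None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def jar_version(jar_path):
    """Read Implementation-Version from the jar manifest, falling back to the filename."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("implementation-version:"):
                return parse_version(line.split(":", 1)[1].strip())
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: fall through to the filename
    return parse_version(Path(jar_path).stem.replace("log4j-core-", ""))


def enumerate_log4j(root):
    """Walk a filesystem root; return [(path, version)] for every log4j-core jar found."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                found.append((path, jar_version(path)))
    return found


def prioritize(inventory):
    """inventory: list of {name, exposure, root}. Returns affected assets, most exposed first."""
    findings = []
    for asset in inventory:
        bad = [(p, v) for p, v in enumerate_log4j(asset["root"])
               if v is None or v < FIXED_VERSION]  # an unknown version counts as affected
        if bad:
            findings.append({"asset": asset["name"], "exposure": asset["exposure"], "jars": bad})
    return sorted(findings, key=lambda f: EXPOSURE[f["exposure"]], reverse=True)


def make_fake_jar(path, version):
    """Constructed fixture: an otherwise empty jar whose manifest carries a version."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")


def demo():
    """Build a constructed three-asset inventory on disk and run enumeration over it."""
    base = tempfile.mkdtemp()
    make_fake_jar(f"{base}/web/lib/log4j-core-2.14.1.jar", "2.14.1")   # exposed server
    make_fake_jar(f"{base}/ws07/app/log4j-core-2.13.0.jar", "2.13.0")  # affected workstation
    make_fake_jar(f"{base}/ws12/app/log4j-core-2.17.1.jar", "2.17.1")  # already patched
    inventory = [
        {"name": "ws07", "exposure": "workstation", "root": f"{base}/ws07"},
        {"name": "ws12", "exposure": "workstation", "root": f"{base}/ws12"},
        {"name": "web-01", "exposure": "internet-facing", "root": f"{base}/web"},
    ]
    return prioritize(inventory)
```

Running `demo()` returns the web server first and the affected workstation second; the patched workstation does not appear, which is the ordered remediation list the article asks you to be able to produce.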

The Crux of the Challenge

At this point, unless you’re an IT professional or just incredibly curious about this sort of thing, your eyes have most likely glazed over. Alternately, you might be experiencing minor heart palpitations (if so, my apologies!).

And that’s the issue, in a nutshell. Most nonprofits are in no way prepared to respond effectively to these kinds of major vulnerability disclosures.

What to Do

If your organization does not have in-house capabilities that allow you to keep a current and accurate inventory of your systems and perform some reasonable version of the ER process we’ve described here, think about whether your organization is comfortable accepting that risk or if you’d like to do better. If you would like to be better prepared, consider working with a third-party technology provider (such as RoundTable) that has tools and expertise to respond appropriately to present and future threats.

Also, an automated digital asset management system (not simply a spreadsheet you update manually) is not only incredibly helpful for day-to-day IT needs but is increasingly a critical tool in your cybersecurity defense arsenal. Without one, you are left to either guess and hope, or do a lot of manual work to perform enumeration and remediation when needed.

If you would like to talk with someone at RoundTable about how we could help your organization with improving your cybersecurity or any other aspect of your technology management, please reach out.


Types of Penetration Testing – A Cybersecurity Guide


To start off we need to define penetration testing. What is it?

What is a penetration test?

Penetration testing (sometimes called a pen test) can be extremely useful in finding vulnerabilities in your organization’s cybersecurity protection. Basically, a team of experts attempts to “penetrate” your defenses, as if they are a bad actor, who actually wants to steal your data. If you’ve heard the term “ethical hacking” before, this is one of the ways that it is done. Think of it as hiring a hacker to conduct a simulated cyber attack in the form of a penetration test.

Through this process, your weaknesses can be identified and methods to shore up defenses will be recommended. Typically, it’s a good idea to do some type of penetration testing annually, to make sure that your systems are holding strong against the latest forms of cyberattack. You can do this yourself with online penetration testing tools, or you can hire a third party who will perform a more thorough test for you, and help you effectively respond to the results.

Why is penetration testing important?

Cyber attacks are on the rise. Technology is more widespread than ever before in our culture and our world —especially in our more remote hybrid workspace— and as a result, we rely more and more on it. Can you imagine waking up one morning and none of your accounts work, your website has been taken over and ransomed, your customer data sold?

That’s a worst-case scenario, but it happens every day to people just like you. Even smaller organizations and nonprofits are becoming the target of these attacks. Attacks of opportunity, when your passwords and data are leaked through a larger cyberattack, such as an attack on your web host, are some of the most common, and no one is safe from these.

Increasing your layers of cybersecurity and protection is the only way to stay ahead and mitigate the risk of an attack. Penetration testing is a great way to identify your weaknesses and fix them before a bad actor has the chance to leverage them.

Types of Penetration Testing

Let’s discuss a few of the different types of penetration testing that your organization can utilize. Generally, there are three main types of penetration testing: black box, grey box, and white box.

Black Box Penetration Testing

In a black box pen test, no information is given to the person or group performing the test. They go in on their own and attempt to penetrate defenses without prior information from you. This type of test is one of the most popular as it can be seen as truly authentic, seeing what defenses can be breached when an unknown attacker makes their first attempts. It can, however, be more costly as it is usually more extensive.

White Box Penetration Testing

White box penetration testing is the opposite of black box: the tester is given full access to your system, network, and credentials and then identifies weak points as an outside third party. This type of test is typically more affordable, as it takes less time and effort on the tester’s end. However, because so much information is shared, it can be seen as a less accurate method than black box penetration testing.

Grey Box Penetration Testing

As you may have guessed by now, a grey box penetration test is a mixture of white and black box. A tester goes in with a limited amount of information, usually in the form of login credentials. This is a good balance between the other two types, and some consider it the most realistic, since a bad actor will often do some reconnaissance and scope out an organization before attempting an attack.

Subcategories of Penetration Testing

Each of the different types of penetration testing can be further broken apart into sub-categories of infrastructure, such as:

  • Web Application
  • Wireless
  • Social Engineering
  • Network
  • Client Side

When choosing what kind of penetration test is best for your organization, you can choose to do some subset of these either through white, grey, or black box penetration testing, or if deemed necessary, you could choose to do them all.

Typical Penetration Test Cost

The typical cost of a penetration test depends on many factors, making the most reasonable answer to this question “it depends.” On average, for a small nonprofit organization, the cost of a penetration test could be in the realm of $4,000. For extremely large organizations, the spectrum swings all the way up to $100,000. Likely, if you’re reading this, you are part of a small to medium-sized company, where a penetration test would cost on average $4,000 – $10,000.

If you’re concerned about the cost there are other ways to increase your cybersecurity defenses outside of a penetration test. Take our free Cybersecurity Self-Assessment to get tips and recommendations on what your organization can do to increase its security.

If you do think a penetration test would be useful, you can contact us to get a more personalized quote for penetration testing services and a free cybersecurity assessment.

Or if you’d just like to stay up to date with the latest in cybersecurity tips, you can sign up for our Cybersecurity Tip of the Week.

Cybersecurity Readiness to Protect Against Today’s Top Threats

About

Cybersecurity skills training is one of the easiest, most cost-effective, and urgently important things you can do to help ensure the safety of your nonprofit organization. Join cybersecurity experts, Joshua Peskay and Destiny Bowers from RoundTable Technology for a cybersecurity awareness training targeted to nonprofits.  

You’ll learn how to recognize threats, stop social engineering, and understand the multiple layers of defense that are an ideal form of protection (and have fun in the process). RoundTable’s cybersecurity training will scare you and provide plenty of laughs. Think of us as the thrill ride of cybersecurity training. 

This free program is made possible by

GUEST ARTICLE: LET’S TALK ABOUT “REASONABLE” CYBERSECURITY


NEW PRIVACY REGULATIONS ARE MAKING CYBERSECURITY A LEGAL REQUIREMENT

Let’s start with the good news. Many states within the USA are implementing privacy regulations to protect our individual data. As individuals this is good for us. Finally, companies will face serious consequences in the form of substantial fines for collecting more information than they disclosed, for sharing our information without our explicit consent, or for failing to take reasonable measures to protect our information. Keep that word, “reasonable,” in mind. We’ll be coming back to it.

GDPR GOT THE DATA PRIVACY BALL ROLLING

This started with the European Union implementing the General Data Protection Regulation (GDPR) back in May 2018. California was next, with the California Consumer Protection Act (CCPA). New York joined the party with its (awkward acronym award winner) Stop Hacks and Improve Electronic Data Security Act (SHIELD) in March 2020. Of course, something else was going on in March 2020, so no wonder we weren’t paying such close attention to new data privacy laws. There are many, many more laws to come, and federal legislation is in the works as well. You may think that in this highly partisan political environment it’s unlikely federal legislation will pass, but this issue has significant bipartisan support.

LET’S BE REASONABLE

For purposes of this article, we are only focusing on one aspect of these new laws, something they all have in common. The requirement of “reasonable” measures to protect information. So, what do “reasonable” measures look like?

Note that the word “reasonable” has a specific legal definition with a long history within the legal system (cool fact: one of the people most responsible for the “reasonableness” standard was, no joke, named “Learned Hand”). For purposes of “reasonable” cybersecurity measures, the Federal Trade Commission provides this language:

“Employing reasonable safeguards to protect the confidentiality, integrity, or availability of data given the type, amount, and sensitivity of that data in relation to the size, sophistication, and capability of the organization.”

IF YOU COLLECT IT, PROTECT IT

But SHIELD provides more specific details, which is quite helpful for those looking to achieve compliance. SHIELD suggests that a “reasonable” cybersecurity program should include, at a minimum:

  • Designation and training of employees to coordinate cybersecurity compliance;
  • The use of third-party service providers capable of maintaining appropriate cybersecurity practices, with safeguards required by contract;
  • Risk assessment of the company’s cybersecurity program, including both the network and software design and the information processing, transmission, and storage;
  • Processes and physical safeguards to detect, prevent, and respond to attacks or system failures;
  • Monitoring and testing of the effectiveness of the cybersecurity program;
  • Processes to safely, securely, and permanently dispose of data within a reasonable amount of time after it is no longer needed for business purposes; and
  • Updates to the program periodically to address changes in the business or circumstances that would require the program to be changed.

IF YOU FAIL ME, TELL ME


Also note that these regulations have requirements for data breach notification. In plain English, if you expose my data to an unauthorized party, you have to tell me about it within a reasonable timeframe. That timeframe ranges from law to law, but typically is between 72 hours at the minimum and 30 days at the maximum.

One aspect of the NYS SHIELD law that is ground-breaking is in how it defines what constitutes a breach. Under the law, a breach refers not only to unauthorized acquisition of protected information, but any unauthorized access to protected information.

For example, access would apply to a situation where an employee of an organization is the victim of a phishing attack and his or her credentials are compromised, giving a cybercriminal access to personal information that the organization is storing. The cybercriminal does not have to obtain or copy the information for it to be considered a breach by SHIELD standards.

If you want to take a deeper dive on these privacy regulations, I recommend you take a look at the terrific guide put together by Whole Whale, A 2020 Pragmatist’s Guide to US Digital Privacy Laws: CCPA, SHIELD.

If you want to get your cybersecurity program in shape (or start a cybersecurity program from scratch), then prepare for a shameless plug:

RoundTable’s Cybersecurity Program provides the very definition of “reasonable measures” for cybersecurity. To learn more about RoundTable’s Cybersecurity Program, book a brief discovery call with one of their experts or give them a call at 866-784-3543.

Whatever you do, please be reasonable.

This article was also featured in our newsletter NFP Advisor Vol. 24.

JOSHUA PESKAY

vCIO/Cybersecurity

RoundTable Technology

Cybersecurity Panel


Cybersecurity has continued to be a hot topic thanks to aggressive hackers, and working remotely has certainly increased hackers’ ability to cause damage. With a second wave of COVID-19 closures coming back, more users and changes to day-to-day business processes will push the limits of your technology infrastructure, especially when it involves implementing new software applications to handle internal processes that were once done in person and manually. Are your IT operations set up to handle the changes? Training, bandwidth issues, making sure anti-virus and anti-malware updates are regularly pushed out to all users, decreased availability of new equipment such as laptops and Chromebooks, shortages of people to maintain the IT infrastructure: all major stresses. Add on top that hackers know you are stressed and may not have everything up to code, and bam, they send out phishing emails en masse and deploy as many tactics as they can to get into your system.