How Nonprofits Can Protect Themselves from Cyberattacks

Cybersecurity experts say the prospect of cyberattacks is increasingly likely due to the war in Ukraine and advise consumers and organizations to brace for that possibility and take precautions. 

So, what exactly can nonprofits do right now to prepare?  Turns out, quite a lot, actually. 

Create a plan of action  

MNA Tech specialist Yuriy Flit says the first thing Michigan nonprofits should do is to create a plan of action for their organization. He says the first step in this process is to designate a person to oversee this information. It can be a person at your organization—or if you have a contract with a tech company, make sure you know who your contact person is. "Someone that they can reach out to if they have questions or if they get things like a suspicious email or anything like that," Flit explained. "Have someone that they (nonprofits) can get a second opinion on those types of things."

Flit also addressed the issue that many nonprofits are facing when it comes to tech services: lack of money.  Many organizations don't have tech resources due to budget constraints and the size of their organization.  "Technology and especially security in the nonprofit sector sometimes is put on the backburner because there are so many other more important and pertinent things that the nonprofit has to worry about in terms of daily operations," Flit said.

Turn on Multifactor Authentication on all accounts and create stronger passwords

The next two steps that nonprofits can take right now to protect themselves is affordable: multifactor authentication and stronger, unique passwords. Flit advises that organizations turn on multifactor authentication on all accounts and create stronger, unique passwords. "The use of [multifactor authentication] for as many accounts, especially all the important accounts such as emails, finance accounts like QuickBooks, any of those types, that would be a great first step," Flit said.

Utilizing strong passwords and not recycling passwords is crucial. Flit says many people will keep reusing the same password when we're prompted within a 30- or 90- day window to reset a password. "It's common human nature for us. We just kind of add a digit or a different symbol, and then we just keep going with it."

Flit also pointed out that there are programs to generate and store strong passwords for you.  Some of these services can be found with Norton Security as well as the newest IOS system on Apple Products. "If you can use those, do so in as many places as possible. I know some password managers, like one that some organizations use is called LastPass. Those work the same way where there's one single login and password that you log into, and then everything else is stored there securely."

Maintain up-to-date staff lists and create a comprehensive incident plan

Experts say cutting off communications can happen during a cyberattack. Flit recommends "having a current and up-to- date staff list of where you can contact everyone via alternative methods." Beyond this, he recommends that every organization have a comprehensive incident plan that goes a step further beyond that.

"Another part of our security program that we do here at MNA Tech is to create an incident response plan for organizations. A lot of organizations don't have plans like that, or even something as simple as a technology and data use policy. Together both of those plans outline the way that staff should be using the organization's data as well as technology and equipment," Flit said.

"The incident response plan goes a little bit beyond that. It outlines and guides you on different various cyber incidents that have occurred. Then if you were to experience it, this gives simple steps that you can take in order to follow along and prevent that incident from causing more damage than it already did. Once you get back to a normal state, learn from the incident, see what happened, and hopefully prevent it from happening again."

Think before you click—and watch out for phishing and spoof emails

In a cyberattack, spammers can spoof IP addresses to make it look like a charity donation request is coming from Ukraine.  Scammers will also utilize phone calls and banner ads to ask for donations that may seem legitimate. Even the phone number and name on the caller ID may look right. But experts say more often these communications are coming from cybercriminals. Flit says always double-check the address and verify information elsewhere online.  You can verify the relief effort through sites such as:   BBB Wise Giving Alliance, Charity Navigator, and CharityWatch. Or enter the URL of the charity yourself to confirm for yourself that the organization is legitimate.

Spoof or spam emails are an ongoing issue, even outside of a cyberattack. Flit has this advice: "The first step usually is just to take a look at where that email is coming from. What is the email address? Oftentimes, you'll see there's a character missing, or they use a zero instead of an o, or some type of variation. They try to look like they are the source.”

Second, Flit says to look at the body of the email. The goal of the email and the language they use could also be a dead giveaway that it is spam. If you receive a suspected spam email, ask yourself a few questions:

• What are they asking for?
• Is this a legitimate person or company?
• Is this a vendor or a sender that we work with regularly?

"Usually, eight or nine times out of 10, if it's someone that's completely unrecognized, they'll have either attachments or links in those emails. We usually recommend to not click any attachments or links, especially if it's someone that you don't recognize as a verified sender that you worked with before."

If the email is coming from what looks like someone you know or have worked with, Flit recommends contacting them via telephone to verify if they sent the email. "If you have an IT team or someone on staff, you can report to them. If not, the best case of action is usually to just contact whoever they are attempting to be and say, hey, did you send me an email asking me this, this, and that?"

Oftentimes, the other sender may not know they were hacked, and the situation can provide safety for both yourself and the other organization.

Back Up Important Documents and Files

Take the time today to back up all important files now in the cloud and on external drives.  MNA Tech suggests a couple of options: "What we recommend is to have a solution that's on-site, whether that's a cloud solution like Google Drive or SharePoint, or a physical, hard drive that's getting backed up. At least one on-site is perfect. We also recommend one off-site somewhere just in case there's a flood, a fire--- you will have another copy of the data somewhere else," Flit explained.

Update all systems

Another way for organizations to stay safe is to update all antivirus and computer software. Flit says nonprofits don't need a tech team on staff to check for updates. "There's a section under File or Settings or under the Help tab--within those applications there's a check for updates section that you can hit and then it will reach out and see if  there's an update available. And if there is, it will apply that update and install it." 

Flit also had this tip to ensure that your operating system is up-to-date: "For Windows 10, which is the majority of the computers that we deal with in the nonprofit sector, you just go to the Start menu and you hit updates. Another check for updates window will pop up to that will allow you to make sure that you're on the most recent version of Windows there as well."

It can take a lot of time and effort to recover from a cyberattack.  So, take the necessary measures now to secure your organization. Don't wait for an attack to happen to test to see if your protocols will work. Review your cybersecurity policies and protocols today.

• Check your software, systems, and servers to ensure your nonprofit is fully secured.
• Access your backed-up files and download them today to see how the recovery process will work.
• Review your cybersecurity policies and protocols on a regular basis.

If you would like to be featured in our blog or have a story idea, please contact Tammy Pitts or fill out this form.

Contact Tammy