The COVID-19 pandemic has resulted in numerous risks for nonprofit organizations. In addition to health-related risks and financial challenges, the pandemic has intensified the threat of cyberattacks. Hackers have grown more sophisticated in recent years. They often target nonprofits because charities hold confidential donor data but may fail to safeguard such data.
And the cost of a cyberattack can be steep. According to the IBM Security “2021 Cost of a Data Breach Report,” breaches initiated through phishing schemes had an average total cost of more than $4.65 million per incident. You owe it to your stakeholders to stay current on hacking threats and do what’s necessary to secure your systems.
Most attacks are made via phishing schemes, where cybercriminals dupe victims into providing personal information (including login credentials). Phishing emails generally include links or attachments that, when clicked, infect computers with malware that enables fraudsters to unlock your systems.
For example, someone on your staff might receive an email with a link to a “spoof” (a fake site that looks like that of a reputable company) of a legitimate document-sharing site, such as Dropbox or Office 365. Once the criminals obtain that employee’s login information, they’ll have access to all of the information stored on the staffer’s computer, as well as access to your nonprofit’s network. This can include donor data, accounting records and HR information about employees.
Increasingly, cybercriminals are using phishing emails to perpetrate ransomware attacks. They gain control of an organization’s network and data and lock legitimate users out. They then hold the data hostage until the victim organization pays a ransom. The criminals might leak some confidential information to the public or on the “dark web” to show they’re serious and to encourage quick payment. Most ransomware perpetrators release the data after they receive a ransom — but not always.
What prevention training can be done?
Don’t think that nonprofits are immune from cyberattacks, including ransomware demands. Criminals have hacked everything from government agencies to hospitals to large charities, so it’s critical that you act defensively and provide training to all staffers. Training should cover various phishing schemes and include testing so employees can see how easy it is to fall prey to scams.
Red flags of phishing include messages with a sense of urgency, such as a subject line that says, “Are you available right now?” Or subject lines might include references to upcoming meeting agendas, job applications, payroll questions and password verifications. Still others may reference important messages from HR regarding vacation or COVID-19 policies.
In addition, phishing messages frequently are peppered with bad grammar and misspelled words. They may use numbers and special characters that look like letters to dodge anti-phishing software. And, of course, they usually include URLs that are close, but not identical, to the addresses of real company sites.
Are there other security steps?
To fend off cyberattacks, your organization should consider using password managers. A surprising number of employees still use easily hacked passwords such as 1234 and PASSWORD. Password managers generate much more complex passwords and store them for users. At the very least, require employees to come up with complex passwords and change them frequently.
Two-factor authentication — which requires users to log in normally and confirm their identity via text or phone — is also advisable. And be sure to implement hardware and software updates on a timely basis. Finally, stop using programs that are no longer supported by their makers.
Ask for help
Staying on top of your cybersecurity takes effort. We can help you take the next steps.