Category: cyber security

Responsible by Design: Building Guardrails for Safe Generative AI Use in the Workplace

Categories: cyber security, Data, Nonprofit

According to a McKinsey report, 8 in 10 companies report using GenAI. The question isn’t whether your organization uses GenAI, but how it will use it safely. And, if you are not in front of that question, leading and guiding your team in responsible generative AI use, they may inadvertently use it in ways that compromise data security.

Who Uses GenAI and Why?

Ask your team who is using GenAI and then dig into the reasons why they are using specific platforms. The answers will help guide you as you craft a GenAI use policy and consider paid versions of individual platforms.

Free platforms offer decent web searching, with some, like Copilot, providing source links. If your team is using these tools to quickly find information, that’s fine. But be sure they understand the ramifications of uploading data or text into any of the “free” and public GenAI tools such as ChatGPT and Copilot. Most, if not all, free tools ingest data for training purposes. This may or may not expose the data to others. It’s always best to err on the side of caution and limit the use of public, free AI tools to finding or using publicly available data. For optimal data protection and security in AI platforms, the best recourse is to select paid, enterprise versions and ensure that the security settings protect your organization.

The Basics of Business AI Use

Does your organization have a policy for using AI? If not, it’s time to draft one. Such a policy spells out for employees how generative AI may be used, under what circumstances, and which tools employees may use.

If you do not explicitly tell people which platforms they can and cannot use, they will use whatever tools they wish, including platforms that are not controlled as part of your company’s technology systems. These non-company-sanctioned platforms are referred to as “shadow IT.”  They can be problematic in that accidentally misusing them can expose your data to unwanted third parties.

Give Employees Access to Approved Platforms

Evaluate your company’s needs and examine workflows. Where might AI tools be helpful? The results of this evaluation can be used to select one or two AI tools to pilot.

Enterprise-level paid subscriptions to common AI platforms, such as paid Microsoft Copilot and ChatGPT, offer multiple benefits. They can be integrated with existing platforms, such as Copilot integration with SharePoint, to maximize efficiency and usage. They can also come with added privacy guardrails that ensure no sensitive data leaks from your company’s systems.

Be sure to read the fine print on any platforms you use. Some enterprise-level subscriptions still do not let users opt out of having their data used for training, which means your data can be stored on the platform to train the LLM (large language model). If there is any chance that sensitive data will reach a GenAI tool, and that tool is set to use your data for training, you should skip that tool and find another.

Discuss with your IT team how to secure your data even further. Enterprise-level systems have multiple safeguards, too many to discuss in this article. And each tool differs in what is available and how it is used. The goal is to ensure privacy and security for all your data without compromising productivity.

Limit Access to Sensitive Files and Systems

Another step to maintain data confidentiality is to limit access to it. If users can’t download or view sensitive data, they can’t use it. And, if your AI tools are blocked from specific files, or the files are housed in a separate system that AI cannot access, you are protecting it from unauthorized use. Payroll and HR, for example, may be kept on entirely separate systems to ensure that no sensitive personal information is accidentally leaked through the AI.

Data Loss Prevention

Consider adding data loss prevention tools to your tech stack, too. Data loss prevention is a cybersecurity strategy that helps your company identify, monitor, and protect sensitive data. It helps prevent confidential information from being shared either accidentally or intentionally. It also prevents unauthorized users from accessing data. The tools can block, encrypt, or alert users when they sense risky behavior.

Depending on the platform chosen, these tools can protect laptops, cloud services, email, and more. They are great at helping companies maintain data compliance policies. They can reduce the risk of data breaches and improve overall security.
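As an added example that is not part of the original post, the following Python sketch shows the kind of check a DLP tool applies before text leaves for a GenAI platform: it detects sensitive identifiers in the outbound text, then allows, alerts, or blocks depending on whether the destination is an approved enterprise tool or an unsanctioned public one. The platform names, detection patterns, keyword list and policy thresholds are assumptions for illustration.

```python
"""Minimal DLP-style gate for text pasted into a GenAI tool (added example).
Assumed: the allow-list below names the company's sanctioned platforms."""
import re
from dataclasses import dataclass

# Hypothetical allow-list of company-sanctioned GenAI destinations.
APPROVED_PLATFORMS = {"copilot-enterprise", "chatgpt-enterprise"}

# US SSN shape, rejecting area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card numbers (13-19 digits, optional spaces/dashes),
# confirmed with the Luhn checksum so plain long numbers are not flagged.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Weak signals that payroll/HR material is being shared (assumed list).
HR_KEYWORDS = ("salary", "payroll", "social security", "termination")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str    # "ssn", "card" or "hr_keyword"
    sample: str  # the matched text (would be masked in a real log)


def scan(text: str) -> list:
    """Collect sensitive-data findings in the outbound text."""
    findings = [Finding("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("card", digits))
    low = text.lower()
    findings += [Finding("hr_keyword", kw) for kw in HR_KEYWORDS if kw in low]
    return findings


def decide(text: str, destination: str) -> str:
    """Policy: allow clean text; block hard identifiers (SSN, card) anywhere;
    block anything sensitive bound for a non-approved (shadow IT) tool;
    otherwise alert the user on weaker HR signals to an approved tool."""
    findings = scan(text)
    if not findings:
        return "allow"
    if destination not in APPROVED_PLATFORMS:
        return "block"
    hard = any(f.kind in ("ssn", "card") for f in findings)
    return "block" if hard else "alert"
```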

Employee Training

Lastly, employee training is vital to ensuring responsible AI usage. Just as you provide (or should provide) frequent cybersecurity training to make sure cybersecurity best practices remain top of mind, AI training helps employees understand all the ramifications of using these tools. It also ensures that you set the rules before employees become entrenched in their own way of accessing and using AI.

Responsible AI Usage

As companies continue to adopt AI, it’s vital to maintain safeguards to protect sensitive data. Choosing the right platforms, purchasing enterprise-level licenses, working with your IT department to safeguard data, and even housing sensitive systems and files separately are all possible ways to protect data. Never forget employee training, which is also a key element to keeping data safe.

Welter Consulting

Welter Consulting bridges people and technology together for effective solutions for nonprofit organizations. We offer software and services that can help you with your accounting needs. Please contact us for more information.

Imagining the Unimaginable: Recovery from a Personal Data Breach

Categories: cyber security, Data, Nonprofit

Can you imagine losing $43 billion? It’s hard to imagine losing $43, let alone $43 billion, but that’s what AARP claims American adults lose to identity theft and fraud each year. That’s a staggering number. And it doesn’t matter whether this information is lost by an organization that failed to protect customer data or an individual who fell for a phishing scam—the results are the same. Lost time, lost reputation, and yes, often blame and shame.

Cybercriminals continue to grow increasingly sophisticated in using both technology and psychology to trick victims into disclosing sensitive personal or financial information that can lead to theft and fraud. If you’ve fallen victim, please don’t blame yourself. Instead, act now to recover from the situation.

An Ounce of Prevention

The old saying “an ounce of prevention is worth a pound of cure” is very apt when it comes to identity theft. Many organizations, including the IRS, have published information to help people whose identities were stolen as part of a tax fraud scam. But did you know that there are 20 types of identity theft? Credit and debit card theft, stealing mail to gain access to confidential information, and other types of theft are common ways in which criminals gain access to personal information.

Many credit card companies now have safeguards against such theft by locking cards and contacting the cardholder when card activity suddenly increases past the cardholder’s typical activities. Still, it’s not foolproof. Consumers should monitor their credit cards, bank accounts, and credit scores frequently and guard against phishing emails or phone calls designed to trick the unwary into revealing sensitive information through a sense of urgency or familiarity.

How Do You Know If Your Data Is Compromised?

When personal data is compromised, it can lead to serious consequences, including financial loss, identity theft, and ongoing security risks. Consumers may notice unauthorized transactions, unfamiliar login attempts, or receive password reset emails they didn’t request—all potential signs of a breach. Additionally, a surge in spam calls or phishing emails could indicate that personal information has been leaked to third parties. In some cases, unexplained changes to security settings, such as modifications to two-factor authentication, may suggest that an account has been accessed without permission.

To identify whether personal data has been exposed, individuals can closely monitor their financial accounts, review credit reports for unusual activity, and utilize online tools designed to detect breaches. Many organizations offer data breach notification services that alert users if their information appears in leaked databases. If suspicious activity is detected, immediate action is necessary—this includes updating passwords, enabling additional security measures, and reporting the incident to the relevant financial institutions or authorities.

Recovering from a personal data breach requires a proactive approach. Establishing strong security habits, such as using unique passwords for each account and enabling multi-factor authentication, can help mitigate future risks. Consumers should also remain vigilant against phishing attempts and fraudulent communications, as cybercriminals often exploit compromised data to launch further attacks.

Recovering from a Data Breach

Although there is a lot of information published online to help individuals recover from a data breach, it can feel overwhelming to sort through it all. One helpful tool provided by the Federal Trade Commission is an interactive website, Identity Theft, which can help you create a personalized recovery plan.

If you suspect your personal data has been compromised, acting quickly can help minimize potential damage. Here are the key steps to take:

  1. Confirm the breach: Check for unusual activity in your accounts, such as unauthorized transactions, password reset emails you didn’t request, or unfamiliar logins. If a company notifies you of a breach, verify the details through their official website.
  2. Secure your accounts: Change passwords for affected accounts. Don’t reuse passwords across multiple sites. Multi-factor authentication also adds another layer of protection.
  3. Monitor financial activity: Review your bank and credit card statements for suspicious transactions. You can also place a fraud alert on your accounts or freeze your credit.
  4. Watch for phishing attempts: Scammers often use leaked data to send convincing emails or texts asking for personal information. Don’t click links in the email. Instead, close it, open a new browser tab, and log in to the account directly to check whether the message is legitimate.
  5. Check for identity theft: If sensitive information, such as your Social Security number, has been exposed, monitor your credit reports and consider enrolling in an identity theft protection service.
  6. Report the breach: Notify your bank, credit card issuer, or relevant authorities if you detect fraudulent activity. If the breach involves your workplace or a service provider, follow their recommended security steps.
  7. Stay informed: Keep an eye on updates from the breached company and cybersecurity experts. They may provide additional guidance or offer free credit monitoring services.

Taking these steps can help protect your personal information and reduce the risk of further harm.


Cybersecurity Priorities for CFOs

Categories: cyber security, Nonprofit

The recent flurry of FBI warnings against new malware, ransomware, and other cybersecurity threats should have every CFO on edge. Nonprofit databases may contain sensitive data such as personally identifiable information, health records, and more that attract attacks. And, if you think you are immune because your organization is small (and therefore, in your mind a lesser target), think again: cyber attacks against nonprofits grew by 30% in 2024.

Given this information, what cybersecurity priorities should you focus on? The following list offers general guidance. In addition to this information, it may be prudent to speak with your IT director, managed services provider, or technology consultant so that you have a sound plan to protect your valuable data.

Four Cybersecurity Priorities for Nonprofits

The most pressing cybersecurity issues facing CFOs today include ransomware threats, human error, third-party access, and ensuring systems are updated.

Ransomware Threats

Ransomware typically enters a system through users clicking infected links. So-called phishing attacks spoof, or fake, a well-known website, such as Amazon, a bank, or another trusted and frequently used site. The user may be taken to an infected page or prompted to enter login credentials by clicking the link. This can then infect their computer and possibly the entire network. The ransomware encrypts data, effectively locking it until a ransom demand is paid.

Human Error

Most ransomware enters systems through human error. Clicking the wrong link, entering credentials without considering the validity of the request, or downloading infected material all put your company at risk.

New attacks are even more sophisticated. Some include text messages and phone calls from someone purporting to be from IT asking the user to reset their password. The “IT person” asks the employee for their password to “verify it.” This enables the caller to log into the system themselves, reset the password, and begin whatever crime they want to commit. Some companies report their executives as the target, with the criminals contacting executive assistants and pretending to be helping the CEO with their password reset.

In all cases of human error, the criminals rely on human psychology to trick their victims into making mistakes. They present a sense of urgency, often hinting that something dire will happen if the victim doesn’t respond quickly. Or, they pretend to be a trusted colleague, such as an IT person, to fool the end-user.

Third-Party Risks

With the rise of cloud computing, it’s easier than ever to allow others to access your system. Auditors, for example, are often given access to accounting and financial systems so they can complete some of their work offsite. You may have vendors who access shared cloud drives, instant messaging apps, or other systems. Each person outside of your company who can access your system represents another potential risk.

Operating Systems and Software

Outdated software and operating systems pose a security risk. Criminals exploit known vulnerabilities. Systems that aren’t updated or patched are akin to leaving the front door of your house wide open to let a burglar inside.

Your team must ensure that all operating systems and software are updated whenever the vendor releases patches or updates. This includes operating systems (like Windows), software (nonprofit accounting software, donor relationship management, and others), and even websites.

Systems that are no longer supported by the vendor should be replaced. For example, Microsoft has announced it is ending support for Windows 10 on October 14, 2025. While computers running Windows 10 will continue to work, Microsoft will no longer issue security patches, leaving machines running version 10 potentially vulnerable to attack. Updating the operating system to Windows 11 ensures that as new vulnerabilities are discovered, you will receive the appropriate updates and patches to address them.

Addressing Cybersecurity Challenges

This list is just the start of a much bigger list of potential cybersecurity risks and challenges that CFOs face. To address them, consider creating a cyber risk and proactive protection plan that addresses common pain points such as:

  1. Keeping abreast of the latest ransomware attacks and communicating information to employees.
  2. Frequent training and awareness programs to help employees identify possible phishing attacks.
  3. Addressing third-party access by reviewing who has access to what and removing permission once the need is gone.
  4. Working with IT to identify and update vulnerable points within your systems and platforms, including a schedule to update aging software and equipment.

As a CFO, you are entrusted with a great deal of responsibility. You are one of the organization’s leaders who knows and understands the risks. But you are also in an excellent position to address these and other emerging threats.


The Role of Security Champions in Your Organization

Categories: cyber security, Nonprofit

The Cyber Peace Institute calls nonprofits “cyber poor, data-rich.” According to the Tech For Good 2023 report, 27% of nonprofits worldwide have experienced a cyberattack.

This combination of enticing targets and low preparation for cyberattacks makes nonprofits especially vulnerable. Whether the attack is hacking, phishing, an email scam or another form of cyberattack, nonprofits fall victim just as for-profit companies do, but they often lack the tech resources to ward off attacks or fight back.

This is where having a security champion in your organization can help. A security champion is a member of the team who takes on added responsibilities for cyber security. Even if they do not have advanced training in this field, they can still do a great deal to help your organization fend off, prepare for, or respond to an attack. Here’s how appointing a security champion can benefit your organization.

Keeping Security Top of Mind

The main responsibility of a security champion is to keep cybersecurity at the forefront of the entire organization’s mind.

Everyone is busy, and it’s easy to forget about cyber security amid a workday with phones ringing, emails and text messages every minute, meetings and more. The cyber security champion ensures that everyone, in every department, is aware of the latest threats, understands how to spot them, and knows what not to fall for when criminals come knocking at the virtual door.

These responsibilities may include:

  • Education: Many cyberattacks succeed not through sophisticated technology but by tricking employees into divulging passwords and other sign-on credentials. Security champions spend time learning these tricks, then teach their teammates how to spot and avoid them. This education is ongoing; it is never “once and done,” because it keeps awareness of potential threats current across the organization.
  • Best Practices: Criminals find new ways to infiltrate systems and steal data. The security champion reads up on the latest findings and ensures that everyone is aware of the latest best practices.
  • Risk Assessment and Threat Modeling: The champion identifies potential risks and provides threat modeling and risk assessment.
  • Incident Response: Security champions create incident response plans. They evaluate risks and provide a framework to respond if a breach occurs.
  • Other areas in which a security champion may be helpful include security evaluation, code testing, and continuous improvement suggestions.

But My Organization Is Too Small for a Security Champion!

No organization should take cyber security for granted. The average cost of a data breach, according to IBM and the Ponemon Institute, is $4.45 million. And while you may do all the right things to protect against a breach, including appointing a security champion, the risk remains. It is vital for nonprofits to take every possible step to prevent cyber security breaches, and having a champion on the team is a good step towards achieving this goal.
