
Improve Cyber Security for Remote Employees


Many organizations that eschewed remote work embraced it during the pandemic. Now, despite the abatement of the virus in many areas, organizations realize that adding a remote or hybrid work option to their policies is to their benefit. Not only can they attract more qualified applicants, but they can retain employees who might otherwise leave them without the availability of remote work.

Given that remote work is here to stay, it is important to look more at the cons as well as the pros. We know that remote work is attractive to employees. But on the flip side, as more people log in virtually, remote work is attracting cyber criminals, too. Criminals are finding remote workers an easier target. It’s vital to take steps to safeguard your organization against cybercriminals who can exploit remote workers and tap into sensitive data.

Scammers on the Rise

Scammers have always plagued organizations with all sorts of ploys, but the pandemic seems to have increased their number. Here are some of the newer scams hitting corporations and organizations nationwide. Many of the victims are remote workers.

The gift card scam: In this scam, someone pretending to be an employee, manager, or even the president of an organization messages an actual employee and asks them to purchase a gift card or debit card. The story is typically that the manager/president is in a meeting and wants to surprise someone with a gift card, but they can’t leave the meeting to purchase it. They ask the employee to purchase the gift card online and send them the information via a text or email. The scammers, of course, make off with the information needed to redeem the gift card, leaving the employee with the bill.

The “I lost my password” scam: Criminals know that executive assistants are often entrusted with sensitive information by senior-level executives. Many executive assistants know their supervisor’s birthdate, social security number, or computer password, for example. In this scam, someone purporting to be the manager contacts the assistant and pretends they’ve lost their password. If the assistant is working remotely, they may not be able to ask the account holder if indeed they are looking for their password. Unwary assistants have divulged passwords to criminals who can then enter sensitive systems and make off with data they can resell.

Phishing scams: Phishing scams are still active, and some have gotten more sophisticated. Many arrive in workers’ inboxes and look like documents sent by HR departments. Often, the email includes a link to click to update personal information such as a W9. The link directs the person to a site that captures the personal data and can lead to identity theft.

Other Security Steps to Take

In addition to the proliferation of scams, few organizations have improved their cyber security to protect systems during remote work access. Steps your team can take to secure access to critical information include:

  • Teaching remote workers basic home cyber security, such as protecting their home network name (SSID) and password, not using public Wi-Fi to connect to organization systems, and not sharing a computer with open access with other family members.
  • Asking workers to either use company-issued hardware, such as company-purchased laptops, for work-related matters, or lock their user accounts with a password on equipment shared with other family members.
  • Updating software, including the operating system (Windows 11/macOS) and commonly used applications.
  • Avoiding free software and non-company approved downloads of apps or software to organization-owned hardware. Some downloads contain viruses, while others just contain bloatware (excess computer code that slows machines down).

Communication Can Stave Off Many Cyber Attacks

One of the best ways to avoid compromising sensitive data is to ensure that remote workers feel connected to their teammates and free to ask questions at any time. Set up instant messenger platforms such as Slack, WhatsApp, or others to enable coworkers to reach out quickly to colleagues. One quick note (“Hey, are you at a client’s office, and are you really asking me to buy you a gift card?”) can save a lot of headaches later.

Remote workers may be more vulnerable to scams than those working in-person simply because they don’t have easy access to supervisors to check on the story given to them by the scammers. By improving awareness and communication, you can do a lot to prevent cybercrimes at your nonprofit organization.

About Welter Consulting

Welter Consulting bridges people and technology together for effective solutions for nonprofit organizations. We offer software and services that can help you with your accounting needs. Please contact Welter Consulting at 206-605-3113 for more information.

A Fresh Approach to Cybersecurity


Cybersecurity remains a topic of critical importance for nonprofits. Attacks have risen dramatically, with the costs associated with cyberattacks increasing from $3 trillion in 2015 to an estimated $10.5 trillion in 2025. Nonprofits are especially vulnerable given their smaller staffs and, often, a lack of IT resources to combat the threats.

Added to these vulnerabilities is the sheer feeling of being overwhelmed from dealing with multiple security layers and platforms required for modern cybersecurity. False alarms, confusing error messages, and other issues can also make managing cybersecurity a challenge for nonprofits.

Strong Security Depends on Employee Vigilance

The best defense is a good offense, as they say. Employee vigilance is your offensive game against potential cyberattacks. Offer a brief refresher annually on how to spot potential scams and attacks, including:

  • Avoid opening emails that look suspicious
  • Do not click on password reset links unless you initiated the reset request
  • Do not click on links from emails that look like they are from reputable companies but have telling mistakes in the copy, such as grammatical errors, slight misspellings of the company name, etc.
  • Never give your password out to anyone

If anyone on your team has your password and is authorized to log in on your behalf to any system, be sure to let them know that you will never ask anyone to call them for the password itself. A recent scam is a caller pretending to be someone who works with or knows the CEO, President, or CFO, and then asking for the password on behalf of that employee. This is typically an attempt to gain easy entrée into banking, credit card, and records systems in the company that could be worth thousands on the dark web (digital black market).

Leverage New Technology to Keep Security Simple and Strong

Cloud computing offers stronger and simpler security defenses that can be leveraged by organizations of all sizes. Cloud service providers install multiple security layers and alert systems intended to protect both their own cloud infrastructure and the businesses that rely on it. And, because they have multiple customers and millions of dollars invested in their delivery architecture, they take great pains to protect it from external attacks.

Another way to shield your organization from attack is to leverage a good web hosting company. Such companies have in place many detection methods to protect your site from denial-of-service (DoS) attacks and other direct attacks on your website.

Lastly, consider upgrading your virus protection systems. Real-time protection may include scanning websites as employees use search engines for their work, scanning downloads, using cloud-based document storage systems with built-in virus protection, and similar measures.

Update Your Software, Systems, and Platforms as Needed

Most major software companies conduct threat monitoring and intelligence, scanning the digital environment for new and emerging threats and developing protection against them. Every software maker and computer manufacturer issues periodic updates to its programs and platforms. These updates are essential to close known security gaps and issue patches to protect against new threats.

Look for security updates for the following systems:

  • Operating systems (e.g., Apple/Mac, Microsoft)
  • Office productivity suites (Microsoft Word, Excel, PowerPoint)
  • Mobile phone operating systems (Android, iOS)
  • Web browsers (Chrome, Edge, Firefox, Safari, and many others)
  • Specialized nonprofit systems such as accounting or grant management systems
  • Website updates (WordPress themes and plugins, for example)

Be sure to confirm that your software company did indeed issue that update. Some systems do update automatically. But others that prompt you to update your software should be investigated. You can often find news of updates published in tech journals online as well as on the software manufacturer’s website.

Although many nonprofits are small, they can take mighty steps to protect against cyberattacks. You can do a great deal to protect what you have built in your organization by using these tips.


What Are the Benefits of Moving to Cloud Computing?


Cloud computing utilizes shared network hardware to mitigate security risks and data loss. It lowers costs, improves access and speed, and is often considered the go-to option for many organizations. Let’s explore the reasons why moving to cloud computing can benefit your organization.

Improved Security

Cyber threats have increased exponentially in recent times. Only 26% of nonprofits actively monitor their network environments, a critical step to protect against threats. And more than 70% of nonprofits have not run any cyber threat assessments. Criminals know that nonprofits have neither the bandwidth nor the resources to defend against an attack, thus making them an even more appealing target.

Large cloud computing providers can afford to put into place rigid security protocols to protect donor and fundraising data. They can enact two-factor authentication, secure data transfers, and other steps to secure your data.

When selecting a cloud computing provider, look for one that has attained a Statement on Standards for Attestation Engagements (SSAE) certification, as designated by the American Institute of Certified Public Accountants (AICPA). Such cloud hosts have undergone a rigorous audit of their systems, including privacy controls, and are less vulnerable to attack.

Private cloud (instead of public cloud) servers may offer greater security. Public cloud has suffered in recent times from data breaches caused by misconfigured servers. If privacy is of deep concern to your organization, consider opting for private instead of public cloud services.

Uninterrupted Access

Many nonprofits faced the sudden shift to remote work when the pandemic arrived. Cloud computing facilitates remote work by providing uninterrupted access to data and servers 24/7. Anywhere you have an internet connection, authorized personnel can log into the system. This enables easier telecommuting and meaningful work while traveling.

Regular Backups

Regular backups safeguard data as well as systems. Increasing data limits does not affect cloud storage, as more storage space can be added easily and quickly. Redundant systems ensure that, no matter what happens or where it occurs, the systems continue to run smoothly.

Affordability

Cloud computing also offers nonprofits a more affordable entrée into enhanced computing power. Cloud systems hosted on shared or private cloud servers are maintained by the hosting company’s staff. IT staff can be deployed to solve onsite problems, provide daily IT services, and provide support for routine IT needs. There is no need for a nonprofit to invest in hardware, additional staff, or the space and equipment needed for staff.

Important Questions to Ask When Moving to the Cloud

If you’re convinced that moving to a cloud-hosted fund accounting program or another cloud-based software system is right for your nonprofit, there are several key questions to ask about the software under consideration.

  1. What is the process to migrate to the cloud? How challenging will it be? What is our organization’s participation in the process? Understand the time and money it will take to make the move to the cloud.
  2. How do the features of this system compare to what I have now? What is better, different, or will change? What remains the same?
  3. Who owns the data? Some contracts have the hosting company owning your data. Read the fine print.
  4. How difficult or easy is this software for our team to learn? When checking references with other software users, ask them this question to obtain direct feedback from other customers.
  5. Will there be any system downtime?
  6. What if we wish to stop using this system or move to a different one? What is the process?
  7. How frequently are backups made and how can we access them if necessary?

Cloud computing makes good sense for many nonprofits. It offers numerous advantages and few disadvantages. If you feel it is the next step for your organization, contact Welter Consulting for assistance.


How to Survive a Ransomware Attack


According to some estimates, a ransomware attack occurs once every 11 seconds. If you think your nonprofit is immune, think again. Nonprofits are often the target of cybercrime simply because criminals know that nonprofits have limited resources to fight back. They are more likely to pay the ransom than defend against attack.

If you find your systems locked and a message on the screen demanding a ransom, you’ve been hit with an attack. Don’t panic. Take a deep breath. It’s time to fight back.

Do You Have a Recovery Plan?

Although most organizations understand the risk of a cyberattack, few have an actual recovery plan in place should they face one. If that describes your organization, it’s time to get one in place.

An “incident response plan” or IRP outlines the teams and people responsible for various aspects of response to a ransomware attack. There are several critical areas that must respond, including IT, communications, public relations, and more.

If you do not have a recovery plan in place, it may be worthwhile to investigate the many templates available online, or work with a consultant to help you create one. Every day that goes by without an IRP in place is another day that puts your organization at serious risk should you be the subject of a cyberattack.

Identify the Source and Contain It

There are many ways in which ransomware can attack your computer systems. Clicking on the wrong link in an email, clicking on a random popup, and exposing your browser to malicious software on an innocent site are all ways that ransomware can penetrate a system.

Your IT department or cyber security response team will need to work diligently to determine the source of the attack. Then, once they figure out how the ransomware got into the system, they will need to contain it.

Think of ransomware like a wolf that gets through the fence and attacks the livestock. The immediate threat is the wolf, and it must be removed to protect the livestock. But after it is removed, the rancher will certainly scrutinize his fences to see where his defenses were down and take immediate steps to fix them so that another attack can be repelled before it advances. That’s what your IT team must do to protect your valuable commodity–your data.

Notify the Legal and Communications Teams

You should also contact your legal representatives so that they can prepare for any fallout from the attack. The communications professionals in your organization must prepare talking points for the CEO, president, and other organizational leaders who may be questioned about any potential data breaches or cyberattacks by the media. They should also prepare talking points to help leadership brief all employees about the problem and the steps being taken to address it.

Law enforcement should also be contacted, specifically the FBI Crime Complaint Center. This group tracks various cybercrimes. Go to the website and complete the online form to register the complaint and the attack with them.

Should You Pay the Ransom?

This is a tricky question. Your first instinct may be, “Oh, heck no!” but the reality may be different. If your IT department feels they can recover the systems and data safely from the attack, then you may not wish to pay the ransom. But, for other, smaller organizations with little recourse, you may have to pay the ransom.

Ultimately, the executives and potentially the board of directors may need to make the final decision about whether to pay the ransom. It may leave a bad taste in your mouth to capitulate to criminal demands, but if the alternative is to lose all your data and systems, you may not have much of a choice.

Successful Defense Starts with a Good Offense

Let’s face it–it’s not a question of if, but a question of when, you’ll encounter some form of cybercrime. A successful defense begins with a strong offense. This includes:

  1. An incident response plan
  2. Updated virus protection programs throughout your organization
  3. Updated software, including websites and third-party code (such as WordPress plugins)
  4. Training for your team on how to avoid clicking suspicious links
  5. Backups kept offline to protect sensitive data

With the right systems, teams, and plans in place, you can withstand a ransomware attack. Now is the time to begin your plan.
