Category

cyber security

Apr 16
0

Cybersecurity Priorities for CFOs

By | cyber security, Nonprofit | No Comments
two people in front of laptop, lock overlay to represent cybersecurity measures for CFOs

The recent flurry of FBI warnings against new malware, ransomware, and other cybersecurity threats should have every CFO on edge. Nonprofit databases may contain sensitive data such as personally identifiable information, health records, and more that attract attacks. And, if you think you are immune because your organization is small (and therefore, in your mind a lesser target), think again: cyber attacks against nonprofits grew by 30% in 2024.

Given this information, what cybersecurity priorities should you focus on? The following list offers general guidance. In addition to this information, it may be prudent to speak with your IT director, managed services provider, or technology consultant so that you have a sound plan to protect your valuable data.

Four Cybersecurity Priorities for Nonprofits

The most pressing cybersecurity issues facing CFOs today include ransomware threats, human error, third-party access, and ensuring systems are updated.

Ransomware Threats

Ransomware typically enters a system through users clicking infected links. So-called phishing attacks spoof, or fake, a well-known website, such as Amazon, a bank, or another trusted and frequently used site. The user may be taken to an infected page or prompted to enter login credentials by clicking the link. This can then infect their computer and possibly the entire network. The ransomware encrypts data, effectively locking it until a ransom demand is paid.

Human Error

Most ransomware enters systems through human error. Clicking the wrong link, entering credentials without considering the validity of the request, or downloading infected material all puts your company at risk.

New attacks are even more sophisticated. Some include text messages and phone calls from someone purporting to be from IT asking the user to reset their password. The “IT person” asks the employee for their password to “verify it.” This enables the caller to log into the system themselves, reset the password, and begin whatever crime they want to commit. Some companies report their executives as the target, with the criminals contacting executive assistants and pretending to be helping the CEO with their password reset.

In all cases of human error, the criminals rely on human psychology to trick their victims into making mistakes. They present a sense of urgency, often hinting that something dire will happen if the victim doesn’t respond quickly. Or, they pretend to be a trusted colleague, such as an IT person, to fool the end-user.

Third-Party Risks

With the rise of cloud computing, it’s easier than ever to allow others to access your system. Auditors, for example, are often given access to accounting and financial systems so they can complete some of their work offsite. You may have vendors who access shared cloud drives, instant messaging apps, or other systems. Each person outside of your company who can access your system represents another potential risk.

Operating Systems and Software

Outdated software and operating systems pose a security risk. Criminals exploit known vulnerabilities. Systems that aren’t updated or patched are akin to leaving the front door of your house wide open to let a burglar inside.

Your team must ensure that all operating systems and software are updated whenever the system vendor makes patches or updates. This includes operating systems (like Windows), software (nonprofit accounting software, donor relationship management, and others), and even websites.

Systems that are no longer supported by the vendor should be replaced. For example, Microsoft has announced it is ending support for Windows 10 on October 14, 2025. While computers running Windows 10 will continue to work, Microsoft will no longer issue security patches, leaving machines running version 10 potentially vulnerable to attack. Updating the operating system to Windows 11 ensures that as new vulnerabilities are discovered, you will receive the appropriate updates and patches to address them.

Addressing Cybersecurity Challenges

This list is just the start of a much bigger list of potential cybersecurity risks and challenges that CFOs face. To address them, consider creating a cyber risk and proactive protection plan that addresses common pain points such as:

  1. Keeping abreast of the latest ransomware attacks and communicating information to employees.
  2. Frequent training and awareness programs to help employees identify possible phishing attacks.
  3. Addressing third-party access by reviewing who has access to what and removing permission once the need is gone.
  4. Working with IT to identify and update vulnerable points within your systems and platforms, including a schedule to update aging software and equipment.

As a CFO, you are entrusted with a great deal of responsibility. You are one of the organization’s leaders who knows and understands the risks. But you are also in an excellent position to address these and other emerging threats.

Welter Consulting

Welter Consulting bridges people and technology together for effective solutions for nonprofit organizations. We offer software and services that can help you with your accounting needs. Please contact us for more information.

Sep 24
0

The Role of Security Champions in Your Organization

By | cyber security, Nonprofit | No Comments
person sitting in office chair in front of several computer monitors with fists in the air

The Cyber Peace Institute calls nonprofits “cyber poor, data-rich.” According to the Tech For Good 2023 report, 27% of nonprofits worldwide have experienced a cyberattack.

This combination of enticing targets and low preparation for cyberattacks makes nonprofits especially vulnerable. Whether hacking, phishing, email scams or other forms of cyberattack, nonprofits fall victim to them the same as for-profit companies, but often lack the tech resources to ward off attacks or fight back.

This is where having a security champion in your organization can help. A security champion is a member of the team who takes on added responsibilities for cyber security. Even if they do not have advanced training in this field, they can still do a great deal to help your organization fend off, prepare for, or respond to an attack. Here’s how appointing a security champion can benefit your organization.

Keeping Security Top of Mind

The main responsibility of a security champion is to keep cybersecurity at the forefront of the entire organization’s mind.

Everyone is busy, and it’s easy to forget about cyber security amid a workday with phones ringing, emails and text messages every minute, meetings and more. The cyber security champion ensures that everyone, in every department, is aware of the latest threats, understands how to spot them, and knows what not to fall for when criminals come knocking at the virtual door.

These responsibilities may include:

  • Education: Many cyberattacks succeed not through sophisticated technology but by tricking employees into divulging passwords and other sign-on credentials. Security champions spend time learning the tricks, then teach their teammates how to spot and avoid them. This education is ongoing. It is never “once and done.” It raises awareness of potential threats and teaches everyone how to spot and avoid them.
  • Best Practices: Criminals find new ways to infiltrate systems and steal data. The security champion reads up on the latest findings and ensures that everyone is aware of the latest best practices.
  • Risk Assessment and Threat Modeling: The champion identifies potential risks and provides threat modeling and risk assessment.
  • Incident Response: Security champions create incident response plans. They evaluate risks and provide a framework to respond if a breach occurs.
  • Other areas in which a security champion may be helpful include security evaluation, code testing, and continuous improvement suggestions.

But My Organization Is Too Small for a Security Champion!

No organization should take cyber security for granted. The average cost of a data breach, according to IBM and the Ponemon Institute, is $4.45 million dollars. And while you may do all the right things to protect against a breach, including appointing a security champion, the risk remains. It is vital for nonprofits to take every possible step to prevent cyber security breaches, and having a champion on the team is a good step towards achieving this goal.

Welter Consulting

Welter Consulting bridges people and technology together for effective solutions for nonprofit organizations. We offer software and services that can help you with your accounting needs. Please contact us for more information.

May 21
0

How to Stop Cybercriminals In Their Tracks: Prevent Cyber Crime

By | cyber security, Nonprofit | No Comments
person at keyboard with lock overlay to convey cyber security

The Board Effect, which publishes key stats that nonprofit board members need to know, released starting figures on cybercrime. According to their report, 50% of NGOs have been the victim of at least one cyber-attack. Even more surprising is that 9 out of 10 organizations do not train their staff on cyber security.

When nonprofits fall victim to cyber-attacks, it does more than create a headache. It can harm their reputation beyond repair. It can be costly to remediate the systems that are breached. It can result in lawsuits from disgruntled members or donors whose personal information has been stolen. And, given that The Board Effect report states it can take 22 days to recover from an attack, it can severely disrupt daily operations.

You don’t need to hire costly consultants or install expensive equipment to ward off most attacks. In fact, the most common way for criminals to get beyond your firewalls and first lines of defense is by tricking your own staff into divulging their information! Here, we have put together a brief list of steps you can take to mitigate many of the dangers of cybercrime. Bear in mind that no amount of preparation can ward off every danger, but with the right systems and training, you can prevent many instances.

Seven Steps to Prevent Cybercrime

Nonprofits can fall victim to many types of cybercrimes. Among those most commonly encountered, you may find phishing attacks, which try to trick people into clicking links and divulging personal information such as user names and passwords; ransomware attacks, which lock systems until a ransom is paid; malware, trojans, and viruses, all of which “infect” a computer and make the computer do something you don’t want it to do (like spam others, redirect you to a specific website, or infect other machines). The key to avoiding most of these common crimes lies in the seven steps to preventing cybercrime.

  1. Train employees in the basics of internet security. Teach employees how to spot phishing emails and how to avoid clicking malicious links. Educate them on why they need to choose strong passwords and change them frequently. Once you’ve provided employee training, host refresher sessions. People tend to get complacent over time. All it takes is one slip to pick up a nasty bit of ransomware or enable crooks to breach personal information in the system.
  2. Keep systems updated. Do you know those annoying notices to update your system? They are there for a reason. As new cybercrimes emerge, software programmers tweak the code in their systems to close gaps and protect against attacks. By updating your software to the latest version, you’re closing those gaps, too. This includes updating operating systems, specific software (accounting, payroll, operations, productivity), and software running on your peripheral devices, such as printers.
  3. Install the best security protection you can. Install antivirus software on every machine for your organization and ensure it is always updated and running.
  4. Enable firewall protection. Firewalls are sets of programs that prevent outsiders from accessing networked systems. Your organization’s network should have a firewall running to protect systems. If employees work from home, they should also have a firewall installed.
  5. Secure WiFi networks. Make sure your WiFi network is password protected, and do not allow employees to share passwords outside of the organization. Change passwords regularly.
  6. Enable 2FA on sensitive accounts. Two-factor authentication sends a code or uses special mobile authenticator apps to ensure that whoever is logging into an account is a valid user. Many social media and cloud-based platforms now use 2FA. They offer another layer of security to prevent unauthorized users who may guess a password. If the system does not recognize the device accessing it, it may prompt 2FA, resulting in a lockout that can prevent access to the platform.
  7. Limit employee access; set up role-based access. If your system enables role-based access, it’s a smart move, as it enables you to control who has access to which areas of a system. You may be able to set permissions so that only senior level team members can access sensitive data, reset passwords, access financial information, etc. Work with your software consultant or IT service provider to set permissions for your system.

The best defense, as they say, is a good offense. Be on the offensive when it comes to attacks against your organization. While many consider nonprofits a lesser target than large for-profit enterprises, the truth is that nonprofits typically have fewer resources to fight back against ransomware attacks and other cybercrimes. This makes them easy targets. You make your organization a much harder target for crooks by taking these seven steps to prevent cybercrime.

Welter Consulting

Welter Consulting bridges people and technology together for effective solutions for nonprofit organizations. We offer software and services that can help you with your accounting needs. Please contact us for more information.

Jan 06
0

Improve Cyber Security for Remote Employees

By | cyber security | No Comments
remote employee working on home computer

Many organizations that eschewed remote work embraced it during the pandemic. Now, despite the abatement of the virus in many areas, organizations realize that adding a remote or hybrid work option to their policies is to their benefit. Not only can they attract more qualified applicants, but they can retain employees who might otherwise leave them without the availability of remote work.

Given that remote work is here to stay, it is important to look more at the cons as well as the pros. We know that remote work is attractive to employees. But on the flip side, as more people log in virtually, remote work is attracting cyber criminals, too. Criminals are finding remote workers an easier target. It’s vital to take steps to safeguard your organization against cybercriminals who can exploit remote workers and tap into sensitive data.

Scammers on the Rise

Scammers have always plagued organizations with all sorts of ploys, but the pandemic seems to have increased their number. Here are some of the newer scams hitting corporations and organizations nationwide. Many of the victims are remote workers.

The gift card scam: In this scam, someone pretending to be an employee, manager, or even the president of an organization messages an actual employee and asks them to purchase a gift card or debit card. The story is typically that the manager/president is in a meeting and wants to surprise someone with a gift card, but they can’t leave the meeting to purchase it. They ask the employee to purchase the gift card online and send them the information via a text or email. The scammers, of course, make off with the information needed to redeem the gift card, leaving the employee with the bill.

The” I lost my password” scam: Criminals know that executive assistants are often entrusted with sensitive information by senior-level executives. Many executive assistants know their supervisor’s birthdate, social security number, or computer password, for example. In this scam, someone purporting to be the manager contacts the assistant and pretends they’ve lost their password. If the assistant is working remotely, they may not be able to ask the account holder if indeed they are looking for their password. Unwary assistants have divulged passwords to criminals who can then enter sensitive systems and make off with data they can resell.

Phishing scams: Phishing scams are still active, and some have gotten more sophisticated. Many arrive in workers’ inboxes and look like documents sent by HR departments. Often, the email includes a link to click to update personal information such as a W9. The link directs the person to a site that captures the personal data and can lead to identity theft.

Other Security Steps to Take

In addition to the proliferation of scams, few organizations have improved their cyber security to protect systems during remote work access. Steps your team can take to secure access to critical information include:

  • Teaching remote workers basic home cyber security, such as protecting their SSID (home network) name and password, not accessing public Wi-Fi to link to organization systems, and not sharing a computer with open access with other family members.
  • Asking workers to either use company-issued hardware, such as computer purchased laptops, for work related matters, or locking user accounts on shared equipment with other family members by using a password.
  • Updating software, including operating system (Windows 11/MacOS) and commonly used applications.
  • Avoiding free software and non-company approved downloads of apps or software to organization-owned hardware. Some downloads contain viruses, while others just contain bloatware (excess computer code that slows machines down).

Communication Can Stave Off Many Cyber Attacks

One of the best ways to avoid compromising sensitive data is to ensure that remote workers feel connected to their teammates and free to ask questions at any time. Set up instant messenger platforms such as Slack, WhatsApp, or others to enable coworkers to reach out quickly to colleagues. One quick note (“Hey, are you at a client’s office, and are you really asking me to buy you a gift card?”) can save a lot of headaches later.

Remote workers may be more vulnerable to scams than those working in-person simply because they don’t have easy access to supervisors to check on the story given to them by the scammers. By improving awareness and communication, you can do a lot to prevent cybercrimes at your nonprofit organization.

About Welter Consulting

Welter Consulting bridges people and technology together for effective solutions for nonprofit organizations. We offer software and services that can help you with your accounting needs. Please contact Welter Consulting at 206-605-3113 for more information.