
The Role of Security Champions in Your Organization

By | cyber security, Nonprofit | No Comments

The Cyber Peace Institute calls nonprofits “cyber poor, data-rich.” According to the Tech For Good 2023 report, 27% of nonprofits worldwide have experienced a cyberattack.

This combination of enticing targets and low preparation for cyberattacks makes nonprofits especially vulnerable. Whether hacking, phishing, email scams or other forms of cyberattack, nonprofits fall victim to them the same as for-profit companies, but often lack the tech resources to ward off attacks or fight back.

This is where having a security champion in your organization can help. A security champion is a member of the team who takes on added responsibilities for cyber security. Even if they do not have advanced training in this field, they can still do a great deal to help your organization fend off, prepare for, or respond to an attack. Here’s how appointing a security champion can benefit your organization.

Keeping Security Top of Mind

The main responsibility of a security champion is to keep cybersecurity at the forefront of the entire organization’s mind.

Everyone is busy, and it’s easy to forget about cyber security amid a workday with phones ringing, emails and text messages every minute, meetings and more. The cyber security champion ensures that everyone, in every department, is aware of the latest threats, understands how to spot them, and knows what not to fall for when criminals come knocking at the virtual door.

These responsibilities may include:

  • Education: Many cyberattacks succeed not through sophisticated technology but by tricking employees into handing over passwords and other sign-on credentials. Security champions learn the current tricks, then teach their teammates how to spot and avoid them. This education is ongoing, never “once and done”, because the lures keep changing.
  • Best Practices: Criminals keep finding new ways to get into systems and steal data. The security champion reads up on the latest findings and makes sure everyone in the organization knows the current best practices.
  • Risk Assessment and Threat Modeling: The champion keeps a simple inventory of the systems and data that matter most (donor records, payroll, online banking, email), works out how each could realistically be attacked and what the damage would be, and ranks the risks so that limited time goes to the largest ones first.
  • Incident Response: Security champions write the incident response plan: who to call, how to isolate an affected machine, how to restore from backups, and who decides whether donors or regulators must be notified. Having this written down before a breach is what makes the response orderly rather than improvised.
  • Other areas in which a security champion may be helpful include security evaluation of new tools, testing of any in-house code or website, and continuous improvement suggestions.

But My Organization Is Too Small for a Security Champion!

No organization should take cyber security for granted. The average cost of a data breach, according to IBM and the Ponemon Institute’s 2023 Cost of a Data Breach report, is $4.45 million. And while you may do all the right things to protect against a breach, including appointing a security champion, the risk never drops to zero. A security champion does not need to be a full-time role or a trained specialist; in a small nonprofit it is usually an interested staff member who sets aside a little regular time for it, which costs far less than recovering from a breach. It is vital for nonprofits to take every reasonable step to prevent cyber security breaches, and having a champion on the team is a good step toward that goal.

Welter Consulting

Welter Consulting bridges people and technology together for effective solutions for nonprofit organizations. We offer software and services that can help you with your accounting needs. Please contact us for more information.

How to Stop Cybercriminals In Their Tracks: Prevent Cyber Crime

By | cyber security, Nonprofit | No Comments

The Board Effect, which publishes key stats that nonprofit board members need to know, released startling figures on cybercrime. According to its report, 50% of NGOs have been the victim of at least one cyber-attack. Even more surprising is that 9 out of 10 organizations do not train their staff on cyber security.

When nonprofits fall victim to cyber-attacks, it does more than create a headache. It can harm their reputation beyond repair. It can be costly to remediate the systems that are breached. It can result in lawsuits from disgruntled members or donors whose personal information has been stolen. And, given that The Board Effect report states it can take 22 days to recover from an attack, it can severely disrupt daily operations.

You don’t need to hire costly consultants or install expensive equipment to ward off most attacks. In fact, the most common way for criminals to get beyond your firewalls and first lines of defense is by tricking your own staff into divulging their information! Here, we have put together a brief list of steps you can take to mitigate many of the dangers of cybercrime. Bear in mind that no amount of preparation can ward off every danger, but with the right systems and training, you can prevent many instances.

Seven Steps to Prevent Cybercrime

Nonprofits can fall victim to many types of cybercrime. Among the most common are phishing attacks, which trick people into clicking links and divulging personal information such as user names and passwords; ransomware, which encrypts files or locks systems until a ransom is paid (many ransomware gangs also copy the data out first, so restoring from backup alone does not end the extortion); and malware, trojans and viruses, all of which “infect” a computer and make it do something you don’t want it to do (send spam to others, redirect you to a particular website, or infect other machines). The key to avoiding most of these common crimes lies in the following seven steps.

  1. Train employees in the basics of internet security. Teach employees how to spot phishing emails and how to avoid clicking malicious links. Educate them on choosing long, unique passwords (a password manager makes this practical), never reusing a password across services, and changing any password that may have been exposed. Once you’ve provided employee training, host refresher sessions. People tend to get complacent over time, and all it takes is one slip to pick up a nasty bit of ransomware or hand crooks the credentials to the personal information in your systems.
  2. Keep systems updated. Those annoying notices to update your system are there for a reason. As new attacks emerge, software vendors change their code to close the gaps being exploited. By updating your software to the latest version, you close those gaps too. This includes operating systems, specific applications (accounting, payroll, operations, productivity), web browsers, and the firmware on peripheral and network devices such as printers and routers.
  3. Install the best security protection you can. Install antivirus or endpoint protection software on every machine in your organization and ensure it is always updated and running. A tool that has been silently disabled protects nothing, so check its status periodically rather than assuming it.
  4. Enable firewall protection. A firewall blocks network connections that have not been explicitly allowed, keeping outsiders from reaching systems on your network. Your organization’s network should have a firewall running to protect systems, and the firewall built into each computer’s operating system should be turned on as well, especially for employees who work from home.
  5. Secure WiFi networks. Make sure your WiFi network uses WPA2 or WPA3 encryption with a strong passphrase, put visitors on a separate guest network, and do not allow employees to share the passphrase outside the organization. Change it when staff leave or if it may have leaked, and change the router’s default administrator password as well.
  6. Enable 2FA on sensitive accounts. Two-factor authentication (2FA, also called multi-factor authentication or MFA) requires a second proof of identity in addition to the password: a code from an authenticator app, a text message, or a hardware security key. Most email, social media and cloud platforms now offer it. It adds a layer that a guessed or stolen password alone cannot get past: when the platform sees a login from a device it does not recognize, it demands the second factor, and an attacker who has only the password is stopped there. Prefer an authenticator app or hardware key to text-message codes where you can, since text messages can be redirected by an attacker who takes over the phone number.
  7. Limit employee access; set up role-based access. If your system supports role-based access, use it: it lets you control who can reach which areas of a system, and the rule to follow is that each role gets only the permissions its job needs (deny by default). You can usually set permissions so that only senior team members can access sensitive data, reset passwords, or view financial information, and so that no single person can both create a vendor and approve a payment to it. Work with your software consultant or IT service provider to set permissions for your system.

The best defense, as they say, is a good offense. Be on the offensive when it comes to attacks against your organization. While many consider nonprofits a lesser target than large for-profit enterprises, the truth is that nonprofits typically have fewer resources to fight back against ransomware attacks and other cybercrimes. This makes them easy targets. You make your organization a much harder target for crooks by taking these seven steps to prevent cybercrime.


Improve Cyber Security for Remote Employees

By | cyber security | No Comments

Many organizations that eschewed remote work embraced it during the pandemic. Now, despite the abatement of the virus in many areas, organizations realize that adding a remote or hybrid work option to their policies is to their benefit. Not only can they attract more qualified applicants, but they can retain employees who might otherwise leave them without the availability of remote work.

Given that remote work is here to stay, it is important to look more at the cons as well as the pros. We know that remote work is attractive to employees. But on the flip side, as more people log in virtually, remote work is attracting cyber criminals, too. Criminals are finding remote workers an easier target. It’s vital to take steps to safeguard your organization against cybercriminals who can exploit remote workers and tap into sensitive data.

Scammers on the Rise

Scammers have always plagued organizations with all sorts of ploys, but the pandemic seems to have increased their number. Here are some of the newer scams hitting corporations and organizations nationwide. Many of the victims are remote workers.

The gift card scam: In this scam, someone pretending to be an employee, manager, or even the president of an organization messages an actual employee and asks them to purchase a gift card or debit card. The story is typically that the manager/president is in a meeting and wants to surprise someone with a gift card, but they can’t leave the meeting to purchase it. They ask the employee to purchase the gift card online and send them the information via a text or email. The scammers, of course, make off with the information needed to redeem the gift card, leaving the employee with the bill.

The “I lost my password” scam: Criminals know that executive assistants are often entrusted with sensitive information by senior executives. Many executive assistants know their supervisor’s birthdate, social security number, or computer password, for example. In this scam, someone purporting to be the manager contacts the assistant and claims to have lost their password. If the assistant is working remotely, they may not be able to walk over and ask the account holder whether the request is real. Unwary assistants have divulged passwords to criminals, who can then enter sensitive systems and make off with data to resell. The safe response is to never send a password in any message; the real manager can reset it through the normal process.

Phishing scams: Phishing scams are still active, and some have gotten more sophisticated. Many arrive in workers’ inboxes and look like documents sent by HR departments. Often, the email includes a link to click to update personal information such as a W9. The link directs the person to a site that captures the personal data and can lead to identity theft.

Other Security Steps to Take

In addition to the proliferation of scams, few organizations have improved their cyber security to protect systems during remote work access. Steps your team can take to secure access to critical information include:

  • Teaching remote workers basic home cyber security: securing the home Wi-Fi network with WPA2 or WPA3 and a strong passphrase, changing the router’s default administrator password, not using public Wi-Fi to reach organization systems (or using the organization’s VPN if they must), and not working on a computer that other family members share with open access.
  • Asking workers either to use organization-issued hardware, such as company-purchased laptops, for work-related matters, or, on equipment shared with family members, to work only from a separate, password-protected user account that others cannot open.
  • Updating software, including the operating system (Windows 11, macOS) and commonly used applications, and turning on automatic updates where the software offers them.
  • Avoiding free software and non-approved downloads of apps or software onto organization-owned hardware. Some downloads contain malware, while others just contain bloatware (excess code that slows machines down).

Communication Can Stave Off Many Cyber Attacks

One of the best ways to avoid compromising sensitive data is to ensure that remote workers feel connected to their teammates and free to ask questions at any time. Set up instant messaging platforms such as Slack, WhatsApp, or others so that coworkers can reach colleagues quickly. One quick note (“Hey, are you at a client’s office, and are you really asking me to buy you a gift card?”) can save a lot of headaches later. The check only works if it goes through a channel other than the one the request arrived on: if the request came by email, confirm by chat or by calling a number you already have, never by replying to the message or calling a number it supplies.

Remote workers may be more vulnerable to scams than those working in-person simply because they don’t have easy access to supervisors to check on the story given to them by the scammers. By improving awareness and communication, you can do a lot to prevent cybercrimes at your nonprofit organization.

About Welter Consulting

Welter Consulting bridges people and technology together for effective solutions for nonprofit organizations. We offer software and services that can help you with your accounting needs. Please contact Welter Consulting at 206-605-3113 for more information.

A Fresh Approach to Cybersecurity

By | cyber security, Nonprofit | No Comments

Cybersecurity remains a topic of critical importance for nonprofits. Attacks have risen dramatically, with the costs associated with cyberattacks increasing from $3 trillion in 2015 to an estimated $10.5 trillion in 2025. Nonprofits are especially vulnerable given their smaller staffs and often, a lack of IT resources to combat the threats.

Added to these vulnerabilities is the sheer feeling of being overwhelmed from dealing with multiple security layers and platforms required for modern cybersecurity. False alarms, confusing error messages, and other issues can also make managing cybersecurity a challenge for nonprofits.

Strong Security Depends on Employee Vigilance

The best defense is a good offense, as they say. Employee vigilance is your offensive game against potential cyberattacks. Offer a brief refresher at least annually on how to spot potential scams and attacks, including:

  • Avoid opening emails that look suspicious
  • Do not click on password reset links unless you initiated the reset request
  • Do not click on links from emails that look like they are from reputable companies but have telling mistakes in the copy, such as grammatical errors, slight misspellings of the company name, etc.
  • Never give your password out to anyone
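
The two tells above (a familiar company name with a slight misspelling, and a sender that does not quite belong to that company) are the same ones behind the HR-style phishing described in the remote-work article earlier on this page. The following is an added example, not code from the original article or from any mail product: it takes an email From header, extracts the sender’s domain, and reports when that domain is a near-miss of a domain the organization trusts, when a trusted domain has been buried inside a longer one, or when the display name claims a company the address does not belong to. The trusted-domain list and the sample headers are made up.

```python
# Added example, not code from the original article: checks a mail filter or a
# cautious reader applies to the From header. TRUSTED_DOMAINS is an assumed
# allowlist of domains this (hypothetical) organization really corresponds with.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"microsoft.com", "paypal.com", "welterconsulting.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_under(domain: str, trusted: str) -> bool:
    """True for the trusted domain itself or a real subdomain (mail.paypal.com),
    but not for paypal.com.evil.net or notpaypal.com."""
    return domain == trusted or domain.endswith("." + trusted)


def sender_domain(from_header: str) -> str:
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def phishing_indicators(from_header: str) -> list:
    """Return human-readable reasons to distrust the sender; empty means none found."""
    display_name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return ["sender address could not be parsed"]
    if any(is_under(domain, t) for t in TRUSTED_DOMAINS):
        return []
    findings = []
    name_lower = display_name.lower()
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        # 1. A near-miss of a trusted domain: micros0ft.com, rnicrosoft.com, paypaI.com.
        distance = levenshtein(domain, trusted)
        if 0 < distance <= 2:
            findings.append(f"domain {domain!r} is {distance} edit(s) from trusted {trusted!r}")
        # 2. A trusted name buried in a longer domain: paypal.com.account-verify.net.
        if trusted in domain:
            findings.append(f"domain {domain!r} embeds trusted {trusted!r} but is not under it")
        # 3. The display name claims a brand the address does not belong to.
        if brand in name_lower:
            findings.append(f"display name mentions {brand!r} but address is at {domain!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header in [
        '"Microsoft Support" <helpdesk@micros0ft.com>',
        'HR Department <hr@paypal.com.account-verify.net>',
        'Jane Doe <jane@welterconsulting.com>',
        'Bob <bob@gmail.com>',
    ]:
        print(header, "->", phishing_indicators(header) or "no indicators")
```

A two-edit threshold catches digit swaps (micros0ft), dropped letters and the rn-for-m trick, but it also means short domain names will occasionally collide with unrelated legitimate ones, so treat a finding as a reason to read the message carefully rather than as a verdict. A real filter would also examine the link targets in the body and the authentication results (SPF, DKIM, DMARC) recorded in the headers.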

If anyone on your team has your password and is authorized to log in on your behalf to any system, be sure to let them know that you will never ask anyone to call them for the password itself. A recent scam is a caller pretending to be someone who works with or knows the CEO, President, or CFO, and then asking for the password on behalf of that employee. This is typically an attempt to gain easy entrée into banking, credit card, and records systems in the company that could be worth thousands on the dark web (digital black market).

Leverage New Technology to Keep Security Simple and Strong

Cloud computing offers stronger and simpler security defenses that organizations of all sizes can leverage. Cloud service providers install multiple security layers and alert systems intended to protect both their own infrastructure and the organizations that rely on it, and because they have many customers and millions of dollars invested in that infrastructure, they take great pains to protect it from external attacks. Bear in mind that this covers the provider’s side of the shared-responsibility line: who in your organization can log in, whether they use 2FA, and what each of them is allowed to see remain your job to configure, and a stolen login, not a flaw in the provider’s data center, is the usual way a cloud account gets broken into.

Another way to shield your organization from attack is to use a good web hosting company. Such companies have detection and filtering in place to protect your site from denial of service (DoS) attacks and other direct attacks on your website.

Lastly, consider upgrading your virus protection systems. Real-time protection may include website scanning as employees use search engines for their work as well as scanning downloads, using cloud-based document storage systems with built in virus protection, and similar systems.

Update Your Software, Systems, and Platforms as Needed

Most major software companies conduct threat monitoring and intelligence, scanning the digital environment for new and emerging threats and developing protection against them. Every software maker and computer manufacturer issues periodic updates to its programs and platforms. These updates close known security gaps and patch against new threats.

Look for security updates for the following systems:

  • Operating systems (Windows, macOS)
  • Office productivity suites (Microsoft Word, Excel, PowerPoint)
  • Mobile phone operating systems (Android, iOS)
  • Web browsers (Chrome, Edge, Firefox, Safari, and many others)
  • Specialized nonprofit systems such as accounting or grant management systems
  • Website platforms (WordPress core, themes and plugins, for example)

Be sure to confirm that an update really comes from the software’s maker. Updates delivered through the software’s own built-in updater (many systems update automatically) can generally be trusted. A pop-up, email or web page that urges you to download an update is a common malware lure and should be investigated first: check the vendor’s own website or release notes, or the tech press, to confirm the update exists, and download it only from the vendor.
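
One concrete way to apply that check to a downloaded installer, as an added example (not code from the original article or from any vendor): publishers often list the SHA-256 checksum of each download, and the file you actually received should hash to exactly that value. The checksum-file layout assumed here is the common sha256sum one, a 64-character hex digest followed by the file name; the installer contents and the “published” list in the demo are constructed for the example.

```python
# Added example, not code from the original article: verify a downloaded installer
# against the vendor's published SHA-256 list before installing it. The checksum
# file layout assumed is the sha256sum one: "<64 hex chars>  <filename>" or
# "<64 hex chars> *<filename>". The files and the list in demo() are constructed.
import hashlib
import os
import tempfile


def parse_checksum_file(text: str) -> dict:
    """Map filename -> lowercase hex digest; skips blanks, comments and malformed lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # sha256sum marks binary-mode entries with '*'
        if len(digest) == 64 and all(c in "0123456789abcdefABCDEF" for c in digest) and name:
            table[name] = digest.lower()
    return table


def sha256_file(path: str) -> str:
    """Hash in 1 MiB chunks so a multi-gigabyte installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, checksums: dict) -> bool:
    """True only if the file is listed by name and its digest matches exactly.
    A file the publisher never listed fails; it is not treated as 'unknown'."""
    expected = checksums.get(os.path.basename(path))
    return expected is not None and sha256_file(path) == expected


def demo() -> tuple:
    """Constructed scenario: a genuine file, a tampered copy that is listed under its
    own name, and a file the publisher never listed. Returns the three verdicts."""
    genuine = b"pretend installer bytes, version 2.3.1\n"
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "setup-2.3.1.exe": genuine,
            "setup-2.3.1-mirror.exe": genuine + b"\x90",  # one byte appended in transit
            "setup-2.4.0.exe": genuine,                    # not on the published list
        }
        for name, content in files.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(content)
        published = parse_checksum_file(
            "# SHA256SUMS as a vendor would publish them (constructed)\n"
            f"{hashlib.sha256(genuine).hexdigest()}  setup-2.3.1.exe\n"
            f"{hashlib.sha256(genuine).hexdigest()} *setup-2.3.1-mirror.exe\n"
        )
        return tuple(verify_download(os.path.join(tmp, n), published) for n in files)


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

A checksum published on the same page as the download only proves the file was not corrupted or swapped on a mirror; an attacker who controls the download site can change both. Where the vendor code-signs its installers (Authenticode on Windows, notarized apps on macOS) the operating system checks that signature at install time, and that is the stronger check to rely on.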

Although many nonprofits are small, they can take mighty steps to protect against cyberattacks. You can do a great deal to protect what you have built in your organization by using these tips.
