BLOCKING THE BREACH
GIVING GUIDE | 2022
NONPROFITS WORK TO SHORE UP CYBERSECURITY VULNERABILITIES TO CUT RISKS | BY SHERRI WELCH
When a Southwest Solutions accounting employee turned on his computer that summer day three years ago, he found something nobody saw coming. There on his screen was a message from a hacker, demanding hundreds of thousands of dollars in bitcoin ransom for the return of Southwest Solutions data. The employee had opened a phishing email by mistake, inadvertently giving the hacker access to the nonprofit’s accounting system and network — forcing the agency, which serves thousands of at-risk youths and adults each year, to pay up or put their clients at risk. The whole thing didn’t seem real when the insurance company said it was going to hire someone to negotiate with the attacker, COO Michelle Sherman said. “It was like something out of TV.”
Nonprofits, which hold highly confidential identifying, health and payment information for employees, clients and donors, are often among the most vulnerable to cyberattacks, experts say. They rely on part-time employees and volunteers, along with full-time staff, increasing the number of access points to their system. And often, they haven’t put cybersecurity training in place for them. With little or no funding for technology investments, many nonprofits also have dated IT infrastructure that can’t be updated with the latest security patches, making them easier targets. The resulting ransomware attacks on nonprofits can not only interrupt the services provided by charitable organizations, but also take money away from mission and compromise personal identifying information of employees and clients. They can provide an opportunity for hackers to extort donors, as well as nonprofits.
TIPS FOR PROTECTING AGAINST CYBERATTACKS
Protecting your nonprofit from hackers and phishing scams doesn’t have to be costly. Here are some low-budget tips:
Use stronger, unique passwords: People often use the same passwords for everything they do, but if that email and password get out online, hackers will use them to see where else they can log into, including work systems.
Use multi-factor authentication: A secondary login code sent to an alternate email or cellphone provides an extra layer of security that a hacker cannot get their hands on.
Train your staff: Provide training on phishing scams and passwords to all staffers, including volunteers. There are plenty of free training videos on YouTube and services like KnowBe4.com won’t break the bank.
Keep laptops up to date on security updates and patches: This will prevent vulnerabilities in the system as new viruses and scams emerge.
Make backups: Take the time now, before a breach, to back up important files in the cloud through applications like Google Drive or SharePoint and on physical external hard drives kept both on-site and off-site in case of fire or flood.
Plan ahead: Call your insurance company to get a better understanding of what your nonprofit’s risk profile looks like and where the security gaps are.
Contract out IT services: It can be less expensive to contract information technology services than to hire internally to fill these positions.
JUNE 13, 2022 | CRAIN’S DETROIT BUSINESS | 15