How nonprofits are shoring up cybersecurity
BLOCKING THE BREACH
NONPROFITS WORK TO SHORE UP CYBERSECURITY VULNERABILITIES TO CUT RISKS
BY SHERRI WELCH
When a Southwest Solutions accounting employee turned on his computer that summer day three years ago, he found something nobody saw coming. There on his screen was a message from a hacker, demanding hundreds of thousands of dollars in bitcoin ransom for the return of Southwest Solutions data. The employee had opened a phishing email by mistake, inadvertently giving the hacker access to the nonprofit’s accounting system and network, and forcing the agency, which serves thousands of at-risk youths and adults each year, to pay up or put its clients at risk. The whole thing didn’t seem real when the insurance company said it was going to hire someone to negotiate with the attacker, COO Michelle Sherman said.
“It was like something out of TV.”
Nonprofits, which hold highly confidential identifying, health and payment information for employees, clients and donors, are often among the most vulnerable to cyberattacks, experts say. They rely on part-time employees and volunteers, along with full-time staff, increasing the number of access points to their systems. And often, they haven’t put cybersecurity training in place for them. With little or no funding for technology investments, many nonprofits also have dated IT infrastructure that can’t be updated with the latest security patches, making them easier targets. The resulting ransomware attacks on nonprofits can not only interrupt the services provided by charitable organizations, but also take money away from the mission and compromise personal identifying information of employees and clients. They can also give hackers an opportunity to extort donors, as well as the nonprofits themselves.
Tips for protecting against cyberattacks
Protecting your nonprofit from hackers and phishing scams doesn’t have to be costly. Here are some low-budget tips:
Use stronger, unique passwords: People often use the same password for everything they do, but if that email and password leak online, attackers will try them everywhere else they can log in, including work systems.
Use multi-factor authentication: A secondary login code sent to an alternate email or cellphone adds a layer of security that a stolen password alone does not defeat.
Train your staff: Provide training on phishing scams and passwords to all staffers, including volunteers. There are plenty of free training videos on YouTube, and services like KnowBe4.com won’t break the bank.
Keep software updated: Apply security patches and updates promptly to close vulnerabilities in the system as new viruses and scams emerge.
Make backups: Take the time now, before a breach, to back up important files in the cloud through applications like Google Drive or SharePoint and on physical external hard drives kept both on-site and off-site in case of fire or flood.
Plan ahead: Call your insurance company to get a better understanding of what your nonprofit’s risk profile looks like and where the security gaps are.
Contract out IT services: It can be less expensive to contract information technology services than to hire internally to fill these positions.
GIVING GUIDE | 2022
Experts say nonprofits should be talking at the highest levels about cybersecurity risk and how they can mitigate it, from fundraising and budgeting for needed IT investments and cybersecurity insurance (should they choose that) to low-budget approaches any organization can employ, like multi-factor authentication and employee and volunteer training to help them identify threats.
“In light of all of the hacks, data breaches and just growing industry of ransomware, hundreds of millions of dollars being paid out, cybersecurity has to absolutely be a priority and it has to be a part of the boardroom discussion, or else you’re doing a disservice to your clients... your donors... (and) your employees,” said David Derigiotis, corporate senior vice president at wholesale insurance broker Burns & Wilcox. There’s a solid case to be made to donors and funders for the return on investments in cybersecurity strategies, including IT upgrades, said Jacob Koering, principal in the litigation and intellectual property groups at Miller, Canfield, Paddock and Stone PLC and founder of the firm’s cybersecurity and data privacy practice.
“You can spend $1 now on preventatives or $10 later,” he said.
If some of the things Southwest Solutions is doing now and some of the IT investments it has since made had been in place before the hack, “then it would have been harder to hack us, period,” Sherman said.
Targeting nonprofits and donors
Charitable or not, an increasing number of nonprofits are seeing data breaches at a time of rising need and reliance on technology for remote work and service delivery.
Nationally, a 2020 breach at Blackbaud, a cloud software provider to nonprofits, affected an unknown number of organizations and individuals, including University of Detroit Mercy in Detroit.
In January, more than 300,000 customers of ShopGoodwill.com were impacted by an attack. And a March breach at Partnership HealthPlan of California compromised the names and Social Security numbers of a reported 850,000 people, sparking a class action lawsuit against the organization. The list of nonprofits breached locally is also growing. It includes Ascension Michigan, Beaumont Health, Michigan Medicine, Trinity Health Systems and UDM.
Given that personal, protected data was compromised, whether through a third-party data management company like Blackbaud or through attacks on their own systems, those nonprofits were required to disclose the breaches. Those types of larger organizations are generally targets because they have resources to pay ransoms, experts say. But mid-sized and smaller nonprofits that have backburnered IT investments so they can put more dollars toward the mission are low-hanging fruit, Derigiotis said: “It’s just a numbers game.”
Donors can also be targets, he said.
“In some of these cases, you may have ransomware operators call (donors) to make them aware of the breach, to harass them, to threaten them and also to get money directly from them.”
Fortunately for Southwest Solutions and everyone connected with it, personal employee, donor and client data were not compromised, and it had taken out cybersecurity insurance just a year earlier, despite financial troubles at the time. The insurance paid a team of professionals to help Southwest Solutions recover from the attack and covered the ransom, Sherman said. But nearly three years later, the nonprofit is still working to manually reconstruct much of the financial data that was lost when the decryption key the hacker provided failed to unlock all of its data. The intruder didn’t care that it was dealing with a charitable nonprofit, Sherman said.
“We could have collapsed in the sense that we were not able to recover all of our information,” she said. That could have halted all of the behavioral health, housing development, foreclosure prevention, financial literacy and other services the nonprofit provides to more than 13,500 people each year, she said.
[Photo caption] Southwest Solutions invested $500,000 to upgrade its dated staff computers following the hack. Photo provided by Southwest Solutions.
An ounce of prevention
Prevention is key in helping to thwart the attacks, experts said.
Security should be part of annual planning at the board and top leadership levels, Koering said. Nonprofits, like other businesses, should have a security plan, and they should have someone outside their organization test it to help identify any weaknesses.
“Often times, nonprofits don’t know where to start when it comes to cybersecurity protection,” said Tammy Pitts, chief communications officer for the Michigan Nonprofit Association. The association, which provides low-cost cybersecurity assessments and training for nonprofits through its MNA Tech division, is advising nonprofits to start by designating a person to oversee development of a cybersecurity plan, turning on multi-factor authentication on all accounts and creating stronger, unique passwords. The latter two “are an affordable, quick solution that organizations can take right now to protect themselves,” Pitts said.
MNA is also advising nonprofits to take the time now, before a breach, to back up important files in the cloud through applications like Google Drive or SharePoint and on physical external hard drives kept both on-site and off-site in case of fire or flood.
Koering said his clients often call their insurance companies first when considering cybersecurity, which can be a good process because insurers are skilled at helping organizations understand what their risk profile looks like.
Secure systems do involve, of course, spending and having the proper technology that can take security patches and updates, Derigiotis said.
“There are no silver bullets...it comes down to layers of security and training,” he said. “But the other part is making sure people are aware there are very simple things that you can do.”
He echoed MNA Tech recommendations to put multi-factor authentication in place for employees and outside volunteers and vendors accessing any nonpro t system and to encourage users to create unique passwords for them.
People use the same passwords for everything they do, from work to shopping on Amazon, signing up for newsletters or ordering lunch.
“That email and password will be floating out there online. They are gathered by criminal groups and different hackers and then they’ll simply use it to see where else they can match those credentials to log into,” Derigiotis said.
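The reuse attack Derigiotis describes (leaked email/password pairs tried against every other login page) leaves a recognizable trace in authentication logs: one source address trying many different accounts in a short window, most of them failing, with the occasional success marking a credential that was reused. The script below is an added illustration, not code from the article or from any organization it names; the log format, the field order, the thresholds and the sample lines are all constructed for the example and would need adapting to a real identity provider's log format.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not code from the article or from Southwest Solutions, MNA or
Burns & Wilcox. The log format (timestamp, source IP, username, result) and
the sample lines are constructed for the demonstration; thresholds are
illustrative assumptions, not vendor recommendations.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one address sprays eight accounts in six seconds and
# lands one; a second address is an ordinary user mistyping their password.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z 203.0.113.7 alice@example.org FAIL
2024-03-04T09:00:02Z 203.0.113.7 bob@example.org FAIL
2024-03-04T09:00:02Z 203.0.113.7 carol@example.org FAIL
2024-03-04T09:00:03Z 203.0.113.7 dave@example.org SUCCESS
2024-03-04T09:00:04Z 203.0.113.7 erin@example.org FAIL
2024-03-04T09:00:05Z 203.0.113.7 frank@example.org FAIL
2024-03-04T09:00:06Z 203.0.113.7 grace@example.org FAIL
2024-03-04T09:00:07Z 203.0.113.7 heidi@example.org FAIL
2024-03-04T09:15:00Z 198.51.100.20 alice@example.org FAIL
2024-03-04T09:15:20Z 198.51.100.20 alice@example.org FAIL
2024-03-04T09:15:40Z 198.51.100.20 alice@example.org SUCCESS
"""

# Assumed thresholds: a single address touching this many distinct accounts
# inside the window, with mostly failures, is not normal user behaviour.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5
MIN_FAILURE_RATIO = 0.5


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_failure_ratio=MIN_FAILURE_RATIO):
    """Return {source_ip: finding} for addresses whose attempts inside any
    sliding window hit >= min_users distinct accounts with a failure ratio
    >= min_failure_ratio. The finding also lists accounts that authenticated
    successfully during the spray: those credentials are already in the
    attacker's hands and need a reset, not just a lockout of the source IP."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events, key=lambda e: e[0]):
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so evs[start:end+1] spans <= window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            if len(users) < min_users or failures / len(span) < min_failure_ratio:
                continue
            prev = findings.get(ip)
            if prev is None or len(users) > prev["distinct_users"]:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "failures": failures,
                    "compromised_accounts": sorted(u for _, u, ok in span if ok),
                }
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['distinct_users']} accounts, {f['failures']}/{f['attempts']} "
              f"failed, reset: {', '.join(f['compromised_accounts']) or 'none'}")
```

The ordinary user at 198.51.100.20 (one account, three tries) is not flagged, which is the point of keying on distinct accounts rather than on raw failure counts. The successful login for dave@example.org inside the spray is the actionable finding: blocking the source address without resetting that credential leaves the account open to the same attacker from a different address, and it is exactly the case that multi-factor authentication, as the article recommends, would have stopped.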
Another low-budget but critical way to mitigate risk is awareness training on phishing emails or texts, which trick people into clicking on a link or providing personal information by coming off as a legitimate source.
“Phishing is a huge, huge threat. If you’re not doing the proper training and proper preparation for your employees, all it takes is one person to fall for a trick and then it gives access to the entire company,” Derigiotis said.
Cybersecurity training for employees doesn’t have to break the bank, Pitts noted.
“There are plenty of free training videos on YouTube,” she said, but MNA recommends nonprofits subscribe to a service like KnowBe4.com to get the best up-to-date training.
Having basic strategies in place to mitigate cybersecurity risk can enable organizations to purchase cybersecurity insurance to help in the event that an attack does happen, Derigiotis said.
IT funding a challenge
Costs have skyrocketed in recent years, given all of the hacks happening. Where a nonprofit could have gotten such a policy for under $1,000 a few years back, the costs can run three to five times that now, depending on the security measures a nonprofit has in place, Derigiotis said.
“Before 2020, you could just come with your checkbook,” he said. “Now carriers, insurance companies, they apply much more rigorous underwriting standards... (and) require greater security practices to be implemented.”
Insurers want to know that organizations have multiple backups of their data and disaster recovery plans in place that they are practicing, he said.
“If you have good data backups, good practices, then the likelihood that you’ll have to pay or that you will experience significant disruption when (an attack) occurs…dramatically goes down.”
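The backup advice in the tips box and from MNA, and the insurers' expectation that recovery plans are practiced rather than just written, share one practical test: can the copy actually be restored, intact, before you need it? Southwest Solutions' experience with a decryption key that did not unlock everything shows what an unverified copy is worth. The script below is an added illustration, not code from the article, from MNA Tech or from any vendor named; it records a SHA-256 manifest of the files at backup time and checks a restored tree against it, reporting files that are missing or came back with different bytes. The directory layout and file contents are constructed in a temporary directory for the demonstration.

```python
"""Build a checksum manifest for a backup set and verify a restored copy.

Added example, not code from the article or from any organization it names.
The files, directory layout and the "damaged restore" scenario are constructed
in a temporary directory so the script runs stand-alone.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backup sets do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256.
    Taken at backup time and stored apart from the backup itself, this is the
    reference a later restore is checked against."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest. A file that is present but
    hashes differently (truncated copy, partial decryption, silent corruption)
    is reported as corrupted, not counted as recovered."""
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(p for p in restored if p not in manifest)
    return {"ok": not (missing or corrupted), "missing": missing,
            "corrupted": corrupted, "extra": extra}


def demo():
    """Constructed scenario: snapshot three files, then check one clean restore
    and one where a file is missing and another came back altered."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        os.makedirs(os.path.join(live, "finance"))
        files = {
            "finance/ledger.csv": b"date,amount\n2021-07-01,125.00\n",
            "finance/payroll.csv": b"name,net\nA. Person,2000.00\n",
            "README.txt": b"Quarterly close records (constructed sample)\n",
        }
        for rel, data in files.items():
            with open(os.path.join(live, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(live)

        good = os.path.join(tmp, "restore_good")
        shutil.copytree(live, good)
        clean = verify_restore(manifest, good)

        bad = os.path.join(tmp, "restore_bad")
        shutil.copytree(live, bad)
        os.remove(os.path.join(bad, "finance", "payroll.csv"))          # lost in restore
        with open(os.path.join(bad, "finance", "ledger.csv"), "ab") as f:
            f.write(b"garbage\n")                                        # altered bytes
        damaged = verify_restore(manifest, bad)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore ok:", clean["ok"])
    print("damaged restore ok:", damaged["ok"],
          "missing:", damaged["missing"], "corrupted:", damaged["corrupted"])
```

Two points the code makes that the advice alone does not: the manifest has to live somewhere the attacker who encrypts the file server cannot also reach (with the off-site copy, for instance), or the check has nothing trustworthy to compare against; and a restore drill that only confirms files exist would have passed the damaged copy above, because the ledger file is present but no longer the file that was backed up.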
Like peer organizations, Southwest Solutions had struggled over the years to find the dollars needed to invest in back-office system upgrades, unless one of its program areas got some funding for it, Sherman said. Three-quarters of its $32 million budget comes from grants, which typically allow just 10 percent for administrative costs and the rest for programs. The lack of funding for IT upgrades led to a decentralized, ad hoc approach that put the nonprofit in a very vulnerable position in terms of cybersecurity, she said.
“And I don’t think we’re alone,” she said.
Since the hack, Southwest Solutions is providing cybersecurity training for employees and has added multi-factor authentication for its systems, with a secondary login code sent to an alternate email or cellphone. It’s also budgeting for IT investments.
It replaced old desktop computers with new laptops for each of its 250 employees at a cost of $500,000. It’s also moved data storage to the cloud and contracted with an IT help desk for about $180,000 a year, in the absence of a centralized IT department, Sherman said.
NeighborWorks America, one of Southwest Solutions’ funders, stepped up with $40,000-$50,000 in grant dollars to help fund part of the IT upgrades that are underway, she said.
But funding for cybersecurity and IT upgrades is scarce, said Rick Cohen, COO and chief communications officer for the Washington, D.C.-based National Council of Nonprofits.
“It’s a huge issue and one that’s difficult to tackle,” he said.
“Too many donors…are still hearing the same old, outdated and damaging advice to give to nonpro ts that spend less on ‘overhead,’ leading nonpro ts to hesitate to invest as much as they should in key cyber infrastructure.”
Nonpro ts that feel con dent in making those investments often don’t have the funds to do so, particularly those that do a lot of work under government grants and contracts, Cohen said.
“When those contracts don’t pay the full amount that it costs to deliver a service, there just isn’t additional funding available to upgrade their technology.”
One of the biggest issues for nonpro ts in mitigating cybersecurity risks is the fact that threats move fast and change often, MNA technology director Adam King said in a statement.
Keeping systems up to date and subscribing to or purchasing security services can be expensive, he said. Funding for IT upgrades and cybersecurity initiatives is beginning to emerge, but it is moving slowly. The federally funded 2022 Nonprofit Security Grant Program, a $250 million program granting money to nonprofits to prevent and respond to terrorist attacks, is primarily a physical security grant program but did accept grant proposals for some cybersecurity needs, provided they were included in the nonprofit’s vulnerability assessment, said Bailey Wilkins, public information officer for the Emergency Management and Homeland Security Division of the Michigan State Police. The program, which closed out applications in late May, will consider funding requests for things like encryption software, antivirus protection and firewalls, she said.
Some nonprofit leaders don’t know they can use general capacity grants for IT needs, said Khalilah Burt Ghaston, executive director of the Song Foundation, which is funded by Linh and Dug Song, who is the co-founder of Internet security provider Duo Security.
“Technology needs of nonprofits as a part of comprehensive capacity building efforts is something the Song Foundation will be looking into as a possible funding area,” Burt Ghaston said.