Top 10 Questions for Your Cybersecurity Checklist for Nonprofits:
Does your organization use secure file-sharing tools?
File sharing is important to run a nonprofit, both for operations and fundraising efforts. Yet, what many organizations don’t know is that sharing or downloading a simple PDF document can potentially infect your network and jeopardize your mission. As staff and volunteers use technology to share files, ill-intended users have seen an opportunity to hack and expose sensitive data.
Therefore, secure file sharing platforms appear as a network security solution for tech users. With platforms such as SharePoint, WeTransfer, and Dropbox, you can ensure that the data you share is clean and doesn’t fall into the wrong hands. It’s also possible to set up passwords and two-factor authentication methods to strengthen your privacy and security practices.
Do your staff and volunteers use one password per account? And do they have at least 8 characters and 1 special character?
Did you know that ‘123456’ continues to be the most used password in the world? As identity thefts and data breaches become more common, having a secure password management policy has become a must in cybersecurity.
Passwords will not only protect your nonprofit’s email or social media accounts, but also serve to secure your fundraising platforms and donor information.
For example, Little Red Door, a small Indiana
nonprofit that provides support to cancer patients, was the target of a cyberattack in 2017. Hackers entered their network and managed to seize all client and financial data and asked for $43,000 for its return.
The best way to avoid ill-intended users intruding on your network is by creating unique and complex passwords of at least 8 characters, including numbers and special characters. Change your passwords at least 4 times a year and use a password manager tool to safely store your credentials.
How often do you train your staff and volunteers on cyber hygiene practices?
Cybersecurity awareness training should a central element in every organization’s remote and on-site access policy. Take the time to educate your staff and volunteers on the current cyberattack methods, like malware or pharming used by ill-intended users to gain access to your devices. This is also an opportunity for your organization to review its disaster and recovery policies and to use this checklist!
Also, since remote work is now the norm in most cases, your organization should also devote some
time to do a security check on incoming and current staff and volunteers. This way, you’ll ensure all work-related devices are clean and minimize the occurrence of a cyberattack.
Does your organization email awareness training sessions?
Did you know that phishing attacks went up by 31.5% over 2020? While it’s no secret that cyberattacks have heavily increased since the start of 2020, phishing remains the most common attack in recent years. In fact, according to Proofpoint, 60% of organizations lost data as a result of a phishing attack and 52% had their credentials compromised.
Organize seasonal email awareness training sessions with your staff and volunteers to teach them how to spot a phishing email and how to report it. It will save your nonprofit time and money!
Are your backups up-to-date?
Making seasonal backups is a must in network security. Backups not only help your organization against events like power failure or natural disasters, but they also play a key role in cyber disasters recovery and virus attacks.
Having both local and cloud-based backups is the best strategy, especially in the case of ransomware.
Even if they hijack your files and manage to reach your cloud), your local backup will save your nonprofit from stopping operations while your team solves the cyberattack.
Is there a policy to prevent intrusion via mobile devices?
As more people use their mobile devices for work-related purposes, cybercriminals have used this opportunity to create new ways to steal data and spread malicious activities. The two main vectors hackers use to infect devices are emails and apps. With more than 80% of all emails being opened on a mobile device, the chances that someone in your team falls victim to a phishing scam are high.
When it comes to downloading apps, the risk could be even greater. Cybercriminals create malicious apps that may seem harmless, such as games or
even productivity apps to spread malware. Depending on the type of malware, your phone could end up being infected with ransomware or spyware, which can put at risk both your personal and professional data.
The number one tip for all mobile device users is to install an antivirus. Nowadays, antiviruses, like McAfee, have app versions designed to protect smartphones and tablets. Depending on your subscription, you can use a VPN and block certain apps for more security. Do you have an antivirus installed already?
Does your organization keep all antivirus and antimalware software updated?
It goes without saying that having antivirus and antimalware software is a must, right? It may be because it takes time, but many people don’t update this software regularly. Yet, the risks of having an outdated antivirus/malware are much greater than you think.
Cybercriminals are constantly looking for ways to bypass network security tools and platforms by creating new versions of malicious files and links. Therefore, when you forget to update antimalware and antivirus software, you’re leaving the door wide open to improved versions of spyware, ransomware, or worms that are ready to damage your organization.
Does your organization have a Remote Access Policy in place?
Having a set of shared guidelines to organize the way remote access should be implemented is a first step to minimize network security risks. If you don’t have a Remote Access Policy, don’t panic, as you still have time to create one. When you do, make sure you include items such as password protocol, encryption policies, and hardware and software configuration standards.
Is there a disaster recovery policy to put in place in case of a cyberattack?
A disaster recovery policy will allow your nonprofit to continue operating after an unplanned incident, such as natural disasters or cyberattacks. While this type of document varies depending on the organization, it usually includes inventories of all your devices, backup procedures, and recovery processes for restoring your entire system.
When was the last time you performed a Cybersecurity Assessment?
Cybersecurity Risk Assessments provide an in-depth understanding of the existing risks and vulnerabilities your nonprofit is currently facing. It’s the most accurate way to map out how to better protect your organization from cybercriminals.
How is it performed and what to expect from it?
Through research and interviews, your nonprofit will obtain a cybersecurity score and a detailed report indicating your current situation. Once you have everything outlined, you should receive a
1-year roadmap to guide your nonprofit to improve its security and align your risk with acceptable tolerance levels.
Additional Resources:
Use this Guide as a starting point to put into practice the 10 questions from our cybersecurity checklist for nonprofit.
We’ve prepared another 10 questions to help you understand where your organization is vulnerable. Use them as a starting point in your next cybersecurity meeting.
This article will help you understand what are the main differences between IT and InfoSec professionals.
As we mentioned in our cybersecurity checklist for nonprofits, a maturity assessment is the only way to understand your organization’s current security posture. The knowledge gained through this assessment will help guide the decisions that will need to be made to improve your security and align your risk with acceptable tolerance levels.
