Protect Your Nonprofit from Cybersecurity Threats in 2022

Cyberattacks hit nonprofits every day. From local organizations to international ones, like the United Nations, hackers are always trying to benefit from vulnerable systems. Given that nonprofits store valuable financial and personal information about their donors, their databases have become an attractive and lucrative target for ill-intended users.

This blog post will introduce you to the latest cyberattack trends and walk you through ways to prevent security threats.

Top 3 Common Types of Cyberattacks:

SQL Injection

SQL injection is a code-based attack that gives ill-intended users the ability to read, access, and potentially administer sensitive data in the database. Hackers bypass security measures and use their newly gained privileges to add, delete, and update records in a database.

How can SQL injection attacks put your nonprofit at risk?

The most common risk of an SQL injection is the theft of sensitive user data. Personal information from your staff, volunteers, and partners, such as login credentials, emails, and personally identifiable information (PII), can be sold on the dark web. In the event of a successful SQL injection, your users and operations could be at risk.
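To show where the weakness comes from and how it is closed, here is an added example that is not part of the original post: the same donor lookup written with string concatenation and with a bound parameter. The donors table, its rows, and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory donor table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE donors (email TEXT, name TEXT, amount REAL)")
    db.executemany(
        "INSERT INTO donors VALUES (?, ?, ?)",
        [("ana@example.org", "Ana", 50.0),
         ("bo@example.org", "Bo", 120.0),
         ("cy@example.org", "Cy", 15.0)],
    )
    return db

def lookup_vulnerable(db, email):
    # VULNERABLE: the input is pasted into the SQL text, so quote
    # characters in `email` change the structure of the query.
    sql = "SELECT name, amount FROM donors WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, email):
    # HARDENED: the ? placeholder sends `email` as a bound value; the
    # database compares it as data and never parses it as SQL.
    sql = "SELECT name, amount FROM donors WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()

def demo():
    """Run both lookups on constructed inputs and return the row counts."""
    db = make_db()
    tautology = "x' OR '1'='1"        # constructed test input
    apostrophe = "o'neil@example.org"  # legitimate address containing a quote
    try:
        lookup_vulnerable(db, apostrophe)
        breaks_on_quote = False
    except sqlite3.OperationalError:
        breaks_on_quote = True         # concatenation produced invalid SQL
    return {
        "vulnerable_rows": len(lookup_vulnerable(db, tautology)),
        "safe_rows": len(lookup_safe(db, tautology)),
        "vulnerable_breaks_on_quote": breaks_on_quote,
        "safe_rows_on_quote": len(lookup_safe(db, apostrophe)),
    }

if __name__ == "__main__":
    print(demo())
```

The concatenated query returns every donor row for the test input and fails outright on an ordinary address containing an apostrophe, while the parameterized query returns no rows in both cases.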

 

Rootkits

A rootkit is hidden software that provides privileged access to a computer. Once a computer is infected with a rootkit, the hacker can remotely execute files, change configurations, and use the rootkit as spyware.

Unfortunately, in most cases, commercial antivirus can’t detect and remove rootkits. Despite this, some cyber hygiene habits can be put into practice to avoid rootkit infection, including verifying files and email sources before you open or download them.

How can Rootkits put your nonprofit at risk?

– Potential exposure to ransomware: Rootkits allow ill-intended users to infect compromised devices with ransomware.

– Stolen credentials: Hackers can use their privileged access to your device to steal sensitive information without being detected.

 

Emotet

After being taken down in 2021, Emotet has resurfaced with the help of TrickBot, a Trojan-type malware that steals users’ data. Emotet first appeared in 2014 to compromise financial services, and since then Emotet attacks have been found in almost every industry. This type of Trojan spreads through malicious emails that persuade users to open corrupted files, usually Word or Excel documents. Once the computer is infected, there is a risk of data/credential theft, downtime, and ransomware infection.

How can Emotet put your nonprofit at risk?

– Email thread hijacking: Emotet replies to old email conversations with a malicious email. There is a high possibility that your contacts will open and click on the attachments, thinking it is a legitimate email. This can lead to an infection of your database in a matter of seconds!

 

Other risks for nonprofits:

– Exposure of sensitive information: Cyberattacks impact your reputation as a nonprofit, reduce potential donations, and may carry legal implications depending on the data breach.

– Downtime: Hackers seeking to compromise the mission and operations of an organization can bring down your website and servers. This type of attack can financially damage your nonprofit – especially in the middle of a fundraising campaign!

– Ransom demand: Often hackers corrupt databases and servers with the purpose of seizing sensitive information and asking for ransom. According to Sophos, these types of attacks can cost up to $2 million.

 


How To Prevent Cyberattacks

Penetration Testing

Penetration testing helps your organization stay a step ahead of cybercriminals by identifying security weaknesses. According to our CEO and President, George Makaye, nonprofits should perform a pen test every quarter to ensure the organization is never caught off guard by a cybersecurity incident.

When performing a pen test, ensure the following steps are covered:

– Planning and Preparation: Identify your nonprofit’s valuable assets and risk areas – consider including donor information, sensitive organizational information, and operations. In this step, it’s critical that your nonprofit sets security goals for each risk area you’ve identified.

– Discovery: Gather information about each of your targets. This can range from donor, staff, and volunteer information to IP addresses.

– Penetration Attempt: Simulate attacks against your network to discover hidden internal and external vulnerable spots. This will give you a comprehensive understanding of your cybersecurity infrastructure and serve as a starting point to map a cybersecurity strategy.

– Analysis and Recommendations: This step details your security weaknesses and potential threats, and provides recommendations for remediation.

– Remediation: Close security gaps!

– Retest: With all security weaknesses fixed, retest to ensure cyber risk remediation was effective.


Additional Resources:

This guide will help you understand how to protect your nonprofit from cybersecurity threats.

This checklist will help you understand where your organization is vulnerable. Use it as a starting point in your next cybersecurity meeting.

This article will help you understand what the main differences between IT and InfoSec professionals are.

Understand your organization’s current security posture. The knowledge gained through this assessment will help guide the decisions that will need to be made to improve your security and align your risk with acceptable tolerance levels.

Need a team of experienced professionals to help you protect your nonprofit from cybersecurity threats? Makaye InfoSec is here to help. We provide nonprofit cybersecurity solutions. Call or schedule a meeting to get started.
