4 steps for nonprofits to protect against cybersecurity attacks

ARTICLE | July 31, 2021

Authored by RSM US LLP

Cybercriminals are looking for quick, easy scores. They want to be able to steal and encrypt data without leaving a trace, then use that data to profit.

Unfortunately, their desire for ease means that nonprofits have become a target.

Andrew Weidenhamer, a principal at RSM US LLP who leads the security testing team, said that most small- and mid-sized nonprofits believe that they’re too small to be targeted. But these organizations, which often lack the budgets to invest in cyber protection, are low-hanging fruits for bad actors.

“The ability for someone to break into an organization has become significantly easier,” Weidenhamer said. “There are intelligent threat actors who are developing exploit kits and other services and then selling them on the dark web to less technical attackers for nefarious purposes. The end result is more opportunistic attacks against organizations perceived to have less security controls. Unfortunately, many nonprofits end up falling into this category.”

The RSM US Middle Market Business Index survey found that in the first quarter of 2021, 28% of middle market executives said that their organization suffered a data breach in the past year. This is the highest percentage since RSM started tracking this information in 2015.

At nonprofits, a data breach might mean losing containment of personally identifying information of employees, volunteers or donors. Their names, addresses, emails and even credit card numbers could end up in the wrong hands.

Troublingly, a large portion of nonprofits lack standard security controls. For example, multifactor authentication (MFA)—an electronic authentication service which only grants a user access to a sensitive area on an app or a website after they provide two or more pieces of disparate information—is commonly used to protect sensitive data online. But many nonprofit organizations fail to implement MFA on critical applications such as membership and donor portals.

And while many nonprofits believe that they lack the budget for cybersecurity, a breach of any size—especially one that affects donors—could devastate an organization’s reputation. This could cause immense financial loss.

But just because nonprofits may be behind in protecting themselves now doesn’t mean they have to stay that way. Here are four steps that nonprofit organizations can take toward security now and for years to come:

1) Maturity or risk assessment

The first step is to perform an initial risk or maturity assessment, according to Ryan Duquette, partner and Canadian lead for RSM Canada’s security and privacy risk consulting practice. It’s akin to a gap analysis, something that will let nonprofits see how they can become more secure.

“My logic is that you start with understanding your data and its use,” Duquette said. “For example, donor and distribution information is typically vital, and needs protection. But a lot of organizations don't even understand how to identify these crown jewels. First, you must understand: What are you looking to protect? Let's do an analysis on that, to see if you have proper controls in place.”

Weidenhamer said that risk assessments are especially important for nonprofits interested in gaining an initial understanding of their security measures in place. Often, Weidenhamer said, organizations find that what they thought was protected is not actually protected.

2) Technical validation testing

Technical testing is much like the risk assessment process, according to Weidenhamer. But in this phase, organizations will technically validate the effectiveness of their security program and any new security tools they’ve adopted.

“Technical testing is the best way to validate the effectiveness of the broader information security program,” Weidenhamer said.

Weidenhamer also said that nonprofits will often purchase security software that becomes “shelfware,” or unused, due to the lack of expertise needed to configure the software appropriately to be useful. Monitoring solutions are often a good example of this. “Many organizations configure these tools either too open or too restrictive. This results in either too many alerts or not enough. Having a good understanding of what is considered normal traffic within an environment to then configure these tools to identify anomalous behavior, is key to overall effectiveness” Weidenhamer noted.

Testing should happen once or twice a year and with technology changes, according to Duquette. He said that there should be both procedural tests (are the tools properly deployed?) and penetration tests (are the tools serving their purpose?).

3) Road map development

If the assessment helps a nonprofit find where they are on a map, the road map gives them the exact directions for where they must go.

Weidenhamer said that the road map phase helps organizations find out where they need to put more employee assets and investment, what areas need to be secured, and what should be done right now versus what can wait a year or two. Each road map is built individually for each nonprofit based on their risk profile. It’s more art than science, he said, as the needs and budgets of every organization are different.

But there’s a common first move on road maps for nonprofits, according to Duquette: MFA. “Something as simple as that can provide a lot of protection and mitigate a lot of risks,” he said.

Duquette then said that organizations can map out a phased adoption of security tools such as endpoint detection and response software, cloud storage and security architecture.

4) Vendor contract review

Many nonprofits outsource their IT to third-party providers. During the contract review phase, nonprofits need to be sure that they’re getting all of the services they are paying for and all the protection that they need from these providers. In other words, it’s important that nonprofits align their expectation to contract terms and conditions, Weidenhamer said.

This phase is especially important, as contracts often don’t include language for penetration testing and information security. In addition, Weidenhamer said that the contracts sometimes don’t match up with what the nonprofit thought that they paid for. Often, nonprofits will believe that they paid for services from a provider, see in the contract review process that the service isn’t happening, and when asking the provider about it, hear that this service wasn’t included as part of their services.

In addition to reviewing contracts, periodic third-party testing to ensure the vendor is meeting their obligation is of utmost importance, Weidenhamer said, because taking a vendor’s word that they’re doing what’s in the contract is akin to a teacher allowing a student to grade their own papers.

“They're not going to provide you a report saying that they've done a bad job,” he said.

Being prepared

Duquette said that nonprofits should form their own plan of what happens if they’re breached. Most nonprofits don’t have a plan and end up scrambling. He suggests having a team of employees, vendors, consultants and perhaps other outside counsel planning what to do in case of a cybersecurity attack.

Breaking in: A case study

While working with a large nonprofit organization, Weidenhamer found something disturbing during an external penetration test: Some accounts from the nonprofit had been leaked to the dark web from a breach.

“The client had a donor portal that was externally exposed,” Weidenhamer said. “We identified a few usernames that were a part of other breaches. Then, we tried those credentials against that portal to see if we were successful. We were able to break into a couple of accounts that way. And once we broke in, we were able to see the donor information, like how much they contributed and personal information.”

The client wanted to assess the security across its entire population of 70,000 accounts. Weidenhamer and RSM were able to break into about 150 accounts just by finding usernames on the dark web.

To shore up its security, the nonprofit implemented MFA, CAPTCHA (which stand for completely automated public Turing test to tell computers and humans apart) functionality, improved password functionality and a web application firewall.

“We stressed to them that you're never going to prevent breaches, and there's always going to be a certain amount of breaches that result in leaked usernames and passwords,” Weidenhamer said. “The best way to protect yourself is by implementing a defense-in-depth strategy through the implementation of best practice security controls such MFA and ongoing monitoring among others.”