
140 – Cybersecurity basics every organization needs now


Welcome to this essential episode of the Non-Profit Digital Success Podcast! 🚀 Dive into the cybersecurity basics every non-profit needs to know with our host David Pisarek.

Explore practical ways to protect your organization’s data, donors, finances, and reputation without fearmongering or tech overwhelm.

From multi-factor authentication and stronger passwords to phishing awareness, backup strategies, staff training, and access controls, this episode gives non-profit leaders clear steps they can take right away to reduce risk and build a stronger digital foundation.

Tune in to learn how small security improvements can help prevent big headaches for your team and your mission! 💡


Episode Transcription

David Pisarek: Are you worried that your non-profit could be one click away from a cyber incident? From weak passwords to sneaky phishing emails, on this episode, I’m talking about cybersecurity basics that every non-profit needs to protect their data, donors, as well as their reputation.

Stay tuned. This is one episode that you’re not going to want to miss.

Welcome to the Non-profit Digital Success Podcast. I’m your host, David, and today I’m going to be talking about cybersecurity basics for non-profits like yours and others. So I’m going to talk about staff training, passwords, phishing, and backups, without fearmongering or tech overwhelm.

So before I continue, I just wanted to mention that our podcast really does need your help. If you find this episode or any of our others insightful, interesting, or helpful, please like, subscribe, share, and comment. It helps the podcast immensely and helps us reach more non-profits who are doing awesome, amazing, and important work.

So one of the questions I’m asked somewhat frequently is: why are non-profits increasingly targeted by cyberattacks, and what does this actually mean for their organizations?

Well, first, let’s talk about why organizations and businesses are targeted, right? They’re targeted because of the data that they have. So specifically, non-profits hold really valuable data like donor information, payroll details, and potentially health or client records.

But there’s often a little bit of a lack or disconnect in enterprise-level defences because of budgets. So attackers see non-profits, charities, and such as what I’m going to call soft targets. So limited IT staff, potentially old, legacy, outdated systems that maybe haven’t been patched recently, and high-trust environments.

So breaches can lead to reputational damage, potential legal exposure, and donor mistrust. Even if the immediate data loss seems to be small.

Ransomware and phishing are often very common. Cybercriminals know that downtime hits non-profits harder because they depend on public trust and continuity.

The next question that I’m often asked is, what are the most common cybersecurity mistakes that non-profits make without realizing it? Well, you’re basically assuming that they might be too small to be a target, that like, who’s gonna know about this little non-profit, right? The issue is that there’s something called a spray-and-pray type of thing that’s happening.

And what that means is they will send out hundreds of thousands of emails hoping that 1 or 2 or 3 people out of that actually click through and provide their credentials. So they’re putting it out there hoping that somebody actually does something. So what are some of these mistakes?

Having shared login credentials, maybe one email account that’s like an info@ or help@ or support@ that multiple people have the same login access to. So that’s a bit of an issue. Or maybe there’s a shared login for your WordPress website, and the 10 people who work on it are all using the same login and reusing passwords across multiple systems. So if your email, your website password, and your financial platform password are all the same, that’s a really big risk.

One other thing is, you know, not enforcing regular software updates or patching. There are a lot of times when there are holes, security issues, and the like that software vendors provide patches for over time, and those need to be applied to the systems.

Sometimes that means you need to replicate systems where you can apply those patches, test them, and make sure that they work okay before applying them to your live systems.

Many non-profits don’t have the time or budget to bring systems like that online.

Ultimately, relying on volunteers. So you might have some volunteers that are helping with IT or even, you know, third-party tools. So those are some significant risks that a lot of non-profits have. And while I’m thinking about it, not having policies or procedures on what is the proper response to follow should they think that there’s an issue or they know for sure that there’s been some kind of breach.

So making sure you’ve got backup and recovery plans and that the backups have been tested is a really big thing as well.

Okay, so what cybersecurity basics should every non-profit have in place regardless of their size or budget? The biggest one is multi-factor authentication. So that would usually be a 6- to 10-digit code sent by text or from an authenticator app, such as Microsoft Authenticator or Google Authenticator. There’s a handful of them out there.

Basically, you scan a QR code, it gives you a code, and that rotates every 30 seconds, I think, 25 seconds, so that you need to provide that in addition to the password. So that would be held, for example, like on your mobile device.

The next thing is updating software—maybe it’s a weekly, monthly, or quarterly plan. It really shouldn’t be an annual plan to patch software. It really should be reviewed as it comes in, and then a plan should be made based on the risk assessment of that patch to make sure you’ve got it in place. There are ways that you could implement automatic updates.

However, you need to make sure that your backups are working properly, because if that automatic patch breaks something, you need to be able to roll back to that as soon as you identify that.

Just a quick example here. One of our clients, I’m not gonna mention any names, I don’t wanna throw them under the bus. They had over $100,000 transferred from their Canadian bank account to another Canadian bank account because they didn’t have 2FA (multi-factor authentication) enabled on their banking account.

They obviously went right away and did that. They filed whatever reports with the RCMP, because it went to a Canadian account, and they were able to grab that money. And when you open a Canadian account, you need to provide a Social Insurance Number. So it could have been a fake number that a fraudster had used, but I’m sure that they found out pretty quickly who it was that did that. So they were able to recover their money. But yeah, they’re not going to make that mistake again.

We have someone who comes to help us with our landscaping and snow removal in the winter. He asked for us to send e-transfers to him. So Interac email transfers, and somebody hacked into his email, and they ended up transferring, depositing the money from his email into their accounts. He lost about $10,000 because he didn’t have what’s called auto deposit enabled on his account. So he went in and enabled auto deposit and that kind of solved it. So he’ll get a notice that I sent him money, but it’ll go directly into his account. There’s no other waiting or period there.

So there’s— yeah, these are just some of the like actual real things that do happen. Make sure that you have multiple sets of backups.

I really do believe in triplicate. So that would be maybe a network drive being backed up to another network drive. That might be your computer backed up to a USB drive, and then that’s also backed up to a network drive. And then having an off-site backup. So that could be online, in what we call the cloud. That could be in a safety deposit box at a bank. That could be at whoever’s managing your IT. That might be, maybe it’s at their home or in a safe or something like that.

You want to make sure that any devices that are being taken with any kind of data, maybe it’s a USB key or portable hard drive, whatever it is, have encryption on them.

You want to make sure the drives are encrypted because if somebody loses that or they’ve got their bag and they go out for dinner and somebody steals the bag or breaks into their car or breaks into their home and steals it, you want to know that that data is encrypted. It can’t be decrypted without the code.

Speaking of which, you don’t want to store the code with the drive, right? You don’t want to have like an elastic with a piece of paper or Post-it note on the drive because if somebody steals it, they’ll have the encryption code. We don’t want that to happen.

Okay, the next one is making sure that people only have access to the systems that they should actually have access to. So, for example, if you think about your website, does everybody need administrative-level access, or could they just have editor- or author-type roles? I’m talking specifically about WordPress there. Does everybody in your management team, for example, need administrative access to your LDAP or network system, or do they just need access to a specific folder? That type of idea.

And then, you know, having a clear cybersecurity policy which everybody in the organization has to go and review on an annual basis, make it part of an annual training plan, so that way everybody stays up to date and they are reminded and refreshed about that. One of the other things that we’ve talked to a couple of organizations about is actually doing some testing with staff and setting up some fake email addresses to send emails to see whether or not they open the emails, click on the links, open the PDF files that are attached. That’s kind of like one step beyond. But you want to make sure that the staff are being vigilant, right?

So, in terms of training staff, we know that, realistically, a lot of these problems stem from human nature, right? You get an email, oh, an outstanding invoice. You click on it, then you click on something that looks like a PDF, and then it goes to a page that looks like it’s a form, but you have to enter in your email address or sign in with your Microsoft or your Google account. And when you do that, the problem is it’s not a real document. It’s called a phishing scam. You’re actually just giving them your credentials so that they can then go and log in.

So, for example, we had a client a couple of years ago who clicked on an email very much like that. They were taken to a page that said, “Oh, you need to log in to the secure page” to see it, and it asked for their email and password. Thankfully, they had two-factor authentication enabled. So when they went to log in, the criminal weirdo hacker people who set this thing up couldn’t actually get into their accounts because those folks didn’t have their 2FA codes. So that’s great.

That prompted us to ensure we went in and enforced password refreshes. So, depending on your comfort level, depending on the type of data that your organization handles, you might want to have a 90-day rolling password where everybody has to update their password every 90 days. I think that’s probably a little bit too much. I would say, at a minimum, once a year, they need to go and do that.

I could see arguments for every 6 months to make sure people go and do that. The key, though, is to make sure that people are not just adding like the number 1 to the end of their password. Recently, there have been a lot of password and data breaches. And these AI platforms and software and, you know, high-powered computational servers and computer systems, they can go through a ton of logins really quickly. And so they go through the typical things like the password being password or 1234 or 12341, or adding an exclamation mark to the end of it. It can go through that really quickly.

So you want to make sure you’re changing other parts of the password, not just adding a character to the start or end of it. So I would say, you know, a minimum once-a-year review by all the staff; get them to sign off that they have read and gone through it.

If you have an LMS (learning management system), create a course and make everybody go through it once a year. Or bring everybody together in a room, boardroom, a Zoom room, something like that.

Have somebody come in and teach, train, and explain to everybody the importance of it and refresh them on that. So that’s going to help build awareness and ultimately create a sense of shared responsibility.

So let’s talk about passwords. You can definitely use password managers because of the number of passwords and systems that we all log into, whether it’s personal or work. There are a number of different platforms out there for password management. I really like Bitwarden. In terms of a password manager, there’s 1Password, there’s LastPass, there’s a whole bunch of them out there.

I would just check the history of those password managers to make sure there haven’t been any data breaches.

There was one, I think it was about 3 or 4 years ago, where hackers got in through shared credentials, and they downloaded everybody’s password files. So I’m not going to name names, but just be careful of the system that you’re using for that.

So using a password manager, that will help you generate really great, strong, long, and unique passwords where you don’t have to memorize them all. The last thing you want to do is keep a Post-it note under your keyboard or under your telephone on your desk with your computer password or password for any of your systems. You want to have it on a platform that is secure. And a lot of these platforms, what’s really cool is there’s mobile apps for them. And you can actually look up your passwords and stuff right from the mobile app, which is pretty great.

Second thing you want to do is enforce MFA or 2FA on all of the accounts that you have for everything. So treat everything as if it was your personal bank account. You want to make sure that it is secured so that it has the most amount of defences on it.

The third thing you want to do is limit admin access and accounts. Only give those to people that actually need them. Otherwise, create or use other rules and permission levels in those systems for people based on the actual access that they need. I would also recommend maybe once a year a review of who has access to what systems and what level of access. So that could be somebody in your IT team or your marketing communications team, depending on the platforms, just going through and going, ‘Oh yeah, okay, these are the 6 people that need admin access, these are the 8 people that need content developer access. These 2 volunteers aren’t volunteers here anymore. Yeah, let’s deactivate their accounts.’

And speaking of that, you want to have a really great offloading process for your organization. So you have a list of, okay, this person has left either voluntarily or not voluntarily. What are the systems, platforms, and everything that needs to be revoked? So do they have a phone extension? Do they have an email? What systems do they— can they log into?

If somebody left on, you know, not so great terms, if they walked back into the facility, would they be able to log into a computer and then access the data? We want to make sure that you have the right systems and processes in place to prevent that from actually happening.

Okay, so you’ve got strong passwords, you’ve been doing periodic reviews, you’ve got great backups, you know that those work. You need to test the backups, make sure they work. But like I said earlier, it really does come down to human error. So what can staff do to spot phishing attempts before any damage is done? So if an email comes in saying, ‘Hey, there’s an invoice due,’ if you’re not expecting it or you are not part of the finance team and you have nothing to do with that, chances are it’s a phishing email.

So what I would recommend is take a look at the email address that it came from. Take a look at what the email actually looks like. So sometimes they’ll send an email and it looks like it’s a Microsoft email, but something looks a little bit weird. The colours are off, or the logo isn’t there. They are getting more sophisticated now, so that’s not always a dead giveaway. I would not click on the link in the email.

If it came from, let’s say, a vendor that you often work with, I would pick up the phone and call them and say, ‘Hey, I got this email from this person, I just want to find out if this is legitimate.’ And I know that’s really kind of like old school, picking up a phone. Sometimes, what we’ve seen is that once they gain access, once these hackers get access to your email account, they actually set up rules in the email. So what that means is when an email comes in, they will set up a rule to forward it to a Hotmail or Gmail account or Yahoo email, something like that. And then they set up another rule to delete that email from your inbox.

So you will actually, if you’re the victim, you won’t actually ever see that email come in. It’ll forward it somewhere else, an email that kind of looks like that. So it looks like your name, whatever. It’s really easy to fake those. Anybody can go and set up an account, and then they reply as if they were you from your email account.

So sending an email isn’t always the best idea because it might give them some clarity that, oh, you know, they’ve been caught, and they’re going to stop it. So instead, the best thing to do is to call and actually talk to somebody at that business, make them aware of this issue so that way their IT team can go in and do all the stuff that they need to do, or they can hire a security firm to come in and make whatever fixes, patches, repairs, remediation that needs to be done, and then conduct their investigation to find out how much was potentially leaked or at risk. So that’s that thing.

In your email browser, and also, I believe, in Outlook, when you move the mouse over a link, it should show you in the bottom left (for, I guess, North American browsers) what URL that link actually goes to, without having to click on it.

If it looks like a weird spammy link, chances are it’s a weird spammy link. Don’t click on it.

And you want to let other people in your organization know, ‘Hey, you know, I did get this email.’ I’m going to get a little bit techie here. There are some systems that you could put in place on the backend to try to prevent any of these phishing emails from actually getting through to your inbox. Those are all pay-per-use platforms. If you’re interested in any of those, just reach out, [email protected], and I’d be happy to connect with you over those.

All right. So backups, really, those should be kind of the last line of defence, right? You want to make sure you’ve got systems, processes, software platforms, and other things in place. Training and education are really important so that nobody gets infected or has an issue.

Backups protect against a few things. They protect against ransomware, they protect against accidental or intentional deletion, and they protect against hardware failure.

Imagine you have like one drive, let’s say I don’t know, I’ve got this sitting on my desk here, a little USB drive sitting, and you’ve like backed your stuff up to there. Let’s say that drive fails. If you’re storing all of your Word docs, PowerPoints, spreadsheets, whatever, on that drive, and that drive fails, your stuff is gone, right?

This just happens to be for me, just a backup of my computer. I run this once a week, so I keep it here, but I have other backups. I’ve got a network drive, cloud drive, and logs in a safe deposit box. As I said, I believe in triplicates, and there’s something called the 3-2-1 rule. So you want to make sure you’ve got 3 copies, 2 formats, and one of those is actually offsite as well.

And then, probably once a month, once every 3 months, maybe once a quarter, you actually test the backups and make sure they’re functional for you. Once you’ve got a really great process in place, that’s when I would say start looking at how you can automate those schedules and how you can automate—and validate—the backup statuses.

So the first step that you could take as a non-profit this month, like today, like right now, after listening to this, is to turn on MFA on all of your key logins. That’s probably going to stop about 90% of common attacks. So that would be the number one thing.

The second thing, if you’re looking for a second step, is to review who has access to which systems and have conversations around who actually really needs that access versus who just has it because of a legacy reason. There might not be any specific reason that they need that.

So yeah, I hope some of the things I talked about on this episode about cybersecurity basics have been helpful and insightful for you. I hope that you found at least one thing that you can take back and have a conversation with somebody in your team, or actually just implement yourself immediately. And I want you to implement today.

Do something today to make sure that your stuff is being secured better than it was. If you’re not sure how secure your organization is, head over to wowdigital.com/consult and book a free strategy call with me. I’d be happy to walk through your current setup, identify risks, and help you prioritize items so you can make a real improvement. Thanks for tuning in to this episode of the Non-profit Digital Success Podcast. Everybody listening, if you want anything that I talked about, just head over to nonprofitdigitalsuccess.com. Click on this episode for all the details.

And until next time, keep on being successful!
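The rotating authenticator code the host describes (scan a QR code, then a 6-digit code that changes every 30 seconds and is checked alongside the password) is the TOTP scheme of RFC 6238 built on HOTP (RFC 4226). The following is an added example, not code from the episode or from Wow Digital: it generates the provisioning URI that the QR code encodes, computes the code, and verifies a submitted code with a one-step tolerance for clock drift. The secret is the RFC 4226 test key, so the known test-vector codes (755224 for step 0, 287082 for step 1) come out; the issuer and account names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30   # the "rotates every 30 seconds" period from the episode
DIGITS = 6          # the 6-digit code most authenticator apps show

# RFC 4226 test key "12345678901234567890", base32-encoded (the form a QR code carries).
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def provisioning_uri(secret_b32: str, issuer: str, account: str) -> str:
    """The otpauth:// URI an authenticator app reads when you scan the QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the counter is simply the number of whole steps since the epoch."""
    return hotp(secret_b32, at_unix_time // step)


def verify(secret_b32: str, submitted: str, at_unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate
    phone/server clock drift. Constant-time compare avoids leaking a partial match."""
    counter = at_unix_time // STEP_SECONDS
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + drift), submitted):
            return True
    return False


if __name__ == "__main__":
    # Hypothetical issuer/account names for the enrolment QR code.
    print(provisioning_uri(TEST_SECRET_B32, "Example Nonprofit", "finance@example-nonprofit.org"))
    now = int(time.time())
    code = totp(TEST_SECRET_B32, now)
    print("current code:", code, "valid:", verify(TEST_SECRET_B32, code, now))
```

A real deployment generates a fresh random secret per user (for example `secrets.token_bytes(20)`), stores it encrypted server-side, and rejects a code once it has been used for its step so a phished code cannot be replayed.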
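The host describes what happens after a mailbox is taken over: one rule forwards incoming mail to a Hotmail, Gmail or Yahoo address, and another deletes it from the inbox so the victim never sees it. The check below is an added example, not code from the episode or from Wow Digital; it audits a simplified, hypothetical list of mailbox rules (the `InboxRule` fields are constructed for this example, not a vendor's schema) and flags external forwarding, deletion, and the forward-and-hide combination. The organization domain and the sample rules are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ORG_DOMAIN = "example-nonprofit.org"   # hypothetical organization domain
# Free webmail providers named in the episode (plus outlook.com); forwarding there is highest risk.
FREEMAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com", "outlook.com"}
# Folders a forwarded copy is typically hidden in so the user never notices it.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}


@dataclass
class InboxRule:
    """Simplified, hypothetical mailbox rule (not any vendor's real schema)."""
    name: str
    owner: str
    forward_to: List[str] = field(default_factory=list)
    delete: bool = False
    move_to: Optional[str] = None
    enabled: bool = True


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_rule(rule: InboxRule, org_domain: str = ORG_DOMAIN) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings for one rule; an empty list means nothing suspicious."""
    findings: List[Tuple[str, str]] = []
    if not rule.enabled:
        return findings
    external = [a for a in rule.forward_to if _domain(a) != org_domain]
    if external:
        severity = "high" if any(_domain(a) in FREEMAIL_DOMAINS for a in external) else "medium"
        findings.append((severity, "forwards to external address(es): " + ", ".join(external)))
    if rule.delete:
        findings.append(("medium", "deletes incoming mail"))
    hides = rule.move_to is not None and rule.move_to.lower() in HIDING_FOLDERS
    if hides:
        findings.append(("medium", f"moves mail to rarely viewed folder '{rule.move_to}'"))
    if external and (rule.delete or hides):
        # The pattern the episode describes: copy goes out, original disappears.
        findings.append(("critical", "forward-and-hide combination (mailbox takeover pattern)"))
    return findings


def audit_mailbox(rules: List[InboxRule], org_domain: str = ORG_DOMAIN
                  ) -> Dict[Tuple[str, str], List[Tuple[str, str]]]:
    """Audit every rule; keys are (mailbox owner, rule name) for rules with findings."""
    return {(r.owner, r.name): f for r in rules if (f := audit_rule(r, org_domain))}


# Constructed sample: two benign rules and one matching the takeover pattern.
SAMPLE_RULES = [
    InboxRule("Newsletters", "finance@example-nonprofit.org", move_to="Newsletters"),
    InboxRule("Cover for Sam", "finance@example-nonprofit.org",
              forward_to=["sam@example-nonprofit.org"]),
    InboxRule("Sync", "finance@example-nonprofit.org",
              forward_to=["fin.backup2024@gmail.com"], delete=True),
]

if __name__ == "__main__":
    for (owner, name), findings in audit_mailbox(SAMPLE_RULES).items():
        for severity, reason in findings:
            print(f"[{severity.upper()}] {owner} rule '{name}': {reason}")
```

Run this against rules exported from the mail platform for every mailbox on a schedule, and treat any critical finding as a sign the account password and sessions need to be reset, not just the rule removed.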
