Top 5 Non-Profit Cyber Risk Exposures

Social engineering is a technique used by cybercriminals to manipulate and deceive individuals into divulging sensitive information or performing certain actions. In the non-profit industry, where trust and personal relationships play a pivotal role, social engineering attacks can be particularly effective.

Examples of social engineering techniques may include:

• Spear Phishing: Spear phishing is a targeted form of phishing in which cybercriminals craft personalized and convincing messages tailored to specific individuals within a non-profit. For example, an attacker might send an email to a non-profit agent posing as a potential buyer, referencing a specific property of interest. The email may contain malicious links or attachments designed to infiltrate the recipient's system or steal their login credentials.
  
  
• Business Email Compromise (BEC): Business email compromise attacks target specific employees within non-profits who have access to financial transactions or sensitive information. Cybercriminals use social engineering techniques to deceive employees into believing they are communicating with a trusted source, such as a company executive or vendor. Through fraudulent emails, the attackers manipulate employees into transferring funds to fraudulent accounts or divulging sensitive information.
  
  
• Vishing: Vishing, or "voice phishing," consists of a cybercriminal calling a target's phone to elicit personal or financial information. These scammers frequently masquerade as trusted entities, such as bank representatives or attorneys and use urgency or fear tactics to deceive victims into surrendering sensitive information. Vishing scams have become more convincing due to technological advancements that allow phone numbers to be spoofed to match local businesses and organizations. As most organizations’ phone numbers are available online, the possibilities are endless.

• Impersonation of Clients or Vendors: Attackers may impersonate clients or trusted vendors to gain the confidence of non-profit agents or property managers. They may use information gathered from social media or other sources to convincingly pose as legitimate parties. Once trust is established, the attackers can request sensitive information, such as account details or login credentials, under the guise of a routine transaction. This information can then be used for financial fraud or data theft.

Non-profit professionals must remain cautious and skeptical of unexpected or unusual requests, especially those related to financial transactions or sensitive information. Regular training and awareness programs can help employees recognize and defend against social engineering attacks, protecting both their organization’s interests and their clients' data.

Read More >

Many non-profit organizations rely on technology, systems and applications, which may be subject to technical security vulnerabilities and weaknesses. These types of technical vulnerabilities are commonly exploited by malicious actors, and can lead to unauthorized access to the organization’s networks, systems, applications and/or data. This type of unauthorized access is often the first step in a cyberattack, which can ultimately lead to a data breach, ransomware event or other significant cyber incident.

Ransomware attacks can cause significant business interruption, financial losses and reputational damage. Non-profit organizations often handle sensitive financial and personal information, making them attractive targets for such attacks. Cybercriminals can gain unauthorized access to a company's network by exploiting vulnerabilities or using social engineering tactics. Once inside, they can deploy ransomware software to encrypt critical files and databases, rendering them inaccessible to the organization’s employees.

It is crucial for non-profit organizations to prioritize cybersecurity measures. This includes regular data backups, robust network security, employee training on recognizing phishing attempts and the implementation of strong security protocols across all devices and systems.

Read More >

Non-profit professionals rely heavily on mobile devices and web applications for seamless communication with clients, and efficient management of crucial tasks like maintaining donor databases, event registration listings and agreements, grant information and applications, financial documents and employee records. Additionally, the potential compromise of sensitive information, including personally identifiable information (PII), poses a significant threat. Electronic devices, such as smartphones, tablets and laptops are susceptible to physical theft, making it vital for non-profit professionals to implement robust security measures.

Non-profit professionals can prioritize data security by implementing strong encryption, anonymization and secure access controls, which can help protect sensitive information even if a device is stolen. Regular security audits, employee training on data protection best practices and the use of secure communication channels can further bolster the industry's defenses against cyber threats.

Outsourcing information storage and maintenance to third-party service providers has become a common practice in the non-profit industry due to its simplicity and cost-effectiveness. However, this convenience also brings potential cybersecurity risks. Even reputable storage providers can be vulnerable to cyberattacks, underscoring the critical importance of partnering with organizations that prioritize security.

When selecting a third-party service provider for information storage, non-profit organizations must conduct thorough due diligence to ensure the chosen provider adheres to stringent security measures. Verifying the provider's track record, certifications and security protocols can instill confidence in the protection of sensitive data.

Read More >

Organizations should regularly review their incident response plans and ask the following questions: Is the scope of the existing plan sufficient, based on recent changes to the organization’s business, technology stack and population of third parties? Have the right stakeholders been engaged in the development of the plan? When was the last test or tabletop exercise, and was the scope and approach aligned with today’s most common cyber threats?

Enhance the organization’s approach to cybersecurity awareness and training by investing in more dynamic, engaging and effective training methods. A multilayered approach to training throughout the year, such as providing courses, conducting realistic simulations and offering incentives will help employees to mitigate, recognize and respond to threats.

An organization’s leadership and risk manager is integral to a comprehensive approach to risk management. This will require input from a cross-disciplined team of stakeholders to ensure the organization has truly optimized its cyber posture.

A foundation of integrated cybersecurity controls, policies, procedures and tools are critical to any organization’s cyber risk management program. It’s not sufficient to rest on the laurels of “yesterday’s controls” however. There must be ongoing monitoring of these controls, in addition to validation, independent testing, remediation and enhancement. To provide a reasonable and defensive level of cyber resilience for any organization, the level of innovation and enhancement in organizational security must consider the current and future state of cyber threat activity.