At Dog & Bone, our research, gained through workshops with a wide range of NFP organisations, indicates that securing system access and donor data presents a significant challenge. This is due to the combination of several factors, including limited budgetary resources for cybersecurity measures, a rise in cybercrime activity, and the inherently sensitive nature of the personal information they collect from donors and benefactors.
This article looks at several low-cost or no-cost measures that NFPs can implement to strengthen their cyber security posture. Each of the suggestions is in line with common challenges we discovered during our Pro-Bono Security Impact Round workshops, as well as the six key security functions found in industry standards: Govern, Identify, Protect, Detect, Respond, and Recover.
Develop a Cyber Security Policy
Creating a comprehensive cyber security policy is the first step towards protecting your organisation. This policy should outline acceptable use of technology, data protection procedures, a cyber response team and response procedures in the event of a cyber-attack. Once it is written, ensure that all staff and volunteers are familiar with the policy and understand that maintaining security is an organisation-wide responsibility in which everyone has an important part to play.
The majority of organisations who took part in our workshops did not have a Cyber Security Policy or Strategy. They were aware of the need to bolster their security measures but had no formal plan for how to systematically go about raising their defences or recovering from an attack.
Regularly Update Software and Systems
Keeping your software and systems up to date is crucial in defending against cyber threats. Most updates address known vulnerabilities that could be exploited by attackers. Regularly review systems and install updates and “patches” for operating systems, applications, and security software.
Implement Strong Password Practices
Enable Multi-Factor Authentication (MFA) wherever it is available to add an extra layer of security. Encourage staff and volunteers to use strong, unique passwords for their accounts. Implement a policy requiring regular password changes and use a password manager to store and manage passwords securely.
Conduct Regular Cyber Security Training
Sign up for the Australian Signals Directorate (ASD) cyber alerts and educate your team about common cyber threats such as phishing, malware, and social engineering. Regular training sessions can help staff and volunteers recognise and respond to potential threats, reducing the risk of successful attacks. Low-cost and free online resources and webinars can be excellent tools for keeping staff cyber aware.
Many organisations we spoke to were unaware of the many types of cyber security resources available to them from government agencies and security organisations.
Back Up Data Regularly
Regular backups of critical and sensitive data are essential for protecting your organisation’s information. Schedule backups of critical data and store copies in a secure location away from the original data source. Periodically test the integrity of the backed-up information to make sure it is usable should any incident render the main data unusable. This ensures that data can be recovered in case of a cyber incident, hardware failure, or other disaster.
Most organisations place their trust in their system providers or backup copies but have never actually been through the process of restoring their backups and testing the integrity of the information they contain. It’s fine to have a backup schedule, but what if the information being backed up turns out to be unusable?
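A minimal restore test of the kind described above, written for this article as an added example (it is not code from Dog & Bone or from any workshop organisation): it backs up a constructed sample folder to a .tar.gz, restores it into a scratch directory and checks every file against a SHA-256 manifest recorded at backup time, so a silently damaged or incomplete backup is caught before it is needed. The folder names and records are made up for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def make_manifest(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def back_up(source: Path, archive: Path) -> dict:
    """Write a .tar.gz of source and return the manifest recorded at backup time."""
    manifest = make_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest

def restore_test(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and check every file against the manifest.
    Returns a list of problems; an empty list means the backup is usable."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"archive unreadable: {exc}"]
        restored = make_manifest(Path(scratch))
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs: {rel}")
    problems += [f"unexpected file: {rel}" for rel in restored if rel not in manifest]
    return problems

def demo() -> tuple:
    """Constructed sample: back up a donor-records folder; test intact, missing-file and damaged cases."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "donor_records"
        (src / "2024").mkdir(parents=True)
        (src / "donors.csv").write_text("id,name\n1,Sample Donor\n")
        (src / "2024" / "receipts.txt").write_text("receipt 0001: $50\n")
        archive = Path(work) / "donor_records.tar.gz"
        manifest = back_up(src, archive)
        intact = restore_test(archive, manifest)
        # A file the backup job never captured shows up as missing on restore
        missing = restore_test(archive, {**manifest, "2024/ledger.csv": "0" * 64})
        archive.write_bytes(b"\x00" * 64)  # simulate a corrupted backup file
        return intact, missing, restore_test(archive, manifest)
```

Running this on a schedule against real backup archives, and alerting when the returned list is non-empty, is the "actually restore it" step most organisations skip.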
Use Encryption
Encrypt sensitive data both at rest (when it is stored) and in transit (when it is being communicated). Encryption protects information from being accessed by unauthorised parties even if it is intercepted or stolen. Many operating systems and software applications offer built-in encryption features that can be enabled at no additional cost.
Establish Access Controls
Limit access to sensitive information and systems to only those who need it to perform their roles. Implement the “principle of least privilege”, ensuring that users have the minimum level of access necessary. Regularly review and update access permissions to reflect changes in roles or responsibilities (and especially when a staff member is leaving the organisation).
Monitoring and adjusting levels of access to systems and information is not front of mind for many organisations. Most organisations have little or no regular reviews of user access and are not as diligent as they should be when off-boarding staff.
Create an Incident Response Plan
Develop a clear and concise Incident Response Plan that outlines steps to take in the event of a cyber security incident. This plan should include procedures for identifying, containing, and mitigating the impact of an incident, as well as communication procedures for notifying stakeholders. Regularly review and update the plan to ensure it remains effective and relevant to the current cyber threat landscape.
As with the Cyber Security Policy and Strategy, most organisations have no clear plan for what they will do if a cyber security incident occurs. Most of the responsibility resides with key individuals who may be absent when trouble strikes.
Monitor Systems and Networks
Regularly monitor your organisation’s systems and networks for unusual activity. Where available, use built-in tools to check system logs and network traffic for signs of potential threats. Early detection of suspicious behaviour can help prevent small issues from becoming significant security breaches.
Secure Remote Work
Ensure that remote workers use secure connections to access your organisation’s systems and data. Require the use of Virtual Private Networks (VPNs) and educate staff on the risks of using public Wi-Fi. Provide guidelines for securing home networks and personal devices used for work purposes.
Due to the nature of their work, many NFP staff work from home or remote locations. This often leaves them with little choice but to use insecure networks or devices.
By implementing these measures, non-profit organisations can significantly enhance their cyber security posture in a practical and cost-effective way, focusing on protecting sensitive information and maintaining the trust of donors, clients, and stakeholders.
At Dog & Bone, we believe that robust cyber security doesn’t have to come with a hefty price tag, and we’re here to support NFPs in their journey towards better security practices.