Guest article provided by Hilary Taylor, VP of Onset Solutions
You walk into work one day, take a sip of your coffee and log in to your computer. Everything looks different. Your e-mail isn’t there and all of the data on your server has disappeared. Your client files, donor information, accounting documents – vanished. Even your logo has gone missing.
What happens next? Someone will reach out and demand a ransom, typically tens of thousands of dollars. And the longer you wait, the higher the cost escalates. You can pay the ransom, crossing your fingers that your data is released, or you can move forward with only what you have on hand.
In either case, donor and client information has been exposed to a dangerous third party with malicious motives. A situation like this can severely impact the reputation of your organization. This isn’t something you’d want to see on the front-page news.
The good news is that there are easy steps you can take to protect your organization from this and many other cybersecurity attacks. Here are four things you can do today to increase the safety of your nonprofit’s data.
1. Update Antivirus Software
Antivirus programs are designed to isolate any malware that is found on your network, including ransomware. All devices should have a current, updated and reputable antivirus program on them.
There are a lot of options on the market, so aim to find a balance between cost, user experience and effectiveness. While there are discounted offerings through TechSoup, in our experience it might be worthwhile to invest in a more expensive product that is less invasive to users so they aren’t tempted to bypass the protection. Your antivirus product selection should be reviewed annually, looking for a solution that has high detection rates and low false positives.
2. Have a Comprehensive Backup Solution
Make sure your organization has at least two backup strategies in place to keep important files safe – a hard drive that is offline and off-site as well as a cloud solution that backs up daily. The goal is to be able to quickly and easily get your office running again if faced with a worst-case scenario.
Ideally, you will have three or more offline backups that you rotate through weekly, as sometimes a virus will “hide out” on your network for a period of time before attacking. Copying your data onto an external hard drive and taking it off-site will provide an easy and fast way to restore the core of your data, whether you are hit with a ransomware attack, hardware malfunction or building fire.
When it comes to a cloud solution, pick something that is easy on your staff so it gets used. Some products, including Office 365, G Suite and Dropbox, have nonprofit-specific offerings that are heavily discounted or free to 501(c)(3)s.
3. Strong Network Security
Have strong network perimeter security to stop unwanted internet traffic from infiltrating your network. Network security encompasses firewalls, switches, and wireless networks. These technologies are the link between the internet and your office, a crucial line of defense when protecting your data.
The complexity of your network will vary with the size of your organization. We highly recommend utilizing business-grade firewalls, which have their own software to protect against spam and viruses. In larger offices, even the Ethernet switches run their own software, which needs to remain up to date.
If you have staff accessing files from off-site, confirm you are using a secure remote connection. Anyone who has access to an employee’s computer doesn’t need an open invitation to your network. Similarly, consider setting up a separate wi-fi connection for guests. The more you can limit who has access to your network, the better.
An off-the-shelf solution might promise strong security, but can prove unreliable, especially when not well maintained. We highly recommend working with an experienced information technology professional, whether on staff or outsourced, to ensure your bases are covered. Ask regularly what you are doing for security and make sure they know it is a priority for your office.
4. Educate Your Users
Your employees and volunteers are the last line of defense for your network. Make sure staff is trained on what they should avoid doing while connected to the internet. You can incorporate tips into staff meetings, send a monthly e-mail or create a unique strategy that makes sense within your office. End-user best practice discussions are a crucial part of any cybersecurity plan.
In addition, it is always wise to give your users the least amount of permissions necessary to do their job. Preventing staff from installing a program might sound harsh but it can also prevent a virus from getting onto your network.
Taking these steps won’t protect your network from everything. Instead, consider this the first part of a larger plan. Ideally, every nonprofit should develop and enforce a comprehensive Network Security Policy. Investing time to create a thorough cybersecurity strategy is well worth the effort because it isn’t a question of if you will be attacked but when.
Hilary Taylor, VP