Wednesday, September 14, 2011

The Hackers Are Coming: What Steps to Take NOW To Ensure Cybersecurity of Your Non-Profit

This is an area I've been thinking about a lot lately. Organizations and individuals at all levels are vulnerable to hacking. There is a major initiative in this country to counter "cyber terrorism" and cyber security is the hottest topic in board rooms and war rooms. What is scary is that many nonprofit organizations have limited ability and resources to combat security breaches. And as more nonprofits move to online donations, online membership registrations and sales, personal information becomes more accessible to those who would exploit it. Joseph Steinberg points out that nonprofits must be concerned with cybersecurity and should take up this issue as soon as possible. Bunnie

The Hackers Are Coming: What Steps to Take NOW To Ensure Cybersecurity of Your Non-Profit
By Joseph Steinberg, CISSP, ISSAP, ISSMP, CSSLP

Non-profits, like most modern organizations, handle significant amounts of sensitive information, which often resides in electronic form on Internet-connected computers and networks. Donor details, information about programs run and people receiving aid, employee and payroll records, and many other forms of data are all of significant value to criminals.

Hackers know that non-profits often don’t have the resources to invest in expensive security systems, and that computer systems in use may be several years old and designed before non-profits were being targeted with digital attacks. Cyber-thieves understand, therefore, that such systems often contain vulnerabilities and lack cyber-defenses, making them easier to hack than many systems in the commercial sector.

The consequences of compromised security may not be small. Bad press; the breach of confidentiality, and the embarrassment, that follow from leaking data about people the non-profit helps; fines from credit card companies for failure to conform to their security requirements; or donors suffering the anguish of identity theft and blaming the organization's negligence: any of these can be catastrophic.

Some cases have made the media. When the Columbia Triathlon Association website was hacked, for example, cybercriminals successfully pilfered information about over 8,000 members – including a password database in encrypted form.

So what can a non-profit do to ensure that it remains cyber-secure? While a single article is not sufficient to cover all the aspects of cybersecurity in a non-profit setting, here are several high-level pointers…

First and foremost, commit to actively ensuring cybersecurity. The cost – in terms of time, money, and aggravation – will likely be far less if a proactive approach is taken.

Create proper policies governing who has access to which resources, and implement rules and technology to enforce these policies. Access to systems and information should always be on a “need to know” basis. Systems should be used for only their intended purposes and not for others, such as reading email or accessing Facebook. Ensure that every user has her own credentials and that all systems require a login with a password that is not easily guessable or found in the dictionary.
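As an added example (not part of the original article), the following Go program shows what "not easily guessable or found in the dictionary" means when enforced by a system rather than by a policy document. Attackers' cracking tools undo the usual disguises before guessing, so the check reduces a candidate password to its underlying word first: lower-case, leading and trailing digits and punctuation stripped, common digit-for-letter substitutions reversed. That way "P@ssw0rd2011!" is rejected along with "password". The word list, the user ID "jdoe" and the candidate passwords are constructed here for illustration; a real deployment would load a full dictionary plus a list of passwords seen in public breaches.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// Constructed word list for illustration only. A real deployment would load a
// full dictionary plus a list of passwords seen in public breaches.
var wordlist = map[string]bool{
	"password": true, "welcome": true, "charity": true, "donate": true,
	"summer": true, "letmein": true, "qwerty": true, "volunteer": true,
}

// Digit/symbol-for-letter substitutions that cracking tools' wordlist rules
// undo before guessing, so the check has to undo them too.
var leet = strings.NewReplacer(
	"0", "o", "1", "l", "3", "e", "4", "a", "5", "s", "7", "t",
	"@", "a", "$", "s", "!", "i",
)

// normalize reduces a candidate password to the dictionary word an attacker
// would derive it from: lower-case, leading/trailing digits and punctuation
// removed ("Welcome2011!" -> "welcome"), then substitutions reversed
// ("P@ssw0rd" -> "password").
func normalize(p string) string {
	s := strings.ToLower(p)
	s = strings.TrimFunc(s, func(r rune) bool { return !unicode.IsLetter(r) })
	return leet.Replace(s)
}

// CheckPassword returns nil if the password passes, or an error naming the
// first rule it breaks. The user's own ID is rejected as a component.
func CheckPassword(p, userID string) error {
	runes := []rune(p)
	if len(runes) < 12 {
		return errors.New("shorter than 12 characters")
	}
	if u := strings.ToLower(userID); u != "" && strings.Contains(strings.ToLower(p), u) {
		return errors.New("contains the user ID")
	}
	if n := normalize(p); wordlist[n] {
		return fmt.Errorf("reduces to dictionary word %q", n)
	}
	if strings.Count(p, string(runes[0])) == len(runes) {
		return errors.New("single repeated character")
	}
	return nil
}

func main() {
	// Constructed candidates, not real credentials.
	for _, c := range []string{
		"P@ssw0rd2011!", "Welcome2011!", "jdoe-Is-The-Best-2011",
		"aaaaaaaaaaaa", "correct horse battery staple",
	} {
		if err := CheckPassword(c, "jdoe"); err != nil {
			fmt.Printf("%-30s rejected: %v\n", c, err)
		} else {
			fmt.Printf("%-30s accepted\n", c)
		}
	}
}
```

The dictionary check is a floor, not a ceiling: a multi-word passphrase passes it because each word alone is no longer the whole secret, while a single word with a year bolted on does not. Pair the check with per-user credentials and a lockout or rate limit on failed logins, since the guessing the check defends against is usually automated.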

If wireless (or wired) Internet is provided for guests within a facility, implement it on its own separate network – isolated from any non-profit systems and networks. Visitors have no need to access any internal systems.

Don’t let them.

Branch office managers should ensure that they conform to all security policies of the parent organization and should also implement security controls so that a breach at another branch, or at the main office, does not propagate to their location.

Ensure compliance with all credit card security rules, and, unless truly necessary, do not store credit card data after processing transactions. Never store credit card security codes or debit card PINs.

Store all sensitive data – including donor information, employee data, documents related to programs being run and beneficiaries from any charity, etc. – in encrypted formats. When in doubt, encrypt.
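"Encrypt" is easy to say and easy to get wrong; the following Go program is an added example (not from the article) of what storing a donor record in encrypted form should look like in practice, using only Go's standard library. It uses AES-256-GCM, so every stored blob is both encrypted and integrity-protected: a flipped bit, a truncated record, or a ciphertext copied from one donor's row into another's fails to decrypt instead of silently yielding garbage. The record ID is bound to the ciphertext as associated data for exactly that reason. The donor record and record ID are constructed sample data; the key comes from the OS random generator here, and the assumption in a real deployment is that it lives in a separate secret store or hardware module, never in the same database, backup or source tree as the records it protects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG. Assumption for
// real use: the key is kept in a secrets manager or HSM, not beside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals record under key with AES-GCM. A random 96-bit nonce is drawn
// per call and prepended to the output; Seal appends the 16-byte auth tag.
// recordID is bound as associated data: it stays in the clear, but changing
// it makes Decrypt fail, so a blob cannot be moved to another record.
func Encrypt(key, record, recordID []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, recordID), nil
}

// Decrypt reverses Encrypt and returns an error if the ciphertext, the tag,
// or the associated recordID has been altered or the blob is truncated.
func Decrypt(key, sealed, recordID []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], recordID)
}

func main() {
	// Constructed sample donor record and ID; not real data.
	record := []byte(`{"donor":"A. Example","email":"a@example.org","gift_usd":250}`)
	id := []byte("donors/2011/0001")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Encrypt(key, record, id)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %x\n", sealed)

	plain, err := Decrypt(key, sealed, id)
	fmt.Printf("decrypted:   %s (err=%v)\n", plain, err)

	// Flip one bit of the stored blob: the GCM tag check rejects it.
	sealed[len(sealed)-1] ^= 0x01
	_, err = Decrypt(key, sealed, id)
	fmt.Println("after tampering:", err)
}
```

Two points the code makes that the sentence "when in doubt, encrypt" does not: the nonce must be fresh for every record (reusing one under the same key breaks GCM), and encryption without authentication would still let an attacker with write access to the database corrupt or swap records undetected. Encrypting the files is only worthwhile if the key is held somewhere an attacker who steals the database does not also get.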

Select and implement security technology to meet functional and security requirements – and ensure that all technology is kept up to date. Keep in mind that all major recent cybersecurity breaches have occurred at organizations running firewalls, anti-virus software, and other security products, and so…

Perhaps most importantly, leverage the services of a skilled cybersecurity professional to properly design your cybersecurity plan. Remember, cybercriminals have technical expertise. Shouldn't you have it to defend your organization?

Joseph Steinberg (CISSP, ISSAP, ISSMP, CSSLP) is a respected cybersecurity expert and the C.E.O. of Green Armor Solutions, a leading provider of information security software. An industry veteran with 20 years of experience, Joseph is often sought after by organizations ranging from global corporations to small businesses to assist them with their digital security needs. He is the inventor of several cybersecurity technologies, the author of a book and many articles on cybersecurity-related matters, and a frequent lecturer on topics related to cybersecurity, technology, and business. For more information, or to contact him, please visit