Nonprofit organizations handle volumes of sensitive data every day—from donor information to client financial records to confidential emails. It stands to reason, then, that cybercriminals are targeting nonprofits at an alarming rate—trade associations, professional associations, and 501c3 organizations alike.
In a previous blog, we investigated the top cybersecurity threats to nonprofits. We discussed malicious attacks and points of entry, the greatest of which was malware. What we didn’t cover in that article was how you can best protect your nonprofit from this very real (and very damaging) threat.
The good news is this: if you’re asking how to prevent malware from affecting your nonprofit, you’re already on the right track to protecting your organization and the data inside of it. Below we’ll walk through how exactly malware can impact your organization, and provide actionable steps for protecting against it.
How is malware putting your nonprofit at risk?
What exactly is malware, and how can it affect your organization’s data? Here are some quick definitions:
- Malware is actually not a specific threat itself, but rather a blanket term that encompasses any software that gets installed on your machine to perform unwanted tasks for a third party’s benefit. Spyware, viruses, and ransomware are all forms of malware.
- Viruses are types of software that can self-replicate and spread to other computers on your network—hence them being likened to an infection. Viruses are programmed to damage a computer by deleting files, reformatting a hard drive, or using up computer memory.
- Spywareis software that gathers information from your computer, data, and system, and transmits it to interested parties. We’re talking your web history, browser and system information, and IP addresses. Advanced spyware can even monitor your keyboard for any personally identifiable information (PII). If your nonprofit handles sensitive information on a regular basis, this brand of malware is of particular concern.
- Ransomware is a type of software that hackers use to hold individuals’ data hostage until they pay for its release. CryptoLocker, the first form of ransomware, appeared in September 2013 and circulated by way of infected email attachments. Here, your files are encrypted until you pay a certain price—and the only way around it (without paying) is to restore a backup of your data.
The best ways to prevent malware for nonprofits
Here are a few of the best ways to protect your organization from malware. As you’ll see, not all of these solutions are technical in nature.
- Keep anti-virus and anti-malware up-to-date. Sure, almost all organization have this software in place in one capacity or another. But is it being updated on a continual, consistent basis? Your protection is only as good as your maintenance.
- Keep your operating systems, firewalls, and firmware up-to-date. Are your servers and workstations running operating systems that are still being supported? Is your firewall current? Is everything being automatically updated and patched on a consistent basis? What about your firmware? It is important that these elements stay current to protect against evolving threats.
- Create and enforce password policies. Good, difficult-to-guess passwords are essential to computer security. What makes a strong password? In a nutshell, they (1) are at least eight characters long; (2) include letters, numbers, special characters and capitalization; and (3) are changed infrequently. Create a company policy that outlines these tips, and hold your staff to it. (Have a fussy Executive Director? Get them a password manager before you let them off the hook.)
- Create and enforce an equipment use policy. Set boundaries as far as what your staff members are permitted to do on company-owned equipment. To what extent can they use things like laptops and phones for personal purposes? Can they install software of their choosing? Will there be mandatory scans, backups, or encryption? Establish clear rules, and wrap them into your onboarding process.
- Create and enforce an employee separation policy: Is your nonprofit doing anything to ensure that access to your network is effectively revoked immediately upon an employee’s departure? When an employee leaves—whether they’re an ED or support staff member—this termination policy must be enforced so that disgruntled former employees cannot introduce malware to your system or access confidential data.
- Educate employees: This is the kicker. An essential part of practicing secure computing is educating employees to make smart computing decisions. For example, what would your staff do if someone called and asked for their social security number? Create regular, security training sessions for your employees that cover security basics, including:
- Avoid clicking on suspicious links in emails
- Avoid going to suspect websites
- Ensure all downloads are automatically scanned by anti-virus
- Create multiple strong passwords—and don't change them too often
- Do not run programs from which you cannot identify an origin
In today’s world, your reputation—and prospects for business longevity—are only as good as your security policies. Make cybersecurity a top priority—and make security awareness part of your company’s culture. Once you establish the basics (investing in a robust anti-malware software), create comprehensive policies and user training programs to complete your organization’s anti-malware efforts.
Beyond that, we also strongly recommend periodic security audits as a way to keep your organization secure. After all, the best way to make sure you’ve remediated all existing vulnerabilities is to have an outside resource actively prod your systems for vulnerabilities. Your provider will run scans, they’ll analyze your existing policies, and they’ll set forth prioritized recommendations to reinforce any weaknesses. (For more on this, check out this article on security audits and how much they’ll cost your nonprofit.)
True, this all is an investment of time (and sometimes money) that your nonprofit might not readily have at its disposal. But when it comes to the security of your data and the overall success of your mission, you have to at least ask yourself: what price are you actually willing to pay?