NPO’s and volunteer security nightmare

 

 
Not-for-profits have an unusual issue regarding security. Firms that have trained, paid full-time employees have a strong level of control over the actions of their workers. NPOs, however, may rely heavily on volunteers whose time in the office may be minimal and sporadic. You may feel grateful for their dedication and be less likely to subject them to rigid security training. Also, a threat of punishment for those who make inadvertent errors that create security risks isn’t going to be acceptable in the “volunteer” environment.
 
Though it may seem a waste of precious volunteer time, you need to consider implementing ongoing training and reminders to all volunteers about what they can do to protect your data and digital infrastructure. The 2 most common human errors are falling for phishing scams and bringing storage devices to your office and introducing them to laptops and other devices. Think of the volunteer who creates a brochure for you in their home office, then downloads it to your office PC. This is an excellent backdoor for a virus or malware to break into your infrastructure.
 
Remind your volunteers on a consistent basis that no outside storage devices are to be brought into the office for use on the NPO’s equipment. Secondly, provide training on how to recognize phishing scams and the risks of opening unfamiliar emails and links. Finally, for volunteers who work from home, consider using safe shared software platforms like Google Drive or Microsoft 365.

Advertisements
NPO’s and volunteer security nightmare

Security and your sub-contractors

 
 
So you feel relatively comfortable that you have created cyber security around your data and your employees are trained to avoid security errors in their day-to-day business ( a MAJOR source of security breaches, by the way.) However, you may be overlooking one area where you are exceptionally vulnerable. What protection do you have from those you do business with? If you are a manufacturer, for example, you may have several vendors who provide components and raw materials. How careful are they about data security? Smaller producers and service providers may perceive themselves as not being a likely hacker target, which is incorrect. Small firms are significant targets for data hacking because they have access to larger firms. They can provide a “digital backdoor” to the firms they sell to.
 
You need to work closely with all of your vendors to ensure that they are as serious about protecting their systems as you are. If you share digital information with your subcontractors, you open a very wide door for any of their vulnerabilities.
 
And this doesn’t just apply to the manufacturing sector. Medical offices share data, for instance. Consider talking to a security expert to address your vulnerability to a security breach via the very vendors you rely upon. You need to expect as much focus on security from them as you do from yourself.
Security and your sub-contractors

Cyber Crime and Security for SMBs

 
 
Did you know the illicit trading of personal data was worth $3.88 billion last year? Cybercrime is a growing industry known for its innovation. It goes far beyond the image many of us have of some hacker kid in his basement. Many who engage in this activity are professionals and work in large teams. Some may even be sponsored by governments. If you follow the news, you can find large corporations and even government agencies who have fallen prey to hackers and had massive amounts of data compromised. Unfortunately, this has led smaller firms to feel they fly below the radar. In fact, the opposite is true. Small businesses-especially those in regulated areas such as medical, financial, and legal services-need to be hyper vigilant about security. The cybercriminals’ professional efforts will outdo your amateur efforts at security.
 
As a small business, you are vulnerable for two reasons. First, serious hackers see small business as entrances into larger entities. Small firms that have any interaction with larger firms, perhaps as a subcontractor, can be easy targets for professional criminals. Second, the clients or customers of small firms are shown to be less forgiving of data compromises that occur in small businesses.
 
Security now goes beyond buying an antivirus program online. You should seek professional advice setting up security policies and business continuity plans, or testing these policies on a routine basis. A professional can spot vulnerabilities and prevent breaches before they occur.
Cyber Crime and Security for SMBs

Government regulations

  
 
Any business that stores customer payment information must comply with a number of state and federal regulations. The legal, healthcare, and financial sectors have a number of laws tailored specifically for them (such as HIPAA or CISPA). If you run almost any kind of professional practice or agency you probably have very specific data security requirements. Running afoul of these regulations puts you at risk for legal action and probably means that you have bad security in place.
 
As a professional, your focus needs to be on your clients and running your firm. Regulatory requirements to ensure data security can be complex and include rigorous testing requirements. Ensuring compliance with the regulations can be a serious distraction for you and take you into territory where your experience is limited.
 
One of the best solutions is to work with a third party who has strong credentials in the area of regulatory compliance and data security. When you are working with a third party to set up security or data storage, make sure that they have experience working in your industry. Finding a service provider with experience in your profession can give you peace of mind knowing that you can focus on running your business without the distraction of ongoing technology concerns.
Government regulations

Cybersecurity 101: You are the problem – Seriously simple steps you already know, but you don’t do

 

Look, we’ve all been there.  Complaining about all the security policy rules and how they waste your time.  Frustrated at all the passwords we have to remember.  And just when we do, ‘they’ force us to change them.  Demanding that we make them more complicated. Stronger.  Longer. Random..er.  It’s like, why even bother with new technology?  The technology that is supposed to make us more productive is making us LESS productive.  I’m sorry, but I have some news for you.  You are the problem…or at least part of the problem.  I know that sounds like bad news, but really it’s good news.  Because you can fix you.  Psychologist Henry Cloud says, “You can’t fix a problem that’s not in the room.”  So once we are all ready to admit that we are the problem, now we can start building a solution, practicing new disciplines and forming new habits.

Here are just a few security habits that you need to stop or start doing.

  1. Your password is not secure.  I can’t tell you how many times I’ve had clients give me the puppy dog eyes regarding how simple their password is.  They know it.  I know it.  We all know it. But for those that don’t, here it goes.  Sorry, your company name with a few random numbers is not secure.  No, your favorite season and the current year is no better.   While we are at it, STOP using a word from the alphabet unless you are going to use a passphrase.  What’s a passphrase?  A passphrase is a way to make you password longer while avoiding a string of random letters, characters and numbers that are impossible to memorize.  Length of passwords matter.  Hacker @TinkerSec tweeted the other day that “8 character passwords are dead.”  They said, “…we can go through the entire keyspace (upper,lower,number,symbol 95^8) of all 8 character passwords in ~5 hours (hashtype NTLM).”  That means that no matter what your password is, if it’s 8 characters, you can be hacked in 5 hours or less.  So the new norm is going to have to be longer.  I’m seeing companies starting to enforce 15 character passwords.  How is someone supposed to remember a highly complicated 15 character password?  START using Passphrases.  The fact is that the passphrase “My father wears sneakers in the pool 1” is more secure than the password “a#IKlfpao76ee” let alone “Snowball2017”.  It’s also easier to remember.  One catch is that not all systems allow this, so it is not a silver bullet.  Which means at the end of the day, it may be unavoidable for you to START using a password manager. A password manager is an app that will securely store your passwords so you can STOP using post it notes.  LastPass is a good one that I use.  There is a free version for consumers, so now you are without excuse.  All of your super complex passwords and passphrases locked tight and at your fingertips.  When I introduced LastPass to my wife, it changed her life.  In fact, she said, “Using a password manager like LastPass has removed my anxiety of passwords.  I can generate a complex password and easily copy and paste when I need to use them.”
  2. Why just one when you can do two?  I won’t spend a lot of time on this one because it is a similar concept to the first one.  STOP using only a password, and START using multiple forms of authication.  It’s called multi-factor authentication, which basically means that you need two or more separate ways to authenticate your yourself.  The concept is simple.  You will be more secure if authentication requires 2 of the following 3 items: Something you know, something you have or something you are.  Your password is something you know, and hackers have gotten quite good and compromising that.  Something you have would be like a key card, or a phone running the google authenticator app.  Something you are involves biometrics like a fingerprint scanner or something.  Using MFA is getting easier and easier to do, and it will provide much more security.
  3. You have voices in your head, use them.  My mom used to say that, “If it makes your nose wrinkle, pay attention.”   As I have stated, you know what is secure.  You know when an email looks ‘phishy’.  There is a voice deep inside all of us that understands many of these concepts,  but disciplining ourselves to listen to it and take action (or forego taking action) can be challenging.  If something doesn’t seem right, ask someone.  STOP trusting everything.  I have heard it said that you should ‘trust, but verify’.  If you get an email that looks out of the ordinary from someone, take a couple minutes to call and check.  Let them know that it looked suspicious.  For example, “Hi Bob, I got an email from you that only contained a link to a website and nothing else.  It looked suspicious, and I was going to delete it but wanted to check with you first.”  Even if it is a legit email, you are still helping the situation by letting that person know that something they did caused suspicion which might cause them to change behavior and write a little personal note with the link the next time they forward you the latest cat video.  START listening to the voices in your head.  The voices are often smarter than you think.

These tips will help get you started on the journey ahead.  So that hopefully you can STOP adding to the problem, and START becoming part of the solution.

Cybersecurity 101: You are the problem – Seriously simple steps you already know, but you don’t do

Higher goals get dragged down by Tech: The NPO story

 
 
If you are a smaller Not-for-Profit, it is likely that your organization has been driven from its inception by individuals strongly motivated with a passion for their cause or humanitarian goal. As a result, it is also possible that the leadership has little interest in developing the administrative technology infrastructure that is necessary for any organization to function in the internet age.
 
Failure to understand and focus on technology can damage an organization’s growth and success. However, NPO leadership has to be laser focused on the day-to-day struggles of the organization such as seeking funding, keeping the doors open, and pursuing the mission. As a consequence, technology infrastructure may be cobbled together as an afterthought; resource limitations may lead to short term tech decisions that can be wasteful and more expensive in the long term.
 
An NPO, with its tight budget margins, is an excellent example of an organization that could benefit from outsourcing its fundamental tech needs to a MSP. A MSP can determine short and long term needs, assess possible solutions, and propose the most cost effective tech solutions to ensure a stable, long-term tech infrastructure. Without the time or stomach for administrative distractions, NPOs may continue to use the break/fix model, making less informed tech decisions that may ultimately waste precious resources. Good and careful planning with a professional can mean a better strategic use of organizational resources far into the future.
Higher goals get dragged down by Tech: The NPO story

Password basics people still ignore

 
 
You can have all the locks on your data center and have all the network security available, but nothing will keep your data safe if your employees are careless with passwords.
  
  1. Change Passwords – Most security experts recommend that companies change out all passwords every 30 to 90 days.
  2. Require passwords that mix upper and lowercase, number, and a symbol.
  3. Teach employees NOT to use standard dictionary words ( in any language), or personal data that can be known, or can be stolen: addresses, telephone numbers, SSNs, etc.
  4. Emphasize that employees should not access anything using another employee’s login. To save time or for convenience, employees may leave systems and screens open and let others access them. This is usually done so one person doesn’t have to take the time to logout and the next take the effort to log back in. Make a policy regarding this and enforce it. If you see this happening, make sure they are aware of it.
These are just a few basic password hints, but they can make a difference.

Password basics people still ignore