Security Threats: A Guide for Small and Mid-Sized Nonprofits

 

Security attacks — whether in the form of malicious Internet content, theft of physical devices, authentication and privilege violations, or denials of service — can catch nonprofits off-guard, especially smaller and mid-sized organizations that may be unaware of possible threats, and unprepared to deal with them once they occur.

Yet data leakage, down-time, and reputation loss resulting from such security violations can easily turn away new and existing constituents if such situations are not handled appropriately and quickly. This may, in turn, impact on the organization’s reputation and future opportunities for growth. A computer virus outbreak or a network breach can cost an organization thousands of dollars. In some cases, it may even lead to legal liability and lawsuits.

The truth is that many organizations would like to have a secure IT environment but very often this need comes into conflict with other priorities. Nonprofits often find the task of keeping the business functions aligned with the security process highly challenging. When economic circumstances look dire, it is easy to turn security into a checklist item that keeps being pushed back. However the reality is that, in such situations, security should be a primary issue. The likelihood of threats affecting your organization will probably increase and the impact can be more detrimental if it tarnishes your reputation.

This article aims to help small and medium-sized nonprofits focus on threats that are likely to have an impact on, and affect, the organization. These threats specifically target small and medium-sized organizations with “accidental techies” part-time IT consultants, rather than larger organizations with dedicated security and IT staff.

1. Practice “Security Awareness”

A large percentage of successful security attacks do not necessarily exploit technical vulnerabilities. Instead they rely on “social engineering” — a set of techniques whereby attackers make the most of weaknesses in human nature rather than flaws within the technology — and people’s willingness to trust others. Organizations may fall into one of two extremes: either employees mistrust each other to such an extent that the sharing of data or information is nil, or, at the other end of the scale, total, blind trust between all employees. Yet neither approach is desirable. There has to be an element of trust throughout an organization, but checks and balances are just as important. Employees need to be given the opportunity to work and share data, but they must also be aware of the security issues that arise as a result of their actions.

This is why a security awareness program is so important. For example, malware often relies on victims to run an executable file to spread and infect a computer or network. Telling your employees not to open emails from unknown senders is not enough. They need to be told that in so doing they risk losing all their work, their passwords, and other confidential details to third parties. They need to understand what behavior is acceptable when dealing with email and Web content. Anything suspicious should be reported to someone who can handle security incidents.

Encouraging open communication across different departments makes for better information security, since many social engineering attacks abuse the communication breakdowns across departments. Additionally, it is important to keep in mind that a positive working environment where people are happy in their job is less susceptible to insider attacks than an oppressive workplace.

2. Secure Your Endpoints

A lot of information in an organization is not centralized. Even when there is a central system, information is often shared between different users and devices and copied numerous times. In contrast with perimeter security, “endpoint” security is the concept that each device in an organization needs to be secured. It is recommended that sensitive information is encrypted on portable devices such as laptops. Additionally, removable storage such as DVD drives, floppy drives, and USB ports may be blocked if they are considered to be a major threat vector for malware infections or data leakage. Securing endpoints on a network may require extensive planning and auditing. For example, policies can be applied that state that only certain computers (such as laptops) can connect to specific networks. It may also make sense to restrict usage of wireless (Wi-Fi) access points.

3. Create a Security Policy for Your Organization

Policies are the basis of every information security program. It is useless taking security precautions or trying to manage a secure environment if there are no objectives or clearly defined rules. Policies clarify what is or is not allowed in an organization as well as define the procedures that apply in different situations. They should be clear and have the full backing of senior management. Finally, they need to be communicated to the organization’s staff and enforced accordingly.

There are various policies, some of which can be enforced through technology and others which have to be enforced through human resources. For example, password complexity policies can be enforced automatically through Windows domain policies. On the other hand, a policy which ensures that company USB sticks are not taken home may need to be enforced through awareness and labeling. As with most security precautions, it is important that policies that affect security are driven by business objectives rather than gut feelings. If security policies are too strict, they will be bypassed, thus creating a false sense of security and possibly create new attack vectors.

4. Keep Roles Separate

Separation of duties, auditing and the principle of least privilege can go a long way in protecting an organization from having single points of failure and privilege creep. By employing separation of duties, the impact of a particular employee turning against the organization is greatly reduced. For example, a system administrator who is not allowed to make alterations to the database server directly, but has to ask the database administrator and document his actions, is a good use of separation of duties. A security analyst who receives a report when a network operator makes changes to the firewall access control lists is a good application of auditing. If a program officer has no business need to install software on a regular basis, then his or her account should not be granted such privileges (“power user” on Windows). These concepts are very important and it all boils down to who is watching the watchers.

5. Establish Backup and Redundant Systems

Although less glamorous than other topics in Information Security, backups remain one of the most reliable solutions. Making use of backups can have a direct business benefit when things go wrong. Disasters do occur and an organization will come across situations when hardware fails or a user (intentionally or otherwise) deletes important data. A well-managed and tested backup system will get the organization back up and running in very little time compared to other disaster recovery solutions. It is therefore important that backups are not only automated to avoid human error but also periodically tested. It is useless having a backup system if restoration does not function as advertised.

Redundant systems allow an organization to continue working even if a disaster occurs. Backup servers and alternative network connections can help to reduce downtime or at least provide a business with limited resources until all systems and data are restored.

6. Keep Your Systems Patched

New advisories addressing security vulnerabilities in software are published on a daily basis. It is not an easy task to stay up-to-date with all the vulnerabilities that apply for software installed on the network; therefore, many organizations make use of a patch management system to handle the task. It is important to note that patches and security updates are not only issued for Microsoft products but also for third-party software. For example, although the Web browser is running the latest updates, a desktop can still be compromised when visiting a Web site simply because it is running a vulnerable version of Adobe Flash. Additionally, it may be important to assess the impact of vulnerability before applying a patch, rather than applying patches religiously. It is also important to test security updates before applying them to a live system. This is because, from time to time, vendors issue patches that may conflict with other systems or that were not tested for your particular configuration. Additionally, security updates may sometimes result in temporary downtime: for example, when they require a machine reboot. Systems administrators often have to choose between installing security updates immediately and keeping the system up and running.

7. Minimize Exposure

Simple systems are easier to manage and therefore any security issues that apply to such systems can be addressed with relative ease. However, complex systems and networks make it harder for a security analyst to assess their security status. For example, if an organization does not need to expose a large number of services on the Internet, the firewall configuration can be quite straightforward. However, the greater the organization’s need to be visible — an advocacy group, for example — the more complex the firewall configuration will be, leaving room for possible security holes that could be exploited by attackers to access internal network services. When servers and desktop computers have fewer software packages installed, they are easier to keep up-to-date and manage. This concept can work hand in hand with the principle of least privilege. By making use of fewer components, fewer software and fewer privileges, you reduce the attack surface while allowing for security to be more focused to tackle real issues.

Conclusion

As operations and management functions become more digitized and online, security threats will emerge even faster and more disruptive to the workplace. Moreover, the amount of data and devices that are used have increased exponentially, which now requires a greater sense of vigilance. While nonprofits may lack the dedicated resources and staff to actively engage these threats, taking these above measures will ensure that they minimize their exposure to these risks, and can reduce their downtime and lost productivity. Regardless of your organization’s mission, following these tips consistently throughout your organization will foster a healthy and secure computing environment.