Cybersecurity for your Nonprofit: How to Manage Passwords

 

Free Nonprofit Webinar! Cybersecurity for Nonprofits: How to Manage Your Passwords

 

Your nonprofit organization was created to do great things. The  organization was built to help make the world a better place. And we know your mission continues to strive to do just that. 

But there are some people out there who don’t always have the best intentions. 

And sometimes, those people target businesses and even nonprofits in what’s known as cyber attacks. 

Thankfully, there is always something you can do to make sure your nonprofit organization and donor portfolio is all protected. 

We’re discussing cybersecurity for nonprofits in this article, and you won’t want to miss it: 

Why Does Cybersecurity Matter for Your Nonprofit?

According to a report done by NTEN, experts predicted that financial damages from cyber attacks were to hit $6 trillion by the end of 2021. 

Any businesses or people who are on the internet are subject to cybersecurity attacks. That includes nonprofit organizations. 

It’s hard to think about someone doing something malicious to people and nonprofits who are only trying to do good for the world. 

But the reality is, cybersecurity for nonprofits does matter. Simply because nonprofits are not immune from cyber attacks.  

 

Why Do People Target Nonprofits for Cyber Attacks? 

Why do people target nonprofits in their cyber attacks? The answer is simple. Donor data. In fact, The Economist claims that data and information is the most valuable resource on Earth. 

And many people know that nonprofit organizations operate by collecting donor data. 

The information of your supporters may include things like debit and credit card information, home addresses, and email addresses. 

All of those are gold in the eyes of a cyber attacker. 

 

What Type of Cyber Attacks Are Nonprofits Subjected To?

Don’t worry! There are ways to keep these kinds of attacks at bay. But first, we need to know what kind of attacks are nonprofits typically up against:

 

1. Data Theft

As we mentioned, donor data is one of the biggest things that cyber attackers want to get ahold of. 

This is precisely what happened with the Blackbaud cyber attack, as well. 

At some point, a hacker obtains access to donor databases. Then, they pull the donor information from it. They sell it to the highest bidder. They’re looking for things like personal passwords, social security numbers, and private banking information. But, many will take whatever they can get. 

 

2. Forced Downtime

Another common cyberattack is forced downtime. This involves a hacker crashing your site by sending bots to overwhelm your servers. No true supporters of your nonprofit can get through to your site while it’s down. 

 

3. Malware

This is a very common cyberattack that most people think of when they consider cybersecurity for nonprofits. 

Attackers will create viruses or “Trojan horses” as a means to gain entry to your nonprofit data. They often disguise the malware as emails that look legitimate for your nonprofit organization. This might trick staff and volunteers into clicking on them. 

Once that happens, the virus or malware attacks the computer and causes problems throughout your entire system. 

 

Cybersecurity for Nonprofits: How to Prepare Your Organization

The point of the information up until now is just to inform you of what’s out there. We know it can seem scary and overwhelming. 

But cybersecurity for nonprofits does exist. And it can keep your organization and your donors’ information safe. 

Here’s a quick guide to help you prepare cybersecurity for your nonprofit: 

1. Risk Assessment

The first thing to do is better understand your organization. How do you collect data? What data do you collect? Where do you store it? Who is responsible for keeping it secure? 

Understanding all of these questions will help you prevent and prepare for any cyber attacks. It will also keep cybersecurity for nonprofits streamlined, so you’re not scrambling in the event of an attack.

Doing risk assessment and taking a look at the kind of data your organization does collect can also help you understand what you do and don’t need. Maybe, currently, your nonprofit collects home addresses. But, at the moment, you’re not sending out direct mail. If that’s the case, perhaps your nonprofit doesn’t need to collect home addresses. 

Reducing the information your nonprofit collects can reduce the risk of a data breach. 

To better help you do a risk assessment, try using NTEN’s data risk inventory template.

 

2. Provide Proper Cybersecurity for Nonprofits Training to Your Staff

Any staff members or volunteers at your nonprofit that are not trained in cybersecurity for nonprofits are potential liabilities. 

It doesn’t have to be an entire degree’s worth of information on cybersecurity training. Maybe it’s a simple training video on how to spot a scam or phishing email. Perhaps it’s a training on what’s allowed to be discussed in terms of nonprofit donor information. 

Keeping your staff updated on the best cybersecurity for nonprofits practices is a great way to ensure cyber attacks don’t happen at your organization. 

Cybersecurity Nonprofit (CSNP) also provides free cybersecurity training, webinars, and resources. 

And, of course, we at CharityHowTo offer training, webinars, and resources, too! 

 

3. Implement Cybersecurity Software to Prevent Attacks

Preventing cyber attacks before they even begin is the best way to keep your nonprofit organization safe. 

Investing in quality virus and malware nonprofit cybersecurity software is a great way to stop cyber attackers in their tracks. 

4. Use Cybersecurity Software or Hire IT Staff or Consultant

If your nonprofit organization has the budget to hire cybersecurity experts, it may be a great idea to have them as a part of your team. 

You have plenty of other things to work on to grow your mission. Having someone else who can handle cybersecurity for nonprofits for you can give you extra peace of mind. 

5. Always Take Basic Precautions

Finally, always make sure you and your nonprofit staff and volunteers are taking every basic precaution you can. 

That includes not discussing donor information online through emails or social media accounts. 

It also includes keeping passwords for your nonprofit organization safe. 

 

We have a free nonprofit webinar training from CyberJutsu all about how to protect and manage your nonprofit’s passwords. 

 

Watch it below!

 

Cybersecurity & Your Nonprofit: How to Manage Your Passwords - Video Transcript 

0:00

So much for the introduction, I'm excited to be here today with everybody, to talk about passwords and nonprofit cybersecurity, because this is what I do for a living, and I'm very passionate about it! So, glad to have this opportunity.

0:14

So, a little bit about myself, I work as a senior security researcher and emerging threats lead for a top cybersecurity company here in the United States.

0:27

I'm also sir in cybersecurity at a couple of different universities, and I am very passionate about supporting the community. So these days, I'm very engaged in various non-profits that all have something to do with cybersecurity, although in my past, I have worked for other non-profits, my previous career.

0:52

So, I totally respect how difficult this can be for many nonprofit organizations. So, the group that brought me here today is the Women Society of Cyber Jitsu.

1:03

I'm on the board of directors there, and we are actually using charity, how to, as a customer. So, so, that's how that all evolved. But, as you can see on the screen, I'm involved with many different groups, and I have four degrees, and, like, 15 industry certifications, something like that. So, I know my stuff and death, and I really love sharing it to sell.

1:26

So let's get into it.

1:29

Alright, so the first thing we're gonna do is to kick off with a check-in question. And what I want to see is, if you have any idea about what percentage of data breaches, or hacks, whatever you wanna call it, start with an attack on credentials. So in other words, the threat actors are using your login information that they've gotten somehow, or the other, right?

1:52

How many attacks do you think come from that, and we'll launch the poll if we haven't already?

2:02

I can do it.

2:05

I'm trying. But for some reason, it doesn't work out there. I think it's good, yeah.

2:10

So, yeah, so just select one of those percentage ranges, and we'll give you all a quick sector to do that.

2:34

Very curious to see what everybody thinks about this.

2:39

Alright, we're getting some feedback here, looks like.

2:45

Most people are guessing in the 61 to 80% range, which is very good because that's the right age range.

2:52

So, let's get back to, Um, yeah, here's the results, yes. So 61 to 80%, you will see in a second, you are spot on.

3:04

So, let's, let's get back to the deck here.

3:08

And, oops.

3:11

See where my deck with your gut is, OK. So, yes, the answer is 61% of breaches start with leveraged credentials as somehow or the other.

3:23

And really, it depends on who statistics you look at. I have seen the numbers up as high as in the eighties, percentage-wise, so. so that number can vary. But the point is, it's a pretty high number. And one of the things that, you know, I think is really important for companies to to understand is that your organization is a target.

3:43

Like, never think that it's not the threat actors who are doing cybercrime activity and that sort of thing. Do not really care necessarily what your business is.

3:57

You're, you're literally a target, and I've had many people say to me, Well, you know, why would anybody care about my data? Or why would anybody care about, you know, what, my non-profit does, or whatever, and they might not, right, but like it. So it shows on the screen there. First of all, first and foremost, the threat to your nonprofit cybersecurity right now is ransomware attacks. And ransomware is basically when somebody hacks into your environment, and encrypt all your files and then you have to pay a ransom to get access to your files back.

4:31

These days there's an additional wrinkle where not only do the threat actors do encrypt all your files, but they also will steal information before they do that, and then they also hold that information hostage to increase the probability that you will pay the ransom. So it's not a good situation. It's so prevalent and it just seems to get worse every day and the threat actors don't care. Even non-profits will go after. I've seen it time and time again.

5:06

So also cryptocurrency mining.

5:08

So if you're familiar with cryptocurrencies like bitcoin or whatever, you need a fair bit of processing power in order to be able to do the mining, doing air quotes that you can't see around that. But, but it's, it's processing power.

5:23

So threat actors will also get into your environments, and utilize your equipment, too to do this kind of processing. And so you might notice things like your systems running, really slow, or whatever. You don't know. Why that. That can be what's happening in the background.

5:42

It's really more of a nuisance thing, But if somebody can get into your network to do that kind of activity, it means that they can get into doing really anything. So that's a compelling reason to be aware of it.

5:55

Then also, just delivery of malware in general. There's so much malware floating around there and malware Justine's, malicious software, right? So I'm sure everybody is familiar with phishing e-mails where you might click on a link and get some malware delivered to your computer, or you might visit a malicious, or it might just be a good attachment, actually.

6:18

There are plenty of malicious attachments, things that you know, or Word Docs or Excel spreadsheets or PDF files, and you can download them from the e-mail end Presto Manifesto.

6:33

You've got an infection on your computer, so that's very common as well.

6:39

Then people will also leverage your company website and I see this so much, especially if you're running like WordPress, which is particularly vulnerable to exploits.

6:52

But really, it doesn't matter.

6:54

It could be any kind of platform that you're using as a threat actor will access your web account. Excuse me.

7:02

In order to do things like, have your, your website, be the website that's delivering these malicious links, or maybe is distributing a spam campaign behind like your mail server or something like that. So this is what I see time and time again and we describe this as compromised websites.

7:24

So, as a threat researcher, what I'm looking at a website, like, is this a malicious website, as it, like the threat actor, created it for the purpose of big malicious, Or it's a compromised website.

7:37

Which means that the legitimate website, that the threat actor has gained access to, and is using it to host no malicious files or whatever, from basically the root directory of, of your web server.

7:50

So that is something that's very, very common, OK?

7:57

So that's basically why we care about passwords when several reasons.

8:01

So what I'm going to cover today for the how-to piece of this is how to assess your organization's security posture with regard to passwords.

8:12

How to implement best practices for password management, how to create a password security policy, how to check for compromised e-mail accounts, and how to explain to your stakeholders the importance of password management, And that one is probably the most tricky of all the things.

8:28

So let's start with How to assess your organization's security posture around passwords.

8:33

So the most important thing, really, in any kind of cybersecurity assessment is, is evaluating what your assets and resources are.

8:43

And you might be familiar with like, Asset inventory, from, you know, sort of more of an Accountings viewpoint, where you're saying, You know, I have either this Windows Server, and it's worth $2000, whatever.

8:55

But, but we wanna look at it from another perspective, which is basically, who has access, and how do they get into it, and in that kind of thing.

9:05

So, these resources and assets can be any number of things, but website access to your website. Also, accounts that you have, different services like your Amazon account, for example. Does everybody in your company share a password for that?

9:22

You have two-factor multi-factor authentication, things like that are what I want to know about.

9:28

Obviously, Office 365, Google Workspace, are very big buttons in most corporate environments, access to servers and computers, remote access.

9:39

Especially with the pandemic, that's been a huge attack vector, Just threat actors using credentials to get into like VPNs and things like that, which, you know, a couple of years ago, we might not have been that familiar with roadmap access, but with everybody, more or less working from home these days, it's much more prevalent and much more exploited.

10:02

Then just really anything that you have to log into would be something that I would consider, a resource or an asset.

10:10

So how do you go about assessing your posture, here is the first thing is, I want you to use either the asset inventory template that I provided, or another one of your choosing, it's up to you.

10:26

You want to make a list of all your resources, and include information on how those resources are accessed and who has access to them, And whoever has access to your resources, or who I would consider to be your stakeholders, right? So stakeholders could be, you know, your staff, it could be your board of directors, it could be vendors.

10:49

Like, maybe your IT support company, when you start thinking about it and looking at it, you will potentially be surprised, like, how many people have access. And all these people need to be engaged in the process of protecting your organization?

11:07

So, also, another thing to check, and this is very common, and in many organizations, not just non-profits, by any stretch, is making sure that people don't keep access if they don't need it anymore. So like, maybe you had somebody who left your board of directors, you know, as a cycle out, or whatever, do they still have no access to your Office 365 resources?

11:32

This is something that you need to be fairly diligent on checking.

11:38

So, in your bonus materials, there, in, the, the, the link for the session today. You will find an Asset Inventory Sheet that I dreamed up for you, and, like I said, not an accounting once so much. Although, I suppose you could combine the two.

11:54

But just a simple one here, says, you know, the item number, which you couldn't, number.

12:00

However, you went to 1, 2, whatever, any kind of naming or numbering convention, a description of that item. So, like, you know, Windows Server 2012.

12:12

Purpose and use so maybe is that server is hit your Web server, It is your mail server, is that your Active Directory Server, things like that. Hopefully it's not all of those things.

12:24

It's good split these things up a bit.

12:27

Any kind of identifying information, you know, some organizations will use asset label's tags in that, that kind of thing where you can just use a model number and the manufacturer. Then this is an important part like who is the acid owner? So, in your organization, there should be somebody who is responsible for tracking this information.

12:47

So, this is where you would identify this person.

12:50

And really, it's going to be probably, you know, an executive director or, you know, IT support person, office manager, type person, things like that.

13:01

Um, whether or not you have multi factor authentication enabled, then access Control check. Like, periodically, you should be going through and just seeing, you know, who has accounts on this.

13:12

Who's using the accounts, so on and so forth. And you can do this for cloud services, as well, like saying, Google Workplace.

13:20

I will include that in this inventory, even though, you know, it's not a computer that you have access to, but it's still software that you have access to software as a service in the cloud.

13:35

Then also, just some thoughts around how to set of passwords well, so definitely length is a very important consideration.

13:47

Length should be at least eight characters, I really recommend more than that, like 12, at least, complexity is, Start having a mix of uppercase, lowercase numbers. Actually, the government guidance, now, is, is going away from these special characters, because it's harder for people to remember, and it doesn't really add that much to the security aspect of it.

14:11

And then aging like, how often should you change your password?

14:15

Because you shouldn't be changing your passwords on some kind of regular basis, whether that's yearly, at a minimum, or maybe every six months. I will say you don't want to do it too often.

14:27

Because then your, your users will have password fatigue and we'll lose interest in trying to keep up with, you know, like good passwords or whatever. So I gave her some examples here on the screen.

14:42

And the ones that I have on there, for weak passwords, are actually used time and time again. And there are lists that various people compile each year.

14:52

Like the top, worst passwords, better use. These are always on there. But some examples of strong passwords. 

15:04

Like this top one, my son Tom was born in 19 99, so this is a really good password, It's got a mix of uppercase, lowercase numbers, and it's very long.

15:15

And it's actually pretty easy to remember, you know, your son's name, You know, when he was born. So I do not have a son named Tom who was born in 19 99, by the way. So this is not my password. The next one is live, from a poem.

15:29

And the next one is a quote. So, so, you can use something that resonates with you, that you can remember, and that really is the best way to go about it. You'll hear these called passphrases as well, but, I mean, they're still just passwords.

15:45

Alright, so we also want to discourage the re-use of existing passwords and require users to come up with new passwords as opens age out.

15:52

So, one of the things that we see a lot two is, you know, somebody would be like doing passwords, like seasonal ones, like you know, password, summer, 21 password vault, Honeywell, and threat actors are kind of onto our little tricks about how we create passwords.

16:12

So that kind of thing is not great. Then multi-factor authentication, which I've touched on months and I'm going to touch on it again. But wherever you can implement that, do it. It will save you a lot of grief in the long run and then require the use of a password manager and password generator.

16:27

So that is another key thing.

16:31

Then again, performing annual checks and compromised passwords. So if I have time at the end, I'll share this website.

16:37

But there's a website, You can Google it. It's called, How Secure is My Password?

16:42

And you can put in your password, and it will tell you whether it's a good password, or a bad password, or whatever. They swear they're not using these passwords for anything. I don't know if I believe, though, maybe I do a variation of whatever password you normally use, but it's very eye opening. and you can have your users do this, too.

17:03

So multi factor authentication.

17:05

Number one recommendation in my organization, and we do tons of incident response engagements where basically, we go in to help companies recover after they've been breached, or hacked or whatever. And there's so many times that if multi factor authentication had been set up, it would have stopped the threat actors from getting in, and the threat vectors.

17:26

Or hacker's, you might call them, are very opportunistic. They're gonna go for like the easiest target. So, they hit your network, and there's multi factor, and they're going to move on to the next one probably. And what I mean by multi factor, then I have some an example there. Excuse me.

17:44

So, there's, there's three primary factors. It's what you know, such as password, who you are, so, biometrics, like if you use your fingerprint or the face staying on the i-phone.

17:55

And what you have like a token, um, which in most cases is a smartphone. So, what you see there is a screenshot from my phone of Amazon sending me my one-time password.

18:09

Do not share it with anybody. I am sharing it with you, but it's no longer good because they also have an element of timing. So that code is only getting be good for a certain amount of time. It really is not hard at all once you get used to it so I cannot recommend it enough. And there's many different software applications out there that you can use a Microsoft authenticator Google authenticator duo. I actually use all of these are all on my phone.

18:38

Alright. So, password managers. This is an absolute must as well. Storing passwords on paper is no Bueno, storing passwords or sending passwords back and forth by e-mail or chat or whatever. It's also terrible.

18:55

Even storing passwords in the browser, when like a browser like Chrome or something, is like, do you want to save this password?

19:01

That's an upgrade either because threat actors have figured out how to access those. So if somebody gets into your environment and knows your credentials, they're going to be able to access those passwords too.

19:10

So, so definitely go with a standalone password manager, and there's a link there to Wired Magazine article that talks about the best password managers.

19:21

So I would recommend checking that out or some other, you know, reliable source to get some idea to which password managers you could use.

19:30

Then how to create a password policy. I've provided a template for you. You can customize it for your own organization.

19:36

And it is a living document that's going to, you know, evolve as, as things change in your, your, your organization. But definitely at a minimum, you're going to include the rules around the password, so that length, complexity, aging, re-use all those things I talked about before. Sort of setting forth.

19:55

And this is just a little screenshot of the sample password policy.

20:02

Then how to check for compromised passwords. So this is another one I'll show you if I have some time at the end. For half an hour such a short time, I could talk to you for hours and hours about passwords. Not to mention all the other cybersecurity things, that there's a service called, have I been ... dot com, and you can put your e-mail or phone number in there, the phone number thing as viewer.

20:24

And it will tell you if you've been in any kind of breach. So, say, for example, LinkedIn got a few years ago, and user credentials were stolen.

20:36

All these credentials are out there in the world, being sold and re-used and whatnot. So, so, you know, if you use those credentials for LinkedIn, and you maybe also use them for your, I don't know, VPN Access, or whatever threat actors there this.

20:52

And they will do something called credential stuffing, where they'll use existing credentials that they've gotten from whatever source and try them against other resources.

21:04

Very common activity.

21:06

You can also subscribe to monitoring. A lot of credit cards and banks will offer, sort of like, dark web monitoring, will let you know if you, your e-mail address has popped up in any kind of breach And, same thing with password managers.

21:19

Any decent password manager will alert you say, it'll be like Marcel, Your e-mail address popped up and, you know, the latest XYZ breach, you should probably consider changing your credentials. So, this is a really important thing to do on some kind of regular basis.

21:38

All right. Explain to your stakeholders, the importance. So, using the different resources that I've provided here.

21:46

I would recommend creating, like, a short presentation, or maybe even a video or something where you can explain the importance of protecting passwords as a means to protect your organization. I, I'll say this now, it's the last thing, but you're potentially gonna get pushback, right? Nobody wants to do anything that's harder than what they're already doing. But the difficulty compared to the security and safety that you'll get, it's just there's no comparison. So if you have a password policy, you, everybody should have to follow that.

22:25

And one way that I've found people to get engaged is, is to have them do this in their personal lives to actually teach a lot of kids and, like different workshops and stuff about this. And I always tell them to tell their parents to do like that have been Ponce to check their e-mails and everybody's always super surprised by the results on that.

22:47

So, that was super, super fast breezed through of password protection. So, I think we have a few questions.

23:00

And How much time do I have for questions?

23:04

This is like two minutes, That's what I'm thinking while Streaming is for the end of the webinars, But if you need more time, he took it.

23:12

Oh, OK. Perfect.

23:13

In that case, I'm going to show you these other sites, and let me this for a second.

23:19

Um, so how secure is my password?

23:22

So, let's say, for example, let's use the word password and you can see there it says your password would be cracked instantly. So the red isn't that good.

23:34

If I add 1, 2, 3 at the end of it, would take a computer about a month to crack your password.

23:40

Now keep in mind, when somebody's trying to crack a password, they're not using a computer. They're using something that's called the cracking rig, right?

23:48

So there's gonna be a lot more processing power involved but I'm gonna put in let's see, usually, this is where I would have people just give me examples of passwords to try, but I'll just makeup something, let's try.

24:05

The quick brown Fox jumped over the lazy.

24:13

So, that would take 600 million. I don't even know that merge. It's some kind of master or numeric term years. And, you know, I didn't use any special characters.

24:24

I didn't do upper-lower numbers or anything, but it's very long and this works because a lot of tools are just doing this by brute-forcing character by character by character. So you think about the possibilities for a character. You've got, you know, the 26 letters of the alphabet, uppercase lowercase, that's 52, plus the digits 0 through 9 at 62 plus maybe you'd like 10 special characters that people use, that's 72.

24:50

So, you know, from a mathematical perspective, if you only have to try 72 things for each, um, each character and a password, if your password is short, that just makes it so much easier. Bits long like this, it's going to take much, much longer.

25:07

All right, let's see. That was the Wired article.

25:11

Password policy, I already showed you, Have I been out?

25:15

Alright, so, I'm going to put in here, an e-mail address of mine.

25:21

It's like my old Gmail address that I've had for forever.

25:25

And I'm just going to click on this button, and it'll tell me that, yes, this e-mail address has been found in a variety of different breaches, Right?

25:34

So you can scroll down and see theirs, one involved with the Dropbox, E vite, LinkedIn, the one that I mentioned before, My Fitness Pal. So a lot of times you don't even know that you're you've been in these breaches, right?

25:55

It's just not apparent to you companies are supposed to notify, but that doesn't necessarily always happen.

26:07

I think now is probably the time for me to go into questions and, and let me know, do I need to like stop anything, or if you got it from your end?

26:20

I will close the webinar, but you can go ahead and answer the questions.

26:25

OK, sounds good. Alright, so let's see.

26:29

What kind of credentials are we talking about? Hopefully, I've answered that one by now, Jodi, Because I covered kind of all the different possible resources.

26:36

Um, leverage credentials.

26:38

Yeah, that's just where the threat actors are using login credentials against your systems.

26:46

Password manager that I recommend.

26:49

There's LastPass.

26:51

There's one pass, key pass, you know, There's a number of different good ones out there.

26:57

If you hit that Word article, you'll see I forget how many they have in there, but there are quite a few listed.

27:06

Oh, thank you, Sarah.

27:08

And I think I think that's about it.

27:13

Does anybody have any final questions before we wrap it up?

27:20

Yeah.

27:20

Sure.

27:22

All right.

27:24

Then, Ah, well, once you lookout, as you would receive a survey on the presentation, as this is the first time we're doing this webinar, we really appreciate it if you could complete it and provide your thoughts on today's webinar. And well, that's it! Thanks, everyone, and have a great rest of your day!

27:45

Thanks by all.