Did you know that 60% of small businesses that get hacked shut down within six months? How do you keep your nonprofit from being just another statistic?
The good news is that, as a small nonprofit, you already have one BIG advantage! You are a small target. Those kinds of crimes are crimes of opportunity, which means that just putting up small defenses can go a long way toward protecting yourselves from criminals.
Think of it this way. You’re a burglar looking at two modest ranch houses. One has an open window with no car in the driveway. The other has a large dog bowl on the front porch with the name “Killer” written on it. Which one are you going to rob?
Basically, nobody’s going to pull an Ocean’s 11 on your bungalow. Your best defense is simple deterrence, especially since most cyberattacks these days start with dumb bots — programs that aren’t very smart or very crafty — that will eventually hit upon an easy target. Think of it like velociraptors testing the fences, only in this case the velociraptors are dumb, and the maintenance guy is forgetful.
With that in mind, here are a few simple things you can do to shore up your cybersecurity.
Stop Sharing Accounts
We get it: rather than create separate Salesforce accounts for your 22 volunteers, it’s a lot cheaper to just have one or two accounts they share. But that’s like giving away 22 keys to your house. Your sensitive data is only as safe as the least tech-savvy person who can access it.
Don’t Make Everyone an Admin
Speaking of Salesforce, if you try to manage it on your own, you probably have a sense of how complicated its sharing rules are. That makes it very tempting to just give nearly everybody admin access. But that’s a bad idea because admins can add and remove users. The very first thing a hacker will do when they get into your system is try to lock everybody else out. And when that happens, it’s game over.
Educate Your People
Remember what we said above about your security only being as good as your least tech-savvy staff? That also makes your people your number one line of defense. In this day and age, tech competence really should be a big part of your hiring decisions. But even the most tech-competent people will still make mistakes, which makes this next part so important.
Have Policies
You know how your bank might communicate that they will never ask for your password via email? Most hacks start with social engineering. The vampire at the door hypnotizes you into inviting them in. Basic policies around not opening the door to people with fangs, or not using work email for personal matters, can help ensure that when Flo from fundraising clicks on a fake Amazon reset link, the rest of your system is safe.
Require Long and Unique Passwords
Brute force attacks (guessing your password) are less common than the vampire-type, social engineering attacks, but they still happen, especially once a hacker has gotten into one account. If they figure out that one of your accounts is p@55w0rd1, they will try that on other accounts. And when that doesn’t work, they will try p@55word2. That is why you need to make your systems’ password requirements long and complicated. Ideally, everyone will use password management software, like LastPass or even Chrome’s autofill settings. Apart from that, we still kind of like the Correct Horse Battery Staple method. That method has its downsides, but it’s hella better than p@55word.
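To make the two points above concrete, here is an added example (our illustration, not the author’s tool or any product’s code): a Correct-Horse-Battery-Staple style passphrase generator, plus a checker that catches the disguised dictionary words the post warns about. It strips the trailing digit people bump on rotation and undoes the @-for-a, 5-for-s style swaps, so p@55w0rd1 and p@55word2 both collapse to “password”. The word list, the common-password list and the 14-character minimum are constructed for the demo; a real deployment would load a large published word list, since passphrase strength scales with the size of the list.

```python
"""Password policy helpers: a passphrase generator and a weak-password checker.
Example code added to the post; the word list, common-password list and
minimum length are constructed for the demo, not taken from any product."""
import math
import re
import secrets

# Constructed tiny word list. A real deployment would load a large published
# diceware-style list (thousands of words); entropy grows with the list size.
WORDLIST = ["correct", "horse", "battery", "staple", "orbit", "velvet",
            "cactus", "lantern", "harbor", "quartz", "meadow", "tundra",
            "walnut", "copper", "ribbon", "glacier"]

# Constructed list of the base words behind very common passwords.
COMMON_BASES = {"password", "welcome", "letmein", "admin", "qwerty", "summer"}

# Substitutions people use to make a dictionary word look "complex".
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})

MIN_LENGTH = 14  # assumed policy value for the demo


def generate_passphrase(n_words=4, wordlist=WORDLIST):
    """Pick n_words words uniformly at random with a CSPRNG (secrets, not random)."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, list_size):
    """Bits of entropy for n_words independent picks from a list_size-word list."""
    return n_words * math.log2(list_size)


def normalize(password):
    """Strip the trailing digits/punctuation that get bumped on rotation, then
    undo leet substitutions: p@55w0rd1 -> p@55w0rd -> password."""
    stripped = re.sub(r"[^a-z]+$", "", password.lower())
    return stripped.translate(LEET)


def check_password(password):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    base = normalize(password)
    if base in COMMON_BASES:
        problems.append(f"is a disguised common password ({base!r})")
    return problems


if __name__ == "__main__":
    for pw in ["p@55w0rd1", "p@55word2", generate_passphrase()]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    print(f"4 words from a {len(WORDLIST)}-word list: "
          f"{passphrase_entropy_bits(4, len(WORDLIST)):.1f} bits; "
          f"from a 7776-word list: {passphrase_entropy_bits(4, 7776):.1f} bits")
```

The entropy figure is what the “downsides” of the method come down to: four words from our 16-word demo list give only 16 bits, while four words from a 7,776-word list give about 52 bits, so the method is only as good as the list behind it and the randomness of the picks (which is why the generator uses `secrets` rather than `random`).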
Back It Up
Some time ago we spoke with a potential client whose nonprofit fell victim to ransomware. It devastated them. In our professional opinion, don’t negotiate with kidnappers. There is no guarantee you will ever see your data again. Just reset and restore. Of course that means you have to have something to restore from. Many systems can schedule regular backups to cloud services. Your tech team should also make a habit of downloading your data to physical drives at regular intervals.
Multi-Factor Everything
If you have ever tried to log into your online bank account and gotten a code texted to your phone, then you are very familiar with multi-factor authentication. Banks were some of the first companies to adopt it, which tells you something about how powerful it is. Never license any technology that does not allow you to require multi-factor authentication for all users. And always turn it on. Always. Some will complain about the extra step to access your system, which is understandable, because multi-factor authentication is annoying. But do you know what else is annoying? Alarm systems. Just like alarm systems, multi-factor authentication is an extra step, but if you care about keeping your data, and your constituents’ data, safe, it’s worth it.
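For readers who want to see what is behind that six-digit code, here is an added example (ours, not the author’s or any vendor’s implementation) of the time-based one-time password algorithm from RFC 6238 that authenticator apps use: the phone and the server share a secret, both derive a counter from the clock, and the code is an HMAC over that counter truncated to six digits. The secret below is the published RFC 6238 test secret (the ASCII string “12345678901234567890”, base32-encoded), used here only so the output can be checked; a real secret is generated per user at enrollment and never shared or reused. The verifier accepts one time step either side to tolerate clock drift, which is an assumed policy value.

```python
"""Minimal RFC 6238 TOTP generator and verifier. Example code added to the
post; the demo secret is the RFC 6238 test-vector secret, not a real key."""
import base64
import hashlib
import hmac
import struct
import time

# base32 of b"12345678901234567890", the RFC 6238 test secret (demo only).
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret_b32, submitted, at_time, window=1, step=STEP_SECONDS):
    """Server-side check: accept the code for the current step and `window`
    steps either side (clock drift). Compare in constant time so timing does
    not leak how many digits matched."""
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = int(at_time // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET_B32, now)          # what the app would display
    print("code:", code, "valid:", verify_totp(DEMO_SECRET_B32, code, now))
    print("RFC vector, T=59:", totp(DEMO_SECRET_B32, 59, digits=8))  # 94287082
```

Two practical notes for the policy above: the bank’s texted code is the weakest common form of a second factor, because a phone number can be hijacked, so prefer an authenticator app (this algorithm) or a hardware key where the vendor offers it; and the server must store each user’s secret as carefully as a password, since anyone holding the secret can compute the codes.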
It’s okay if all of this seems overwhelming. It is a lot to worry about. But every step you take makes a big difference in protecting your nonprofit and the people you serve. And we can help! We provide tech system assessments that include security evaluations and recommendations.
To learn more about protecting your nonprofit and the people you serve, check out The Best Protection Against Bad Tech: Your People!
David J. Dunn
David is the founder of Undaunted Consulting. He specializes in data management system optimization and rapid app development for social service, social justice, and environmental justice nonprofits.