Cyber security is a popular term thrown around these days. We have all heard horror stories from companies that have faced ransomware or other cyber attacks. Companies typically spend days or weeks recovering after such attacks and the average ransom payment is US $111,000. On top of that, you can expect to pay $10,000 to $50,000 in consulting fees to recover your data and ensure your computers are free of compromising software.
So, how do these attacks happen? Typically they occur because an unsuspecting colleague clicks on a link in a deceptive email (referred to as phishing) that installs malware or ransomware on their computer. From there, the malware can spread to other computers. If you are on a shared network in the office, it can spread via shared network drives. If you rely on Google Drive, this too is vulnerable to infection spread, but at least you will usually be able to restore a previous version of an infected file. Microsoft 365 also offers some protection and provides steps for recovery.
In the case of ransomware, at some point the software triggers a lock on all infected computers, preventing access to the data on them until a ransom is paid. If the ransom is not paid, the computer is rendered unusable. Other types of malware may intercept your passwords or banking information, or send spam to your contact list.
So, how do you protect yourself and your charity from ransomware, malware and other types of infections? Here are some pointers:
1. Educate yourself and colleagues on how to identify common phishing emails. Don’t just look at the name of the sender. Hover your cursor over the sender’s name to reveal the actual email address and verify the sender is who you think they are.
2. Don’t click on links that take you to an insecure site or will download software. If you receive a link from someone you trust and want to install software, instead go directly to the company website to download the product.
3. Make sure you have current antivirus and anti-malware software installed. Windows Defender and BitDefender are available through TechSoup, in addition to other products.
4. Make sure your operating system is always current with the latest security patches.
5. Make sure you have Windows firewall turned on if you are using a Windows computer.
6. Make sure you regularly back up your files, or use a cloud-based solution to store copies (e.g., Google Drive, Microsoft OneDrive or SharePoint Online).
7. Use CIRA Canadian Shield for Domain Name System (DNS) resolution, which is free for individuals. CIRA is a non-profit whose service blocks DNS resolution for known bad websites and actors, preventing you from accidentally following links to malicious sites.
8. If you have a budget for training, CIRA also offers a cybersecurity training course that will train your team on how to recognize phishing attempts.
9. Make sure your charity insurance policy includes cyber security coverage.
What other best practices will help protect you and the privacy of your donors?
10. Be careful with whom you share your donor lists.
11. Be sure to delete sensitive information when it is no longer needed.
12. Don’t store any sensitive files on your local hard drive. Instead, leverage cloud storage.
13. Encrypt all files prior to sending them via email, and always send the encryption password via a different means (text, voice).
14. Do not share usernames or passwords with your colleagues.
15. Use a separate password for each online account you have, and follow recommended password complexity rules. This may seem onerous at first, but we all have heard of websites where user email/passwords have been compromised. If you use the same password for such websites as well as your email and banking information access, you are vulnerable to identity theft or financial fraud.
16. To make management of the multitude of passwords that you will accumulate easier, leverage a cloud-based password vault manager. Here’s a link evaluating various free and commercial options.
17. Probably the most critical safeguard is to leverage two-factor/multi-factor authentication (2FA or MFA) for all your internet accounts, including email, cloud storage, and banks where offered. This involves two or more pieces of proof that you are who you say you are, usually a password plus a code sent to your phone via SMS or a code generated by an authenticator app. 2FA makes it very difficult for fraudsters to gain access to your or your donors’ personal information.
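The sender check in tip 1 (trust the address behind the name, not the display name) can be automated for an inbox or a mail rule. The following is an added illustration, not code from the original article or from CanadaHelps: it compares a From: header against an assumed address book of trusted contacts; the names and addresses in it are constructed examples.

```python
import email.utils

# Constructed address book (assumed data): the display names your
# colleagues expect to see, mapped to the addresses those people really use.
KNOWN_SENDERS = {
    "Jane Doe": "jane.doe@example.org",
    "Accounts Payable": "ap@example.org",
}

# Lower-cased lookups so "JANE DOE" and "Jane Doe" are treated alike.
_BY_NAME = {n.casefold(): a.casefold() for n, a in KNOWN_SENDERS.items()}
_BY_ADDR = {a.casefold() for a in KNOWN_SENDERS.values()}


def check_sender(from_header):
    """Classify a From: header the way tip 1 tells a person to.

    Returns one of:
      'known'                 - name and address match a trusted contact
      'display-name mismatch' - a trusted name carrying a different address
                                (the classic phishing pattern)
      'unknown'               - nobody in the address book
      'unparseable'           - header did not contain a usable address
    """
    name, addr = email.utils.parseaddr(from_header)
    name, addr = name.strip().casefold(), addr.strip().casefold()
    if not addr:
        return "unparseable"
    expected = _BY_NAME.get(name)
    if expected is not None:
        # The name is familiar; the address is what actually matters.
        return "known" if addr == expected else "display-name mismatch"
    if addr in _BY_ADDR:
        # Address is trusted even if the display name was blank or unusual.
        return "known"
    return "unknown"
```

A result other than 'known' is the cue to do what the tip says by hand: go to the colleague directly rather than clicking anything in the message.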
Mike Stairs is Chief Technology Officer at CanadaHelps, a leader in providing powerful fundraising and donation technology to charities and donors since 2000. Mike has been a senior technology manager for more than 14 years, including roles at Lavalife Corp. and Synacor. www.canadahelps.org