Prepare to shield your nonprofit from a cyber event more than 2,000 times today — because that’s how often hackers attack.
According to a study by the University of Maryland, a hacker tries to gain access to sensitive information every 39 seconds. Phishing is one of the most common types of attacks — it’s easy for a hacker and the consequences can be severe on the victim.
What is Phishing?
If you’re new to cyber lingo, “phishing” refers to the practice of posing as a trusted source in order to induce individuals to reveal personal information, such as passwords and credit card numbers, using fraudulent emails. This is just one of the many ways hackers try to get access to your information.
Hackers find the weakest link (spoiler alert — this is a person in your nonprofit) to gain access to sensitive information and infiltrate your organization. Being unaware or inattentive to something “phishy” can have costly consequences.
Cyberattacks Can Happen to Anyone
Take, for instance, the case of one nonprofit who recently fell victim to a phishing attack that was so simple, yet sophisticated enough to threaten an employee’s livelihood and threaten the entire nonprofit’s systems on multiple fronts.
A nonprofit’s employee received an email. It came from what seemed to be a trusted source, and everything appeared legitimate.
The email asked the employee for their username and password, and since the sender appeared to be a trusted source, they shared that information.
What the employee didn’t know, however, was that the trusted email account had been hacked and was actively sending out phishing emails.
Using the employee’s information, the hacker wasted no time creating havoc — gaining access to the employee’s email system, setting up private folders, changing preferences to hide password reset requests for various sites, and accessing the employee’s online banking and payroll information.
You can imagine how fear set in when the employee realized their paycheck was not deposited to their account. Thankfully, the employee immediately alerted their IT team, who quickly jumped in to investigate and help prevent further attack.
Luck was also on the side of the employee — this time — in getting the payroll reversed in time to go back to the employee’s account. These results are not likely in most situations.
A Compromised Network is a Major Problem
Potential consequences from phishing attacks don’t usually stop with affecting just one individual — others include, but are not limited to:
- Disruption to operations
- Costs to release your files from ransomware (being held hostage)
- Fees for IT forensic specialists
- Credit monitoring expenses
- Frozen accounts and loss of money
- Negative reputation and loss of trust from funders and community members
- Damage to or loss of assets and business-critical information
Protect Your People and Property from Cyberthreats
It’s your turn — prioritize cyber safety for your nonprofit and system users and talk to your broker about a cyber policy.
Be sure to also ask about NIA’s NONPROFITS OWN® enhancement endorsement to your general commercial liability policy, which may cover some expenses due to a cyber event.
Your people are your first line of defense — and the more prepared they are, the more effective they can be against cyberthreats.
Be Vigilant and Aware with Every Email
- Do not click links or download attached files
- Verify requests by email and phone
- Have an IT professional verify the safety
Practice Safe Cyber Hygiene
- Do not use the password(s) you use for work for any other site
- Use complex passwords and multi-factor authentication
- Report any suspicious emails or texts you receive, even if it might be legitimate
- Never give your username, password, or any other credentials to any source, even if the person asking for it is someone you connect with regularly
Create a Culture of Safety
- Provide routine training and education to all users of your nonprofit’s systems on how to identify and report scams
- Promote a culture to encourage reporting anything suspicious
- Only provide emails or other technology and system access to employees (you can monitor and control activity, allowing a response to potential and actual threats)
- Frequently remind users to never give their credentials to any source, even a reliable one
- Send reminders routinely on cybersecurity and safe practices
- Train your organization to never ask for login credentials — or provide them if someone asks
- Limit access to employees only — you have less control and ability to check the activity of volunteers
Talk to NIA about Risk Management Services
Your NIA membership includes access to multiple resources to help you manage risks.