Cyberattacks on public sector and nonprofit organizations are on the rise, and many of these organizations find themselves ill-prepared because their data security policies and practices are inadequate to safeguard against digital attacks.
As part of National Cybersecurity Awareness Month, the Nonprofit Council hosted a cybersecurity workshop aimed at helping nonprofits adopt and strengthen cyber practices. Workshop attendees benefited from panel discussions that ranged from the recent cyberattack on a local nonprofit to ways to protect against and respond to a cyberattack.
Christian Dibrell, senior director of Sales and Channel Development of Geekdom member Sandler Partners, moderated the panel that focused on high-level guidance and recommendations for cyber best practices, risk mitigation, and threat assessment, especially for the nonprofit sector.
Financial transactions, general internet use, and socially engineered attacks on email accounts are the most common vectors for incoming cyberattacks. As it turns out, it was an onslaught of repeated financial transactions that hit a local nonprofit to the tune of $5,500 in fees.
Local Nonprofit Cyberattack Reflects Growing Trend
Bob Deschner, president of Vet TRIIP, a local nonprofit focused on services for veterans living with chronic pain, spoke about the recent cyberattack on his company. A member of the Nonprofit Council, it was Vet TRIIP’s experience that prompted the workshop aimed at helping alert other local nonprofits about the pressing need for strong cybersecurity practices.
What Vet TRIIP experienced was a card testing attack.
Stolen credit card numbers aren’t valuable on the underground market until they have been verified, so thieves use online payment pages to test whether the cards actually work. Typically, someone trying to verify a card number’s validity will attempt a donation of a few dollars to a nonprofit via its website: an approval confirms the card is live, and a decline tells the thief to discard it.
“It’s only 25 cents for every failed transaction – except we racked up $5,500 worth of (failed transaction bank) fees for the 18,311 transactions that took place in a few hours,” Deschner explained. “If you use a service like PayPal, they don’t limit the number of transactions. Now we’re liable for this bill.”
Examples like Vet TRIIP’s are becoming a costly and dangerous trend. Criminals are using poorly protected nonprofit websites to test the validity of stolen credit card numbers, racking up thousands of dollars in fees for these organizations in the process.
“Bad guys buy a list on the black web with thousands of credit card numbers,” said Jeffrey Reich, president and chief security officer at Barricade Security Systems. “They need to run those numbers to find the ones that are valid, testing each with a $2 transaction. Nonprofits tend to be the collateral damage for this illicit activity.”
Fraudsters also use for-profit retailers to verify stolen numbers, but those businesses tend to be better protected, as they require additional steps such as setting up an account and providing personal information linked to the card before a purchase can be made.
Many nonprofits forego such requirements to reduce obstacles to people making donations. That simplicity is ideal for criminals trying to test a large quantity of numbers in a short period of time.
Panelists weighed in on how to defend against this specific type of attack.
“Use captcha to slow the bad guys down,” said Adam Cason, director of product marketing at Futurex. “They can still use cheap labor to do this manually, but they will typically move on to an easier target.”
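A CAPTCHA raises the cost of each attempt, but the burst Vet TRIIP saw (thousands of small-dollar attempts, a different card each time, almost all declined) is also easy to recognize in the donation form's own logs. The following is an added example, not code from the article or from any of the panelists' companies: a sliding-window velocity check that flags a source address once its attempts in a ten-minute window are numerous, spread across many distinct cards, or mostly declined. The thresholds, the log format, the sample traffic, and the card fingerprint field (assumed to be a processor-supplied hash, never the card number itself) are all assumptions made for the example.

```python
"""Added example: velocity-based detection of a card-testing burst against a
donation form, run over a constructed log of donation attempts."""
from collections import deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional


class Attempt(NamedTuple):
    ts: datetime        # when the attempt hit the donation form
    source_ip: str      # client address seen by the web server
    card_fp: str        # assumed processor-supplied fingerprint of the card, not the card number
    amount: float       # donation amount in dollars
    result: str         # "approved" or "declined", as returned by the payment processor


def detect_card_testing(
    attempts: List[Attempt],
    window: timedelta = timedelta(minutes=10),
    max_attempts: int = 20,
    max_distinct_cards: int = 10,
    max_decline_ratio: float = 0.5,
) -> Dict[str, dict]:
    """Return {source_ip: stats} for every source whose traffic inside a sliding
    window looks like card testing: many attempts that also involve many distinct
    cards or a high decline rate. Threshold values are illustrative assumptions."""
    alerts: Dict[str, dict] = {}
    recent: Dict[str, deque] = {}
    for a in sorted(attempts, key=lambda x: x.ts):
        q = recent.setdefault(a.source_ip, deque())
        q.append(a)
        while q and a.ts - q[0].ts > window:   # drop events that fell out of the window
            q.popleft()
        if a.source_ip in alerts:
            continue                            # already flagged; keep the first trigger
        total = len(q)
        if total < max_attempts:
            continue
        distinct = len({e.card_fp for e in q})
        declines = sum(1 for e in q if e.result == "declined")
        ratio = declines / total
        if distinct >= max_distinct_cards or ratio >= max_decline_ratio:
            alerts[a.source_ip] = {
                "flagged_at": a.ts,
                "attempts": total,
                "distinct_cards": distinct,
                "decline_ratio": round(ratio, 2),
                "avg_amount": round(sum(e.amount for e in q) / total, 2),
            }
    return alerts


def build_sample_log() -> List[Attempt]:
    """Constructed traffic: two genuine donors plus one card-testing burst."""
    t0 = datetime(2017, 10, 12, 9, 0, 0)
    log = [
        Attempt(t0, "198.51.100.7", "fp_donor_a", 50.0, "approved"),
        Attempt(t0 + timedelta(minutes=3), "198.51.100.9", "fp_donor_b", 25.0, "declined"),
        Attempt(t0 + timedelta(minutes=4), "198.51.100.9", "fp_donor_b", 25.0, "approved"),
    ]
    # 30 attempts in five minutes from one address, $2 each, a different card every
    # time, and only two approvals: the shape of the burst the article describes.
    for i in range(30):
        log.append(Attempt(
            t0 + timedelta(seconds=10 * i),
            "203.0.113.42",
            f"fp_stolen_{i:03d}",
            2.0,
            "approved" if i in (7, 19) else "declined",
        ))
    return log


def flagged_sources(attempts: Optional[List[Attempt]] = None) -> List[str]:
    """Sources that should be blocked or challenged with a CAPTCHA on their next attempt."""
    data = build_sample_log() if attempts is None else attempts
    return sorted(detect_card_testing(data))


if __name__ == "__main__":
    for ip, stats in detect_card_testing(build_sample_log()).items():
        print(ip, stats)
```

On the constructed log the genuine donor who was declined once and then approved is never flagged, while the testing source trips the rule at its twentieth attempt, about three minutes into the burst, with every one of those attempts on a different card and a 90% decline rate. In practice the alert would feed a rate limiter or CAPTCHA challenge in front of the form, and the thresholds would be tuned against the organization's real donation volume.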
Panelists also discussed other types of cyber threats now plaguing nonprofits.
Thieves use ransomware to target public sector and nonprofit organizations. Once a computer’s hard drive is infected and its files encrypted, they issue a ransom demand under a tight deadline and threaten to permanently delete the data. The short deadline and the difficulty of breaking the encryption put pressure on victims to pay, but law enforcement agencies such as the FBI advise against paying, since payment neither guarantees that data will be recovered nor prevents a repeat attack. The practical defense is regular backups kept offline and tested for restoration.
CEOs and directors of nonprofits are also at risk from whaling. Criminals research the organization and its leadership, then impersonate a higher-up such as the CEO, often from a personal webmail account or a lookalike address, to trick a highly targeted employee such as the director of finance into making a fund transfer. Because so much of their leadership and staff information is publicly available, nonprofits are more prone to whaling attacks.
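The whaling pattern above has a recognizable shape in the mail headers: an executive's display name on an address outside the organization's domain, a Reply-To pointing somewhere else, and a body that combines money movement with urgency. The following is an added example, not code from the article or from any of the panelists' companies, of a simple inbound-mail screening rule built on those signals. The organization's domain, the executive roster, the keyword list, and the three sample messages are all constructed assumptions.

```python
"""Added example: screening inbound mail for executive-impersonation (whaling/BEC)
requests, using only the From, Reply-To, subject and body of constructed messages."""
import re
from email.utils import parseaddr
from typing import List, NamedTuple, Optional

ORG_DOMAIN = "example.org"               # assumption: the nonprofit's own mail domain
EXECUTIVES = {"jane doe", "sam roe"}     # assumption: names from the public staff/board list
# Language that accompanies a fraudulent transfer request; a hit alone is not proof.
PAYMENT_WORDS = re.compile(
    r"\b(wire|transfer|ach|gift cards?|urgent|today|confidential)\b", re.IGNORECASE
)


class Message(NamedTuple):
    from_header: str            # raw value of the From: header
    reply_to: Optional[str]     # raw value of Reply-To:, if present
    subject: str
    body: str


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def assess(msg: Message) -> dict:
    """Score one inbound message for executive-impersonation fraud.
    Returns a verdict ('hold', 'review' or 'deliver') and the reasons behind it."""
    name, addr = parseaddr(msg.from_header)
    reasons: List[str] = []

    # Rule 1: an executive's name on a sender address outside our domain. A personal
    # webmail account and a lookalike domain such as examp1e.org both fail this test.
    impersonation = name.strip().lower() in EXECUTIVES and domain_of(addr) != ORG_DOMAIN
    if impersonation:
        reasons.append(f"executive name '{name}' sent from external domain {domain_of(addr)}")

    # Rule 2: replies silently redirected to a different domain than the visible sender.
    if msg.reply_to:
        _, reply_addr = parseaddr(msg.reply_to)
        if domain_of(reply_addr) != domain_of(addr):
            reasons.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain")

    # Rule 3: the request itself: money movement plus pressure to act now.
    hits = sorted({h.lower() for h in PAYMENT_WORDS.findall(msg.subject + " " + msg.body)})
    if hits:
        reasons.append("payment/urgency language: " + ", ".join(hits))

    if impersonation:
        verdict = "hold"        # quarantine; verify out of band by phoning the real executive
    elif len(reasons) >= 2:
        verdict = "review"      # suspicious, route to a human before anyone acts on it
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


# Constructed samples: a genuine internal note, a CEO impersonation from webmail,
# and an outside vendor invoice whose Reply-To does not match its sender.
SAMPLES = [
    Message('"Jane Doe" <jane.doe@example.org>', None,
            "Board packet", "The agenda for Thursday is attached."),
    Message('"Jane Doe" <jane.doe.ceo@gmail.com>', None,
            "Urgent - need this done today",
            "I am in meetings all day. Please wire $9,800 to the vendor below and keep it confidential."),
    Message('"Acme Billing" <billing@acme-vendor.example>',
            "Acme Billing <ar@acme-collect.example>",
            "Invoice 4471", "Please transfer payment to the account in the attached invoice."),
]


def verdicts(messages: Optional[List[Message]] = None) -> List[str]:
    """Verdict for each message, in order."""
    return [assess(m)["verdict"] for m in (SAMPLES if messages is None else messages)]


if __name__ == "__main__":
    for m in SAMPLES:
        print(m.from_header, "->", assess(m))
```

The rule deliberately keys on the display name rather than the address, because that is what the recipient sees in a mail client. It is a screening aid, not a replacement for the control the panel describes elsewhere in this article: a payment request that arrives by email is confirmed with the requester through a second channel before any funds move.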
These are just a few of the cyber threats nonprofits face. So how can a nonprofit with a small budget and few – if any – dedicated information security resources protect itself from the wide array of cyberattacks?
Risk Management: How Do I Get Started?
“Focus on three things: People, processes, and technology,” said Omar Quimbaya, technology evangelist at Def-Logix. “People come first because they are the weakest link, being vulnerable to socially engineered attacks, (such as) ‘Win a free iPad, just click on this link.’”
All panelists agreed on the need for employee training and awareness of common cyber threats, like socially engineered ones that lure readers into opening a malicious link.
“There are four vectors at play in risk management,” Reich added. “You need to ask yourself: what is the threat, what’s your vulnerability, what is the impact from each, and what do you lose in each case, then assess the probability for each.
“You evaluate all these to evaluate what your risk appetite is. What are you willing to lose and how much? This helps you determine how much you are willing to spend to address vulnerabilities to avoid losses from a cyberattack.”
Once risks are better understood, organizations then can develop cyber policies that start with good cyber habits and detail everything from employee onboarding and training to cyber incident response.
“A cyber policy manual should be simple, so people read it and use it,” Reich emphasized. “It can start with a statement: ‘Our mission is ‘X’ and we will take steps to protect and safeguard data from our donors’ with the organization’s cyber policy.”
Worst Case Scenario: Incident Response
The best time to prepare for the aftermath of a cyberattack is before it happens – with a cyber incident response plan.
An organization’s response should be outlined as part of its plan for continuity of operations: who to contact, what actions to take, as well as what to communicate about the attack to media, stakeholders, and donors should all be detailed in a plan accessible to employees.
Implementing the plan will require training so everyone understands the plan and can respond as needed.
“You’ll need it as a minimum in any legal case you might have to pursue,” Reich said. “The first thing the judge will ask is, ‘Do you have one?’
“If not, then good luck.”
What a nonprofit must do after a breach of donor financial data, including whom it must notify and how quickly, depends on the breach notification law of the state the nonprofit is based in.
“From a legal standpoint what you have to do to secure your financial data from donors depends on the state and will determine what you do after an incident,” Cason added. “The way you implement the concepts of disclosure and notification after an attack can impact the public’s trust in and perception of your organization.”
The bottom line: Nonprofits need a solid cyber policy on how to address the impact of a cyberattack and how to mitigate that impact on the organization’s end users.
Dibrell also mentioned that cyber plans and policies are important if an organization wants to qualify for a cyber insurance policy. Cyber and privacy insurance policies cover the liability for a data breach in which donors’ personal information is stolen in a cyberattack or made public. They also cover associated losses from interruption of operations, damage to reputation, and loss of donors.
Many insurers will ask to see a company’s cyber policies, training, and protection resources in place so they can accurately assess risk.
“You could pay to have a one-time cyber assessment done to help get you started and get the cyber insurance premium reduced,” Reich recommended.
“Be sure to implement controls because your insurance policy may not pay out what you expect if you don’t follow controls according to the provisions in policy,” Cason added.
More Cybersecurity Advice and Local Resources
Panelists closed by stressing the need to access local resources and to research the many lessons learned in cybersecurity. They also offered additional advice for nonprofits.
“Get off of Windows XP, that’s a big risk,” Scott Parker, senior principal systems engineer at Symantec Corporation said. “Be sure to update your systems and get your system’s security patches, plus use strong passwords. Also, use SSL encryption for your website, it’s a fundamental way to lock your door.”
“If you store credit card information, stop,” Reich stressed. “It’s a big risk for a data breach. Never store credit card information from donors.”
“Enable two-step verification for logging into your systems,” Cason said. “Cloud-based data storage is a great option for small nonprofit organizations who can’t afford IT staff.”
“Don’t give one person access to everything cyber – use a system of checks and balances and compartmentalize that access,” Quimbaya said.
“Have at least two people with access for each authority your organization uses,” Reich said.
Educating employees on good cyber habits is possible with many available free resources, such as those at SANS.org. The local chapter of the Information Systems Security Association (ISSA) is active, with several ISSA Distinguished Fellows in San Antonio – Reich and Parker, for example – willing to offer help. San Antonio-based Digital Defense also has free training webinars available online.
The local free MeetUp group CyberDefDojo can help IT staff stay current on cyber practices as well.
“If you are not comfortable with IT and cybersecurity, then outsource that to experts,” Quimbaya said. “You want to focus on your mission.”
Dibrell reminded the participants that “the worst cybersecurity plan you can have is not to do anything at all.”