Cybersecurity Essentials for Nonprofits: Identity and Access Management 

Posted May 09, 2024 04:36 PM
Written by Vonnita Jones & Kai Dailey

This is the first of five articles covering 23 essential steps that you can take immediately to reduce the risk of cyber-attacks on your organization. Cybercriminals work full time to hack into systems and steal private information. Using automation, they often target hundreds or even millions of accounts at once. A single unprotected entrance into an account or system can be exploited by a hacker, causing significant disruption to your nonprofit’s finances and operations.

Here’s a story to illustrate. Sarah, a fundraising coordinator at a nonprofit that provides school supplies to low-income children, attempted to log in to their online donation portal one Tuesday morning. She froze. An error message flashed on the screen refusing her access. With a surge of panic, she immediately contacted David, their IT support person. David investigated and delivered grim news. Someone had gained unauthorized access to their account, likely through a stolen password, and had changed the credentials. They were locked out.

Now filled with dread, Sarah imagined that hackers were at that moment looking at their donor information – names, addresses, and potentially even credit card details. The situation had suddenly become dire.

As David worked with their cloud vendor to regain control of the account, Sarah contacted the executive director with the news, her heart heavy with worry. They would have to investigate the account hack, notify potentially hundreds of affected donors, and deal with the fallout – damaged trust, financial losses, and the nightmarish task of publicly accepting responsibility for what they would later learn was an easily preventable lapse in their cybersecurity.

In the following months, Sarah worked with a small team to recover from the cyber-attack and improve their security practices and awareness. They brought in a cybersecurity specialist who demonstrated how the situation could have been avoided by implementing multi-factor authentication (or MFA), an extra layer of security requiring a code from a phone or app in addition to a password. Without MFA, a guessed or stolen password would have been all it took for the hacker to easily gain access.

Account hacks like the fictional scenario just described happen every day, some causing minor inconveniences and others setting in motion months or years of expensive and arduous recovery. Hackers sometimes attack nonprofits on ideological grounds, but more often they seek easy, low-security targets with valuable data.

Fortunately, there are steps any organization can implement, regardless of their resources or technical expertise. Here are six of them:

Multi-Factor Authentication (MFA)

Implementing MFA adds an extra layer of security by requiring employees to verify their identity through more than one step, such as a password plus a unique code sent to their mobile device or email account. This simple step can significantly reduce the risk of unauthorized access to your organization's accounts and systems. If you are prompted to set up this option, consider enabling it, particularly for data-sensitive accounts. If you store sensitive data online with a vendor that does not offer this feature, reevaluate the vendor’s data safety capabilities and consider moving your data to a safer location.
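To make concrete why a stolen password alone is not enough once MFA is on, here is an added example (not code from the article or its authors) of a login check that requires both a password and a time-based one-time code of the kind an authenticator app produces (RFC 6238 TOTP). The user record, salt and secret are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30  # seconds per TOTP code (RFC 6238 default)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; only the hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Constructed sample account (hypothetical values, not from the article):
# a password hash plus the TOTP secret shared with the authenticator app.
SALT = b"constructed-salt-value"
USER = {
    "username": "sarah",
    "password_hash": hash_password("correct horse battery staple 2024", SALT),
    "totp_secret": b"constructed-secret-for-the-phone-app",
}


def totp_code(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the current time step, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to absorb clock drift."""
    for drift in range(-window, window + 1):
        expected = totp_code(secret, unix_time + drift * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def login(user: dict, password: str, code: str, unix_time: Optional[int] = None) -> str:
    """Return 'ok' only when BOTH factors check out.

    The distinct failure strings are for illustration; a production login
    should show the user one generic message so it does not reveal which
    factor failed.
    """
    now = unix_time if unix_time is not None else int(time.time())
    if not hmac.compare_digest(hash_password(password, SALT), user["password_hash"]):
        return "bad-password"
    if not verify_totp(user["totp_secret"], code, now):
        return "bad-code"
    return "ok"


if __name__ == "__main__":
    t = int(time.time())
    good_code = totp_code(USER["totp_secret"], t)
    print(login(USER, "correct horse battery staple 2024", good_code, t))  # ok
    # Correct (stolen) password but no valid code: still refused
    print(login(USER, "correct horse battery staple 2024", "0000000", t))  # bad-code
```

The second call is the scenario from the story: the attacker has the right password, but without the code from the phone the login is refused. The `window` argument is the usual compromise between tolerating slightly skewed phone clocks and keeping the number of codes accepted at any moment small.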

Strong passwords

Encourage the use of long, complex passwords that are difficult for cyber attackers to guess or crack. Consider implementing password policies that require regular password changes and prohibit the reuse of old passwords. The minimum standard as of 2024 is 16-character passphrases. Avoid common passwords that hackers have likely already stolen and decoded.
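The policy above (a 16-character minimum, no reuse of old passwords, no passwords that have already leaked) can be enforced at the point where a password is set. The following is an added example, not code from the article, that checks a candidate password against those rules and against a history of previous passwords; the denylist, record structure and function names are this example's own assumptions, and a real deployment would load a published list of breached passwords instead of the short constructed set used here.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import List

MIN_LENGTH = 16       # the 2024 minimum the article gives for passphrases
HISTORY_SIZE = 5      # how many previous passwords may not be reused
MIN_DISTINCT = 4      # rejects padding such as "aaaaaaaaaaaaaaaa"

# Constructed stand-in for a real breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password123"}


def _hash(password: str, salt: bytes) -> bytes:
    """Salted slow hash so the history never stores passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class PasswordRecord:
    """Per-user state: one salt (kept simple for this illustration) and the
    hashes of past passwords, newest last."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    history: List[bytes] = field(default_factory=list)


def check_password(candidate: str, record: PasswordRecord) -> List[str]:
    """Return every policy violation found; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.strip().lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(set(candidate)) < MIN_DISTINCT:
        problems.append(f"uses fewer than {MIN_DISTINCT} distinct characters")
    if _hash(candidate, record.salt) in record.history[-HISTORY_SIZE:]:
        problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
    return problems


def set_password(candidate: str, record: PasswordRecord) -> bool:
    """Apply the policy; on success, remember the new password's hash for later reuse checks."""
    if check_password(candidate, record):
        return False
    record.history.append(_hash(candidate, record.salt))
    return True


if __name__ == "__main__":
    record = PasswordRecord()
    print(check_password("password", record))          # too short and on the denylist
    print(set_password("correct horse battery staple", record))   # True
    print(set_password("correct horse battery staple", record))   # False: reuse
```

Reporting all violations at once, rather than only the first, lets the employee fix a password in one attempt instead of discovering the rules one rejection at a time.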

Password manager software

Use password management software to securely store and manage passwords for your organization's accounts. These strongly encrypted tools reduce the risk of password-related security incidents. Versions that include a browser extension make it convenient for employees to log into web accounts. Password management software also enables secure password sharing and centrally managed vaults that can be revoked when an employee separates from the organization. Use a password manager instead of storing passwords in a browser. While convenient, browser storage poses significant security risks because a browser is not as well protected as a dedicated password manager: if the web browser is compromised, all of the passwords stored in it can be exposed.

Separate admin and user accounts

For account administrators, it is crucial to separate their use of administrative accounts from their regular user accounts. This helps prevent potential security breaches that could occur if an admin's user credentials are compromised. Executive leadership should always use separate accounts because they are prime targets of hackers. This requires having two accounts, one for general user activities, and one for administrative tasks. Administrators should not use their admin accounts for general use.

Formalize the cloud account administrative role

Describe and document security responsibilities for account administrators. Designate a primary account owner responsible for data privacy and account security. Ensure both account owners and admins are trained on the cloud software's security functions and options, and that they understand that security is a shared responsibility with the vendor. They should know where the vendor's responsibilities end and theirs begin. Create a schedule of security activities to be performed regularly.

Do not assume that large cloud software vendors are 100% secure. If they are breached, you are still responsible to the individuals whose data you stored there and to any applicable regulatory entities. Vendors generally take responsibility for the security of their own servers and software, but not for incidents that occur because one of your accounts, or a web-facing form (used, for example, to collect newsletter signups), was compromised and data was lost or stolen as a result.

Phishing email training

This security measure is essential for combating the daily threat of phishing attacks. Regular training (such as monthly) improves employees’ ability to:

  1. Identify suspicious emails.
  2. Avoid engaging with a phishing email.
  3. Report potential threats promptly.

With continued training, most employees become adept at spotting sophisticated phishing attempts. This strengthens the organization's overall cybersecurity posture. Between 85% and 90% of cyber-attacks, particularly those involving stolen IDs and passwords, begin with a successful phishing email. Common methods used for phishing email training include interactive quizzes, videos, and exercises that simulate real-world phishing scenarios.

Additional Resources:

No budget for training? You don’t need to build phishing email training from scratch. Sharing a simple video or blog post, like these from the National Cybersecurity Alliance and TechTarget, can be an effective start.

Are you leading your organization’s security effort? If you’re not a techie, check out the National Cyber Security Centre’s tutorial, Phishing Attacks: Defending Your Organization.