Imagine a situation where, during your very busy day, the computer you rely on stops working due to a virus. It gets worse when you find your information has been stolen or leaked. What is especially concerning is that this unfortunate situation can be created by an employee or volunteer innocently plugging a flash drive into a computer, or by clicking a link in an official-looking email.
In some cases a data breach or virus that leaks financial or medical records is a violation of the law. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus rule that came into effect in 2013 has brought hefty fines, increased audits and strict enforcement. U.S. Department of Health and Human Services (HHS)-level fines can be $1.5 million per incident per year.
While hackers and organized crime get most of the headlines, according to a study by Symantec and the Ponemon Institute in Traverse City, Mo., most data breaches are caused by human errors and system glitches. Two key issues cited were employee mishandling of confidential data and lack of system controls.
Protecting sensitive information is of paramount importance to nonprofits of all shapes and sizes. Donors and supporters of your nonprofit would not be very happy to find that their financial and/or personal information was leaked from your computers. You can imagine both the short-term and long-term damage to your nonprofit and to your reputation in the community.
Data breaches using phishing and virus social engineering attacks are very common. Phishing scams are typically a method of email fraud in which the perpetrator sends out an email that appears to come from a legitimate enterprise (e.g., your nonprofit; your bank; your insurance company). These messages usually direct the user to a spoofed website or otherwise get you to “share” personal and/or financial information. You would be surprised at how easy it is to clone a website, yes, even yours, and fool people into trying to log on to a near perfect replica. Virus writers use tactics to persuade people to open email attachments with malware (malicious software) or a Trojan horse.
The Online Trust Alliance (OTA) in Bellevue, Wash., reported that 90 percent of breaches in 2014 could have been prevented. Security awareness and vigilance are your first line of defense. It’s easy to catch people off guard. Here are a few tips to help protect your nonprofit:
• Don’t retain too much data. Only keep sensitive information that you need for a legitimate business purpose. Is there a way you can remove or modify unneeded data elements from your records to make them less sensitive (e.g., truncating a social security or credit card number)? Develop and implement a records retention policy that outlines how long you will maintain sensitive records.
• Think about where sensitive information might be hiding. As an example, a PowerPoint presentation to your board could contain a chart built from an embedded spreadsheet that contains the Social Security numbers of your staff members.
• Implement a mobile device management program. Require authentication to unlock a device, locking out after three to five failed attempts; use encryption on mobile devices such as laptops and removable media; consider mobile device management software that allows an administrator to trigger the purging of all data from a lost or stolen device.
• Regularly review your access controls. You should restrict access to sensitive information to individuals with a valid business need to access it. If you don’t, you are vulnerable to the risk of “insider threat.” These are attacks by individuals who have a legitimate login for your network but use their access for malicious purposes.
• Use strong, complex passwords and do not share them with others. Consider requiring that they be changed several times a year.
• Do not leave your password or user name written down in view of clients or co-workers. That Post-it note on your computer monitor doesn’t offer much protection from prying eyes.
• Avoid clicking links that people send to you. Use a search engine to find the proper legitimate link or type in the web address manually.
• Discard solicitation emails, even if forwarded from a trusted friend.
• Do not download files or open attachments in emails from unknown senders. Best practice is to open attachments only when you are expecting them and know what they contain, even if you know the sender.
• Anything that sounds too good to be true probably is. Does your organization typically promise you a free Starbucks card to join a new wellness initiative by clicking on a link?
• Beware of any email, text or phone call asking for personal information, including your password. Be cautious of emails that ask you to call a number to update your account and do not divulge personal information over the phone unless you have initiated the call and are familiar with the organization. Unsolicited keywords to watch out for: verify, account, won, lottery, login, inherited, hacked, PayPal, Western Union, fax, IRS, FBI, FedEx, USPS, UPS, delivery, DHL, invoice and ADP.
• If an email seems to have poor grammar or is not properly translated, this could be an indicator that something is wrong.
• Enter sensitive login data such as passwords only on “safe” sites. The site address or URL should begin with “https://” (the “s” indicates secure) and will typically show an icon of a lock or shield. Keep in mind that “https” only means the connection is encrypted; a cloned phishing site can use it too, so check that the address itself is the one you expect.
• Protect your computer with a firewall, spam filters, anti-virus and anti-spyware software. Malware and viruses change daily. Most security software will provide regular updates to keep up with the latest threats. While these won’t protect you from all threats, they do help in some situations.
• If in doubt, don’t take a chance. It’s not worth the risk of exposing your sensitive information just to click on a link in an email or see what’s on a USB drive that you found.
As you read this list, did you think to yourself that your staff has done a good job of protecting itself? That is what the organization in the following story thought, too.
A well-known network security expert was hired to penetrate an organization. He showed up early one morning and seeded the client’s parking lot with USB flash drives, each of which had a Trojan horse file installed on it. When employees arrived for work they were quite excited to find the free gadgets lying around the parking lot. The employees gathered them like candy and some plugged them into their workstations.
While many other employees did not use the flash drives, it only took one to violate the security of their system. This type of social engineering attack is known as baiting, and the test showed the organization was more vulnerable than its leaders thought.
It was a simple example of methods that can be used by criminals to access or damage a system. How easy would it be for someone to mix some bad USB drives in with the free giveaways at a conference or trade show? Will you think about that the next time you accept a free USB drive?
The best security technology in the world can’t protect you unless your employees and volunteers understand their roles and responsibilities in safeguarding sensitive data and protecting your organization’s resources. Train your employees and volunteers to recognize common cybercrime and information security risks, including social engineering, online fraud, phishing and web browsing risks. NPT
Dan Luttrell is director of loss control for the Alliance of Nonprofits for Insurance (ANI) and Ann Shanklin is director of loss control for the Nonprofits Insurance Alliance of California (NIAC). Both NIAC and ANI are part of the Nonprofits Insurance Alliance Group, which insures more than 15,000 nonprofits in 32 states plus the District of Columbia.