With more than a trillion dollars flowing last year from donors and government agencies to grantees in the United States alone, online thieves have discovered fertile hunting ground. In the three years since hackers stole usernames, passwords, IP addresses, and other account data from some 700,000 nonprofits that used the Urban Institute’s online tax filing system, cyberattacks have only gotten more clever, and the stakes higher.
To thwart hackers, organizations in the philanthropy space need to focus on both common security practices and their special vulnerabilities, from the bottom to the top of the organization.
Foundations and nonprofits have the same security concerns as any business, but they also have particular needs based on their mission-driven orientation compared to, say, a retailer or bank. "You often have part-time or volunteer employees, and they like to be helpful," says Mark Walker, knowledge management and technology officer at the Jessie Ball duPont Fund. "And many philanthropic workers wear multiple hats, which means the person responsible for watching over security may not have time to be as thorough as they'd like."
Philanthropy often involves large transfers of money between organizations or people who don't interact daily. That gives hackers an opportunity to trick inexperienced employees who are unfamiliar with how cyber-crooks operate. "They'll contact you with a sense of urgency to act," says John Mohr, chief information officer at the MacArthur Foundation. "If the president of your foundation asks you to wire money quickly, you might not stop to wonder if it's really her."
The most common type of attack seen by foundations is phishing — sending employees forged emails with links to look-alike sites mimicking Gmail, a financial website, or a social media site, in hopes that an unsuspecting employee will try to log in, thereby disclosing her username and password to a Web server that looks like the real thing. Once a cyber-burglar gets into one account, he can use it to pry information from other members of the team, or even donors or grantees.
Nonprofits, with employees who are generally accepting, are prime targets for the advanced version of phishing known as spear phishing — a phishing attack customized for a specific person. The spear fisher may break into an employee's email and read messages for weeks, learning to mimic a trusted correspondent until a promising moment arises.
Then, masquerading as a manager, an executive, a big donor, or even a longtime colleague, the hacker will send a convincing email to his target requesting a money transfer, password change, or confidential information ASAP: "I'm about to get on a plane and Connie isn't available. We don't want to lose this one." Accomplished spear phishers, after reading your email for a while, might even know the private jokes you share with the friend they're impersonating.
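The warning signs described above (a trusted display name on an unfamiliar address, a Reply-To that redirects the conversation, urgency combined with a money or credential request, and links to look-alike domains) can be checked mechanically before a message reaches an inbox. The following is an added example, not code from the article or from Fluxx, and the foundation name, the executive's name and address, the trusted domains, the keyword lists and the sample messages are all constructed for illustration:

```python
"""Toy screening of inbound email for the spear-phishing patterns described above."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical directory: display names that appear in executive requests and the
# only address each is allowed to send from.
KNOWN_SENDERS = {"maria alvarez": "maria.alvarez@example-foundation.org"}
# Hypothetical registrable domains the organisation and its staff legitimately use.
TRUSTED_DOMAINS = {"example-foundation.org", "google.com"}

URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|about to (get on|board))\b", re.I)
MONEY = re.compile(r"\b(wire|transfer|payment|gift cards?|password|account number)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def skeleton(text: str) -> str:
    """Collapse common look-alike substitutions so 'g00gle' and 'rnail' compare as 'google' and 'mail'."""
    t = text.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", "")):
        t = t.replace(fake, real)
    return t


def registrable(host: str) -> str:
    """Last two labels of a hostname (toy approximation of the registrable domain)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike(host: str):
    """Return the trusted domain this host imitates, or None if it is trusted or unrelated."""
    if registrable(host) in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if skeleton(trusted.split(".")[0]) in skeleton(host):
            return trusted
    return None


def screen(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' but address {addr} (expected {expected})")
    target = lookalike(addr.split("@")[-1]) if "@" in addr else None
    if target:
        findings.append(f"sender domain {addr.split('@')[-1]} imitates {target}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY.search(body) and MONEY.search(body):
        findings.append("urgent request involving money or credentials")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        target = lookalike(host)
        if target:
            findings.append(f"link to {host} imitates {target}")
    return findings


# Constructed sample messages (not real traffic).
SUSPICIOUS = """From: Maria Alvarez <maria.alvarez@examp1e-foundation.org>
Reply-To: maria.alvarez.exec@mail-relay.example.net
To: grants@example-foundation.org
Subject: Quick wire before my flight

I'm about to get on a plane and Connie isn't available. Please wire the
grant payment today, we don't want to lose this one. Confirm your login
here first: https://accounts.g00gle-secure.com/signin
"""

LEGITIMATE = """From: Maria Alvarez <maria.alvarez@example-foundation.org>
To: grants@example-foundation.org
Subject: Thursday agenda

Attached is the agenda for Thursday: https://example-foundation.org/agenda
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, screen(sample) or "no findings")
```

The point of the example is the combination: any one signal (an urgent tone, a new address) is common in legitimate mail, but a message that trips several at once is exactly the "president asks you to wire money quickly" case, and the output gives the recipient concrete reasons to pick up the phone instead of replying.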
How can an organization fight back if it can't afford a full-time senior security expert? Walker and Mohr offer three steps every philanthropic organization should follow:
1. Train every team member. Training is Job #1. "You need to create a culture of security," says Walker. "Every member of your staff needs to understand the effect of a break-in on your reputation, and your donors — who might not come back."
Everyone with access to your network, or to team members who might have access to the network, should be trained regularly on how to recognize phishing and spear phishing emails, how to identify potential scams and fraud, and how to keep your organization from letting its guard down.
A common practice is to have security staff send out phishing emails on a periodic basis and/or conduct spear phishing attacks on unwitting employees to identify people who haven't yet learned to be careful. "Don't shame people," Walker says. "It's counterproductive." Instead, meet with people who fall for test attacks privately to help them understand how to avoid being taken in by a real scam.
The Department of Homeland Security offers free tests designed to measure an organization's vulnerability to cyber-attacks, and the Nonprofit Technology Center in San Francisco has published guidelines that nonprofits can follow. There are also companies like KnowBe4 that will be happy to provide a quote for an analysis of your organization’s vulnerabilities and to train staff.
2. Don't rely on passwords alone. Two-factor authentication (2FA), a form of multi-factor authentication (MFA), augments a standard password with a second challenge for anyone trying to log in to your site. Banks, financial firms, online email, and social media networks have all adopted some form of 2FA, which they prod their users to adopt. The most common is a system that, after you've entered your password, sends a text message to your phone with a temporary second passcode that you have to type in. "It takes ten minutes to set up Gmail with MFA," Mohr says. "Not only your staff, but your grantee and their volunteers should be using it."
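To make concrete what the "second challenge" does on the server side, here is an added example of the texted-passcode flow just described; it is not code from the article or from any of the foundations or vendors mentioned. It assumes the passcode is handed to an SMS gateway that is not shown, and the five-minute lifetime, the three-attempt limit and the sample users are constructed choices for illustration:

```python
"""Server side of a texted one-time-passcode second factor: issued only after the
password checks out, short-lived, single-use, and limited to a few guesses."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: passcode expires after five minutes
MAX_ATTEMPTS = 3         # assumed policy: three wrong guesses void the passcode


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class SecondFactor:
    def __init__(self, clock=time.time):
        self._clock = clock               # injectable so expiry can be tested
        self._key = secrets.token_bytes(32)  # server secret keying the stored code digests
        self._pending = {}                # user -> (digest, expiry, wrong_attempts)

    def _digest(self, user: str, code: str) -> bytes:
        # Store a keyed digest rather than the code so a leaked table is not directly usable.
        return hmac.new(self._key, f"{user}:{code}".encode(), "sha256").digest()

    def issue(self, user: str) -> str:
        """Create a fresh six-digit code; the caller passes it to the SMS gateway (never log it)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (self._digest(user, code), self._clock() + CODE_TTL_SECONDS, 0)
        return code

    def verify(self, user: str, code: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                  # nothing outstanding, or already consumed
        digest, expiry, attempts = entry
        if self._clock() > expiry or attempts >= MAX_ATTEMPTS:
            del self._pending[user]       # expired or exhausted: the user must start over
            return False
        if hmac.compare_digest(digest, self._digest(user, code)):
            del self._pending[user]       # single use: the same code cannot be replayed
            return True
        self._pending[user] = (digest, expiry, attempts + 1)
        return False


class LoginService:
    """Password first, then the second challenge; the code is never issued for a bad password."""

    def __init__(self, second_factor: SecondFactor):
        self._users = {}                  # user -> (salt, password hash)
        self._mfa = second_factor

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, hash_password(password, salt))

    def start_login(self, user: str, password: str):
        """Return the passcode to text to the user, or None if the password is wrong."""
        record = self._users.get(user)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        return self._mfa.issue(user)

    def finish_login(self, user: str, code: str) -> bool:
        return self._mfa.verify(user, code)


if __name__ == "__main__":
    service = LoginService(SecondFactor())
    service.register("alice", "correct horse battery staple")   # constructed sample user
    texted_code = service.start_login("alice", "correct horse battery staple")
    print("second challenge passed:", service.finish_login("alice", texted_code))
```

The design choices are the ones a reviewer would look for: the code is issued only after the password verifies, it expires, it cannot be replayed, a handful of wrong guesses voids it, and comparisons use constant-time equality so timing does not leak which digits matched.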
The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, offers a primer on multi-factor authentication. Which system do the foundations we spoke with use? They asked us not to tell — and that's the way your team should be thinking.
3. Keep your software legit. It can be tempting, on a shoestring budget, to resort to borrowed or old software that does the job well enough. But you need to think like a scammer: Many free downloads are rigged with a back door, and out-of-date software can be vulnerable to hackers for whom breaking into computer networks is a full-time job.
It Never Ends
Creating a culture of security means more than installing the right software or enforcing two-factor authentication. Employees should be trained and tested regularly, as well as reminded to take security precautions with them when they go home. Are they using 2FA on their personal Gmail account? What about their accounts on Amazon, LinkedIn, Instagram, and other sites they don't think of as work-related?
Walker and Mohr both agree that management, starting at the top, needs to encourage and reward caution. "When in doubt, it should be okay for a new employee to pick up the phone and call the CEO to see if she really emailed from the airport telling them to change an account password," says Walker. Likewise, incoming calls from strangers with requests for information or action should be verified with a manager or co-worker in the know. Posing as someone we are inclined to trust is the oldest trick in the scammer's book — it plays on our desire to be helpful and do good.
The biggest challenge to keeping your organization secure is resisting the urge to think you're all set. New security risks are constantly emerging and break-in methods constantly evolving. "It's a never-ending process," says Mohr. "You can't just cram for the annual compliance test."
Dan Schoenfeld is chief evangelist at grants management software company Fluxx.