A computer virus outbreak or a network breach can cost an organization thousands of dollars. Small and medium-sized nonprofits have limited resources, and their IT infrastructure is often handled by “accidental techies” and part-time IT consultants. Read seven tips for avoiding common threats at your organization.
At this point, we all know that Twitter, Facebook and LiveJournal spent yesterday battling a DDoS attack. The attack was so massive that the sites have been effectively unusable for most users and all third-party services for the last 20 hours or so. If these sites, which excel in technology, infrastructure and specialized workforce, are vulnerable to attackers and can be brought to their knees, what about our small and fragile nonprofit tech infrastructures?
Many nonprofits are required to comply with privacy regulations and other confidentiality provisions. What would happen if your data were stolen or compromised? Data leakage and downtime may result in reputation loss, turn away new and existing constituents and, in some cases, lead to legal liability.
But even if you don’t have to worry about constituents’ confidentiality, what about your donors’ information? Your internal databases? Your financial information? Security violations, if not handled appropriately and quickly, may damage the organization’s reputation and its future opportunities for growth.
The truth is that a computer virus outbreak or a network breach can cost an organization thousands of dollars. Security should be a primary concern for any nonprofit. Unlike larger organizations with dedicated security and IT staff, small and medium-sized nonprofits have limited resources. Often their IT infrastructure is handled by “accidental techies” and part-time IT consultants.
TechSoup, in partnership with GFI Software, recently published “Security Threats: A Guide for Small Nonprofits.” The article focuses on small and medium-sized nonprofits and offers tips (read below) for avoiding the threats most likely to affect such organizations.
Be prepared. Don’t let security attacks catch your nonprofit off-guard.
Seven Tips for Avoiding Common Threats At Your Organization
1. Practice “Security Awareness”
A large percentage of successful security attacks do not exploit technical vulnerabilities at all. Instead they rely on “social engineering,” a set of techniques whereby attackers make the most of weaknesses in human nature, and of people’s willingness to trust others, rather than flaws in the technology. Organizations tend to fall into one of two extremes: either employees mistrust each other to such an extent that no data or information is shared, or, at the other end of the scale, there is total, blind trust between all employees. Neither approach is desirable. There has to be an element of trust throughout an organization, but checks and balances are just as important. Employees need to be given the opportunity to work and share data, but they must also be aware of the security issues that arise from their actions.
This is why a security awareness program is so important. For example, malware often relies on the victim running an executable file to infect a computer or spread across a network. Telling employees not to open attachments or links from unknown senders is not enough. They need to understand that in doing so they risk handing all their work, their passwords and other confidential details to third parties. They need to understand what behavior is acceptable when dealing with email and Web content, and anything suspicious should be reported to someone who can handle security incidents.
Encouraging open communication across departments makes for better information security, since many social engineering attacks exploit communication breakdowns between departments: a caller claiming to be “from IT” is much harder to check when staff do not know who actually handles IT and how to reach them. Additionally, a positive working environment where people are happy in their jobs is less susceptible to insider attacks than an oppressive one.
2. Secure Your Endpoints
A lot of an organization’s information is not centralized. Even when there is a central system, information is shared between users and devices and copied many times over. In contrast with perimeter security, “endpoint” security is the idea that each device in the organization needs to be secured in its own right. Sensitive information should be encrypted on portable devices such as laptops, so that a lost or stolen machine does not turn into a data breach. Removable storage (DVD drives, floppy drives, USB ports) may be blocked if it is considered a major vector for malware infections or data leakage. Securing endpoints across a network may require extensive planning and auditing. For example, policies can be applied so that only specific computers (such as managed laptops) can connect to specific networks, and it may also make sense to restrict the use of wireless (Wi-Fi) access points.
3. Create a Security Policy for Your Organization
Policies are the basis of every information security program. It is pointless to take security precautions or try to manage a secure environment if there are no objectives or clearly defined rules. Policies clarify what is and is not allowed in an organization and define the procedures that apply in different situations. They should be clear and have the full backing of senior management. Finally, they need to be communicated to staff and enforced accordingly.
There are various kinds of policies; some can be enforced through technology, others only through people. For example, password complexity policies can be enforced automatically through Windows domain Group Policy settings. A policy that company USB sticks are not taken home, on the other hand, may have to be enforced through awareness and labeling. As with most security precautions, policies that affect security should be driven by business objectives rather than gut feelings. If security policies are too strict, they will be bypassed, creating a false sense of security and possibly new attack vectors.
4. Keep Roles Separate
Separation of duties, auditing and the principle of least privilege go a long way toward protecting an organization from single points of failure and privilege creep. With separation of duties, the damage a single employee can do by turning against the organization is greatly reduced. For example, a system administrator who is not allowed to alter the database server directly, but has to ask the database administrator and document the request, is a good use of separation of duties. A security analyst who receives a report whenever a network operator changes the firewall access control lists is a good application of auditing. If a program officer has no business need to install software on a regular basis, his or her account should not be granted that privilege (membership in the “Power Users” group on Windows, for instance). These concepts are very important, and it all boils down to who is watching the watchers.
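The auditing half of this tip is easy to automate. The script below is an added example, not part of the original article or the GFI guide: it reads a firewall’s configuration-change log, lists every rule addition for the security analyst, and flags the ones that need a closer look (a change by an account outside the network-operator group, no change ticket, or a rule that opens everything). The log format, the user names and the ticket convention are assumptions made for the example; adapt the regular expression to your own firewall’s syslog messages.

```python
"""Added example: turn a firewall change log into the report a security analyst
receives, so that rule changes are reviewed by someone other than the person
who made them. Log format, user names and ticket convention are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
2009-08-07T09:12:41 fw1 CONFIG user=jsmith action=add rule="permit tcp any host 10.0.0.5 eq 22" ticket=CHG-1041
2009-08-07T09:13:02 fw1 CONFIG user=jsmith action=commit ticket=CHG-1041
2009-08-07T23:47:19 fw1 CONFIG user=admin action=add rule="permit ip any any" ticket=-
2009-08-07T23:47:25 fw1 CONFIG user=admin action=commit ticket=-
2009-08-08T08:00:00 fw1 SESSION user=mlee action=login
"""

# Assumption: the accounts that belong to the network-operator group.
AUTHORIZED_OPERATORS = {"jsmith", "mlee"}

# One CONFIG line: timestamp, host, user, action, optional rule text, ticket.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) CONFIG user=(?P<user>\S+) action=(?P<action>\S+)'
    r'(?: rule="(?P<rule>[^"]*)")? ticket=(?P<ticket>\S+)$'
)


@dataclass
class Finding:
    timestamp: str
    user: str
    rule: str
    reasons: list  # empty list means "routine change, for the record only"


def parse_changes(log_text):
    """Yield one dict per CONFIG line; other log lines are ignored."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def audit(log_text, authorized=AUTHORIZED_OPERATORS):
    """Return one Finding per rule addition, with reasons it needs attention."""
    findings = []
    for event in parse_changes(log_text):
        if event["action"] != "add":
            continue
        rule = event["rule"] or ""
        reasons = []
        if event["user"] not in authorized:
            reasons.append("changed by an account outside the network-operator group")
        if event["ticket"] in ("-", ""):
            reasons.append("no change ticket referenced")
        if re.search(r"\bany any\b", rule):
            reasons.append("rule permits any source to any destination")
        findings.append(Finding(event["ts"], event["user"], rule, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        status = "REVIEW" if finding.reasons else "ok"
        print(f"{status:6s} {finding.timestamp} {finding.user}: {finding.rule!r}")
        for reason in finding.reasons:
            print("         -", reason)
```

Routine, ticketed changes by operators still appear in the report, because the point of auditing is that someone other than the operator sees every change; the reasons list only decides what gets escalated.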
5. Establish Backup and Redundant Systems
Although less glamorous than other topics in information security, backups remain one of the most reliable protections. Disasters do occur: hardware fails, and users (intentionally or otherwise) delete important data. A well-managed and tested backup system will get the organization back up and running in very little time compared to other disaster recovery options. It is therefore important that backups are not only automated, to avoid human error, but also periodically tested by actually restoring them. A backup system is useless if restoration does not work as advertised.
Redundant systems allow an organization to keep working even when a disaster occurs. Backup servers and alternative network connections reduce downtime, or at least keep the organization running with limited resources until all systems and data are restored.
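Because an untested backup is the most common way a restore fails when it is finally needed, the backup job itself should prove that its output can be restored. The following script is an added example, not code from the article or the GFI guide: it writes a compressed archive of a directory, extracts it into a scratch directory, compares a SHA-256 digest of every file with the original, and refuses archives whose entries would write outside the restore location. The data directory and file names are constructed so the script runs offline; point `backup_and_verify` at a real data directory and archive path in use.

```python
"""Added example: a backup run that verifies its own restorability.
Sample data is constructed inline; paths are assumptions for the demo."""
import hashlib
import os
import tarfile
import tempfile
import zlib
from pathlib import Path


def file_digests(root):
    """Map each file's path relative to root to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            digests[str(path.relative_to(root))] = digest.hexdigest()
    return digests


def create_backup(src_dir, archive_path):
    """Write a gzip-compressed tar archive of src_dir."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")
    return archive_path


def verify_restore(archive_path, src_dir):
    """Restore into a scratch directory and diff it against the source.
    Returns (ok, problems)."""
    expected = file_digests(src_dir)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        base = os.path.realpath(scratch)
        try:
            with tarfile.open(str(archive_path), "r:gz") as tar:
                # Reject entries that would land outside the restore directory.
                for member in tar.getmembers():
                    target = os.path.realpath(os.path.join(base, member.name))
                    if target != base and not target.startswith(base + os.sep):
                        problems.append(f"unsafe entry in archive: {member.name}")
                if problems:
                    return False, problems
                tar.extractall(scratch)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return False, [f"archive could not be read: {exc}"]
        restored = file_digests(scratch)
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs after restore: {rel}")
    for rel in restored:
        if rel not in expected:
            problems.append(f"unexpected file after restore: {rel}")
    return not problems, problems


def backup_and_verify(src_dir, archive_path):
    """The nightly job: back up, then prove the archive restores cleanly."""
    create_backup(src_dir, archive_path)
    return verify_restore(archive_path, src_dir)


def demo():
    """Back up a constructed data set, then show a damaged archive failing."""
    with tempfile.TemporaryDirectory() as work:
        data = Path(work) / "donors"
        (data / "2009").mkdir(parents=True)
        (data / "2009" / "pledges.csv").write_text("id,amount\n1,250\n2,75\n")
        (data / "README.txt").write_text("constructed sample data\n")
        archive = Path(work) / "donors-backup.tar.gz"
        ok, problems = backup_and_verify(data, archive)
        # Simulate a backup that "completed" but left an unusable file behind.
        with open(archive, "wb") as fh:
            fh.write(b"this is not a backup")
        damaged_ok, damaged_problems = verify_restore(archive, data)
        return ok, problems, damaged_ok, damaged_problems


if __name__ == "__main__":
    ok, problems, damaged_ok, damaged_problems = demo()
    print("good archive restorable:", ok, problems)
    print("damaged archive restorable:", damaged_ok, damaged_problems)
```

The restore check runs every time, not once a year, so a backup that silently stops working is noticed on the next run rather than on the day the file server dies.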
6. Keep Your Systems Patched
New advisories addressing security vulnerabilities in software are published on a daily basis. Keeping up with every vulnerability that applies to the software installed on the network is not an easy task, so many organizations use a patch management system to handle it. Patches and security updates are not issued only for Microsoft products but also for third-party software: for example, a desktop running a fully updated Web browser can still be compromised by visiting a Web site, simply because the browser is running a vulnerable version of Adobe Flash. It may also be important to assess the impact of a vulnerability before applying a patch, rather than applying patches religiously, and to test security updates before applying them to a live system, because from time to time vendors issue patches that conflict with other systems or were not tested for your particular configuration. Finally, security updates sometimes cause temporary downtime, for example when they require a reboot, so systems administrators often have to weigh installing an update immediately against keeping the system up and running.
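Deciding which patches to apply first is where the impact assessment above happens in practice. The script below is an added example, not from the article or the GFI guide: it takes a software inventory and a list of advisories, works out which hosts still run a version older than the fixed one, and ranks the pending updates by severity, whether the flaw is being exploited, and whether the host is a server. The hostnames, products, version numbers and advisories are all constructed for illustration and are not real vendor bulletins; in practice the inventory would come from your patch management system. Versions are compared component by component, because a plain string comparison would put 10.9 after 10.10.

```python
"""Added example: rank pending security updates across Microsoft and
third-party software. Inventory, advisories and scoring weights are
constructed assumptions, not real bulletins."""
from dataclasses import dataclass


def parse_version(text):
    """'10.1.53.64' -> (10, 1, 53, 64); a non-numeric part counts as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version string a is older than b (missing components are 0)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) < vb + (0,) * (width - len(vb))


@dataclass
class Advisory:
    product: str
    fixed_version: str       # first version that contains the fix
    severity: str            # critical, high, medium or low
    exploited_in_wild: bool  # shortens the testing window you can afford
    requires_reboot: bool    # affects scheduling, not risk


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def pending_patches(inventory, advisories):
    """Return (priority, host, advisory) for every host running a version
    older than the fixed one, highest priority first."""
    pending = []
    for host, installed in inventory.items():
        for adv in advisories:
            current = installed.get(adv.product)
            if current is None or not version_lt(current, adv.fixed_version):
                continue  # product not installed, or already fixed
            score = SEVERITY_RANK[adv.severity] * 10
            if adv.exploited_in_wild:
                score += 15
            if host.startswith("srv-"):
                score += 5  # assumption: servers hold the shared data
            pending.append((score, host, adv))
    pending.sort(key=lambda item: (-item[0], item[1], item[2].product))
    return pending


# Constructed inventory: hostname -> {product: installed version}.
INVENTORY = {
    "srv-files": {"Windows Server": "6.0.6002", "Adobe Flash Player": "10.0.45"},
    "ws-frontdesk": {"Adobe Flash Player": "10.1.0", "Firefox": "3.0.13"},
    "ws-finance": {"Adobe Flash Player": "10.0.45", "Firefox": "3.0.14"},
}

# Constructed advisories; the version numbers are made up for the example.
ADVISORIES = [
    Advisory("Adobe Flash Player", "10.1.0", "critical", True, False),
    Advisory("Firefox", "3.0.14", "high", False, False),
    Advisory("Windows Server", "6.0.6002.1", "medium", False, True),
]


if __name__ == "__main__":
    for score, host, adv in pending_patches(INVENTORY, ADVISORIES):
        reboot = " (needs reboot: schedule a window)" if adv.requires_reboot else ""
        print(f"{score:3d} {host:14s} {adv.product} -> {adv.fixed_version}{reboot}")
```

The scoring weights are deliberately simple; what matters is that the order is driven by data about the vulnerability and the host rather than by whichever update notification arrived last.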
7. Minimize Exposure
Simple systems are easier to manage, and any security issues that apply to them can be addressed with relative ease, whereas complex systems and networks make it harder for a security analyst to assess their security status. For example, if an organization does not need to expose many services to the Internet, the firewall configuration can be quite straightforward. The greater the organization’s need to be visible (an advocacy group, for example), the more complex the firewall configuration becomes, leaving room for mistakes that attackers could exploit to reach internal network services. Servers and desktops with fewer software packages installed are easier to keep up to date and manage. This concept works hand in hand with the principle of least privilege: fewer components, less software and fewer privileges reduce the attack surface and let security effort focus on real issues.
As operations and management functions become more digitized and move online, security threats will emerge faster and be more disruptive to the workplace. The amount of data and the number of devices in use have grown enormously, which demands greater vigilance. While nonprofits may lack the dedicated resources and staff to actively engage these threats, taking the measures above will help them minimize their exposure and reduce downtime and lost productivity. Regardless of your organization’s mission, following these tips consistently will foster a healthy and secure computing environment.
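A concrete way to apply this tip is to keep a short, written list of the services a host is supposed to offer and check the host against it. The following script is an added example, not from the article or the GFI guide: it parses the output of `ss -ltn` (the Linux listening-socket listing), reports any port that listens on all interfaces without being on the documented list, and generates a default-deny inbound firewall ruleset from that same list. The `ss` output, the service list and the administrative subnet are constructed assumptions for the example; on a real host, feed in the actual `ss -ltn` output and review the generated rules before loading them.

```python
"""Added example: compare what a host exposes with what it is documented to
offer, and derive the minimal firewall ruleset from the documented list.
The ss output, service list and subnet are constructed assumptions."""

# Constructed `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       511     *:443                *:*
LISTEN  0       50      [::]:445             [::]:*
"""

# Documented services: port -> (purpose, source network allowed to reach it).
# Anything not listed here should not be reachable from outside the host.
DOCUMENTED = {
    80: ("public web site", "0.0.0.0/0"),
    443: ("public web site (TLS)", "0.0.0.0/0"),
    22: ("remote administration", "192.168.10.0/24"),  # assumption: admin LAN
}

# Addresses that mean "every interface" in ss output.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN line; the header is skipped."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((addr, int(port)))
    return listeners


def exposed_but_undocumented(ss_output, documented=DOCUMENTED):
    """Ports open on all interfaces that nobody has documented a need for."""
    return sorted(
        port
        for addr, port in parse_listeners(ss_output)
        if addr in WILDCARD_ADDRS and port not in documented
    )


def firewall_rules(documented=DOCUMENTED):
    """Default-deny inbound ruleset built from the documented list (iptables)."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in sorted(documented):
        purpose, source = documented[port]
        src = "" if source == "0.0.0.0/0" else f" -s {source}"
        rules.append(f"iptables -A INPUT -p tcp{src} --dport {port} -j ACCEPT  # {purpose}")
    return rules


if __name__ == "__main__":
    for port in exposed_but_undocumented(SAMPLE_SS_OUTPUT):
        print(f"port {port} listens on all interfaces but is not a documented service")
    print("\n".join(firewall_rules()))
```

In the constructed sample the database on port 3306 is bound to the loopback address only, so it is not reported; port 445 is, because it is reachable from every interface and nobody has written down why. Each such finding is either a missing line in the documented list or a service to turn off, and either answer makes the firewall configuration shorter and easier to review.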
This article was based on and modified from a whitepaper for GFI Software, Security Considerations for Small- and Medium-Sized Businesses by Microsoft MVP Brad Dinerman.