Computers and the Internet are an integral part of everyday life. Consequently, so are security risks associated with their use. According to statistics compiled by TechJury, approximately 30,000 websites experience hacks or cyber-attacks every day, and last year alone, 50% of nonprofits faced cyber-attacks.
Any nonprofit organization in the United States handling specific types of data and information must take measures to address cybersecurity risks. Understanding what a cyber-attack looks like and knowing the steps to take to address these risks and ensure data security is critical.
Here at Lamb Insurance Services, we understand the cyber-security needs of nonprofit organizations better than anyone else. Familiarize yourself with basic cyber liability protection considerations to help you understand cybersecurity and take the appropriate steps to protect your data.
Cyber-Security Risks Faced by Nonprofits
Although any organization operating a website or online application faces a certain degree of risk, specific activities may increase a nonprofit organization's risk of a cyber-attack.
These activities fall into three categories: e-commerce and money processing, storing and transferring Personally Identifiable Information (PII), and collecting user information and preferences.
Consider the following examples to determine if your nonprofit falls into one of these categories:
• Money processing: A nonprofit organization processing donations or running an e-commerce storefront (e.g., merchandise) on its website
• PII storage and transfer: Using a cloud-based solution to store important files, such as donors’ personal data. Examples include full names, dates of birth, employee records, drivers’ licenses, social security numbers (SSNs), email addresses, and physical addresses.
• User data collection: Collecting survey answers regarding donors’ or organization members’ preferences, habits, etc.
Cyber-Threats Targeting Nonprofits
Malicious actors employ various methods and techniques to steal data from nonprofit organizations. Here are some of the most common cyber-attacks a nonprofit might experience.
Denial-of-service attacks (DoS and DDoS)
A denial-of-service attack is one of the most common types of cyber-attacks. There are two types: the standard denial-of-service (DoS) attack and the distributed denial-of-service (DDoS) attack.
Every machine connected to the internet can support only a limited number of simultaneous connections and requests. A DoS attack exploits that limit to flood the target computers or servers with bogus connections, blocking legitimate users from accessing the website. A DDoS attack works on the same principle but sends traffic from multiple different sources, making it more challenging to stop.
Although DoS and DDoS attacks do not directly result in the theft or loss of an organization’s data, hackers frequently employ these attacks to cause disruptions, distract the organization’s IT or security team, and make another attack harder to detect.
Social engineering and phishing
A social engineering attack is a cyber-attack relying on weaknesses in an organization’s human element. It works by exploiting trust and human error instead of systems or hardware; for example, an attacker poses as a legitimate individual and tricks someone into simply giving away a password or sensitive data.
One of the most common forms of social engineering today is phishing attacks. A typical phishing campaign mimics a legitimate organization’s email communications or websites to trick users into entering their information.
Data exfiltration
A data exfiltration attack refers to unauthorized persons employing any method at their disposal to access, copy, and remove critical data from devices and networks they are not authorized to access. Examples of media targeted by data exfiltration attacks include computers, laptops, mobile phones, or servers.
There are two types of data exfiltration attacks: outside attacks and insider jobs. An outside attack typically involves malware (malicious software like computer viruses) injected into an organization’s devices. If successfully injected, malware programmed for data exfiltration can search for and target specific information.
Insider attacks involve malicious organization members abusing their privileges or access to the organization’s hardware and intentionally leaking the data to bad actors.
Ransomware
A ransomware attack refers to a cyber-attack where a malicious actor injects a specific type of malware into the target systems. After activation, the malware blocks access to the data, typically by encrypting it.
The attackers then inform the users that if they wish to recover access to their data, they must pay a ransom or face a threat, such as leaking the data publicly, deleting it, or further increasing the ransom. The FBI recommends against paying ransoms per the No More Ransom Project, as paying victims are more likely to be targeted again.
Essential Cyber-Security Questions to Ask
As a nonprofit organization, here are a few essential questions to ensure your systems possess adequate protection against the most common cyber threats.
1. Is your organization protected against an email breach?
Email security is critical in any organization. Implementing robust email breach protection practices is one of the basic steps to ensure your organization has a degree of protection against attacks such as phishing campaigns.
Consider the following simple steps to improve email security:
• Educate your members with security awareness training, for example, how to distinguish suspicious emails from legitimate ones
• Keep email software up-to-date
• Implement an email safety policy, such as instructions on what type of information can be shared via email
• Activate multi-factor authentication
• Use long, strong passwords like FBI-recommended passphrases
2. Is your organization vulnerable to business interruption from hacked software or systems?
System or service interruption due to a cyber-attack (usually a denial-of-service attack) can prevent your organization from functioning entirely, causing what the insurance industry calls Business Interruption (BI).
Even as a nonprofit organization, a BI event can be exceptionally costly. The best way to protect yourself against the damages and losses caused by a cyber-attack is to get cyber liability insurance from a trusted partner like Lamb Insurance Services.
Cyber liability insurance is critical for any nonprofit organization that routinely handles donations, personally identifiable information (PII), and other data that attackers target frequently. Nonprofit cyber liability insurance products comprise two elements: first-party and third-party coverage.
• First-party cyber liability covers the financial and material damages sustained due to the attack. It can also include investigative and data recovery services.
• Third-party cyber liability covers damages sustained by your customers or partners due to the data breach, such as legal fees, settlement costs, or media liability expenses.
3. Is your website protected from ransomware attacks?
Ransomware attacks result from successful malware injections into your organization’s systems. The following are some of the ransomware protection best practices for your nonprofit organization:
• Keep your antivirus, firewall, anti-malware software, and other security tools up-to-date, and scan your systems regularly, at least once a week, to detect ransomware infections before they trigger.
• Implement a data backup solution, allowing you to recover encrypted and ransomed data in case essential malware protection methods fail.
• Encrypt your data to protect it from a leak even if you do not pay the ransom.
• Educate your employees and organization members on cyber safety, such as avoiding suspicious links and not inserting unknown USB drives and other portable media into organization computers.
• Get cyber liability insurance from experienced providers like Lamb Insurance; they can provide you peace of mind against ransomware threats.
Cyber Liability Insurance for Nonprofits
Lamb Insurance Services is the largest and most trusted insurance provider for nonprofit organizations in the United States. We offer comprehensive insurance coverage and risk management solutions for nonprofits and social service organizations in the United States. Contact us today to request a quote.