Current world events have the globe on high alert. As the situation in Ukraine has continued to evolve, governmental agencies have continued to release notices warning of increased cyberattacks across many industries, along with guidance on strengthening threat detection and response capabilities. Given this, your social good organization may be taking a fresh look at its cyber security practices to make sure you are well protected.
Here at Blackbaud, our Global Trust and Security Program is taking this matter very seriously, and the protection of our customers is top of mind. Below, you can find a series of high-level tips and reminders that your organization can leverage to ensure you are keeping cyber security in the forefront of your organization’s practices.
Eight Key Cyber Security Best Practices
Below are a few best practices to remind your organization of at any time, but especially in heightened threat scenarios.
- Enable Multi-Factor Authentication: Where possible, enable multi-factor authentication (MFA). MFA requires more than one way to prove you are who you say you are: something you know (a passcode), something you have (a phone or hardware key), or something you are (a fingerprint or face). If you have a modern phone, you are probably already using it: the phone checks your thumb or your face in addition to your passcode. Note that a security question is not a second factor; it is just another thing you know, and often something an attacker can look up. A one-time passcode from an authenticator app is a genuine second factor, and a hardware security key is better still because it cannot be phished the way a code typed into a fake login page can. Where it's available to you, use it.
- Be Vigilant: If an email, phone call or text message feels odd, it probably is, even if the sender appears to be a colleague, a friend, your bank, etc. If the language is abnormal, or the sender asks you for confidential information, do not engage. Instead, validate separately through a channel you already trust, such as the phone number printed on your bank card or a colleague's known number. Ensure your organization is aware of the various types of behavior to look out for:
- Phishing – Phishing is deception by email for malicious intent. The world of phishing has matured significantly since the days of emails from Nigerian princes. These days, phishing emails are incredibly difficult to detect. They replicate authentic brands, use seemingly legitimate URLs, and no longer rely on an obvious sense of urgency or outright requests for money. Phishing emails often fit right into the normal construct of an email you'd receive, so check the actual sender address and the real destination of each link (hover before clicking) rather than trusting the displayed name or brand.
- Vishing – Vishing uses phone calls or voicemails for a similar art of deception. Imagine that you get a phone call from your bank telling you there's been fraudulent activity on your account – that gets your attention, right? They then ask you to verify yourself before reviewing the activity – they ask for your social security number and address. That's all a malicious actor needs to compromise your information. A genuine bank will not ask you to read out those details on a call it initiated; hang up and call back on the number printed on your card. Vishing has been on the rise in recent years and is much more mature than a general spam call.
- Smishing – You’re probably seeing a theme here. Smishing uses SMS – or what those of us in the normal world know as texting – to conduct fraudulent activity.
- Do Not Reuse Passwords: Remember, it's likely that one of your passwords has been exposed in a breach at some point, and attackers replay leaked username and password pairs against other sites (credential stuffing), so one reused password can open every account that shares it. Use a password manager to keep a unique password for every site. Ensure your passwords are long and complex: against a fast hash on modern hardware, an 8-character all-lowercase password falls in minutes; 12 lowercase characters take weeks; adding uppercase letters, digits and symbols across the whole password pushes that to years. The exact figures depend on the attacker's hardware and on how the site hashes passwords, but the lesson holds: length matters most, and a single capital letter at a predictable position adds very little.
- Lock Your Devices: In this remote world, anyone with physical access to your computer could do something malicious on it, deliberately or by accident. All it takes is a child clicking a phishing link on your unlocked computer to infect it. Lock the screen whenever you step away, and set a short automatic lock timeout so you do not have to remember.
- Use Secure Wi-Fi: This applies when out and about and at home. Ensure the following to be safe:
- If you're in a place without a password-protected (WPA2 or WPA3) Wi-Fi network, use your phone's hot spot to access the internet, or ask whether there's another Wi-Fi network with a password. If you must use an open network, assume other users can see which sites you visit, and do not browse anywhere that you wouldn't want others to see.
- On your home Wi-Fi router, change both the default administrator password and the Wi-Fi passphrase to something personal and strong, and keep the router's firmware updated.
- Restrict Access: Every company holds data, and that data can be used against it. Data is incredibly valuable these days. The quickest and most efficient way to protect your data is least privilege: grant access only to the individuals who need it to do their job, and review those grants periodically so access is removed when a role changes.
- Train Your Staff – Be Security Aware! Your staff is your first line of defense against threats that could impact your company. Remember, 85% of breaches involve a human element (the figure reported in Verizon's 2021 Data Breach Investigations Report). Make sure your staff understands the threat landscape and how to protect themselves and your company from a breach. To start, we recommend annual security training in addition to ongoing education about phishing, vishing and smishing.
- Implement Security Policies if you don't already have them: Policies are critical to shaping a security posture and culture within your company. Policies set clear expectations of security practices and should be easily digestible by everyone in your organization. They can cover anything from password requirements to data management; make sure every expectation you set is measurable and enforceable.
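The one-time passcodes mentioned under multi-factor authentication above are usually HOTP/TOTP (RFC 4226 / RFC 6238): an HMAC over a counter or the current 30-second time step, truncated to six or eight digits. The following is an added example written for this page, not Blackbaud's code; it implements both the code generator and the server-side check, including the clock-drift window a real verifier needs. The secret `12345678901234567890` is the RFC 6238 reference test secret, not a real credential.

```python
"""Added example: HOTP/TOTP one-time passcodes (RFC 4226 / RFC 6238).

Constructed for this page; not Blackbaud's code. The secret used in __main__
is the RFC 6238 reference test secret, not a real credential."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)            # counter as 8-byte big-endian
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """Time-based variant (RFC 6238): HOTP over the number of elapsed time steps."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and up to
    `window` steps either side, so a phone whose clock is a few seconds off
    still works. hmac.compare_digest avoids leaking the match via timing."""
    current = now // step
    ok = False
    for c in range(current - window, current + window + 1):
        # no early return, so every step in the window costs the same time
        ok |= hmac.compare_digest(hotp(secret, c, digits).encode(), code.encode())
    return ok


def new_secret(nbytes: int = 20) -> str:
    """Fresh random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"        # RFC 6238 Appendix B test secret
    print(totp(rfc_secret, 59, digits=8))       # 94287082 (RFC 6238 test vector)
    print(totp(rfc_secret, int(time.time())))   # live 6-digit code for this secret
    print(new_secret())                         # a secret to enrol a new user
```

Two design points worth noting: a real verifier must also remember the last accepted counter and refuse a code once it has been used (replay), and the secret must be stored with the same care as a password hash, since anyone holding it can generate valid codes.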
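The time-to-crack figures in the password item above all rest on an assumed guess rate, and the example below makes that assumption explicit: it computes the keyspace and entropy for the page's password shapes, shows how much (or how little) a single capital letter buys, and generates unique random passwords with `secrets`. It is an added example for this page, not Blackbaud's code; the guess rate of ten billion per second is an assumed figure for a fast, unsalted hash on GPU hardware, not a measurement.

```python
"""Added example: how password length and alphabet size set a cracker's work,
and how to generate unique random passwords. Constructed for this page; not
Blackbaud's code. The guess rate is an assumption, not a measurement."""
import math
import secrets
import string

LOWER = string.ascii_lowercase                    # 26 symbols
MIXED = string.ascii_letters                      # 52
ALNUM = string.ascii_letters + string.digits      # 62
FULL = ALNUM + string.punctuation                 # 94

# Assumed attacker speed: ~10 billion guesses/second against a fast, unsalted
# hash on a GPU rig. A slow hash such as bcrypt cuts this by orders of
# magnitude, which is why published time-to-crack figures vary so widely.
ASSUMED_GUESSES_PER_SECOND = 1e10


def keyspace(length: int, alphabet: str) -> int:
    """Candidates an attacker must try to be certain of success (brute force)."""
    return len(alphabet) ** length


def keyspace_one_capital(length: int) -> int:
    """Lowercase password with exactly one capital at an unknown position:
    a cracker with a capitalisation rule does only `length` times more work."""
    return length * len(LOWER) ** length


def entropy_bits(length: int, alphabet: str) -> float:
    """Bits of entropy for a password drawn uniformly at random from alphabet."""
    return length * math.log2(len(alphabet))


def seconds_to_exhaust(length: int, alphabet: str,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole keyspace; expected time is half this."""
    return keyspace(length, alphabet) / rate


def describe(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def generate_password(length: int = 16, alphabet: str = FULL) -> str:
    """A uniformly random password; keep one per site in a password manager."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for length, alphabet, label in ((8, LOWER, "8 lowercase"),
                                    (12, LOWER, "12 lowercase"),
                                    (12, MIXED, "12 mixed case"),
                                    (16, FULL, "16 from full keyboard")):
        print(f"{label:24} {entropy_bits(length, alphabet):6.1f} bits  "
              f"{describe(seconds_to_exhaust(length, alphabet))}")
    gain = keyspace(12, MIXED) // keyspace(12, LOWER)
    print(f"mixed case at every position: {gain}x the work; "
          f"one capital somewhere: {keyspace_one_capital(12) // keyspace(12, LOWER)}x")
    print("example unique password:", generate_password())
```

The comparison at the end is the practical point: capitalising any of 12 positions multiplies the work by 4096, but a single capital that a cracker's rule set anticipates multiplies it by only 12, so adding length beats adding one token symbol.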
Other Cyber Security Resources
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has developed a program entitled "Shields Up" to assist organizations with preparation, response, and mitigation of potential cyber security threats. The program continually releases updated industry guidance that any organization can leverage to ensure appropriate protections are in place and to respond effectively in the event of an incident. For more information, please reference https://www.cisa.gov/shields-up .
Additionally, the below resources provide valuable information on creating a Cyber Security program within your organization:
For more information on Blackbaud’s Global Trust & Security Program, please also feel free to visit our website at www.blackbaud.com/security.