Amidst trying to operate in a pandemic, the impact of inflation, and budgets that are stretched to their limits, not-for-profits are now faced with a new and terrifying reality: they are squarely in the crosshairs of cybercriminals looking for their next victim. To drive home the point that these organizations are being relentlessly targeted, the following list consists of just a fraction of the recent not-for-profit cyber casualties:

• Partnership HealthPlan of California (PHC) confirmed that the protected health information (PHI) of more than 850,000 current and former health plan members has potentially been stolen.
• The International Committee of the Red Cross (ICRC) revealed that cybercriminals stole data on more than a half million "highly vulnerable people."
• Goodwill disclosed a data breach where customers of its ShopGoodwill.com e-commerce auction platform may have had their personal contact information exposed due to a site vulnerability.
• Kaiser Permanente suffered an email compromise that may have exposed the medical records of nearly 70,000 patients.

Not-for-profit organizations are often a beacon of hope as they provide critically important services to countless recipients every day, making these attacks exponentially more tragic. The cold hard fact is that cybercriminals are unsympathetic to the missions of their victims and are focused solely on profit, regardless of how much pain their assaults may cause. In order to fight back against these cybercriminals, not-for-profits need to bolster their cyber defenses and follow best practices to reduce the chance of a successful attack. The following cost-effective solutions are examples of what an organization can do to proactively fortify their cyber defenses and increase their chances of remaining safe and secure.

• Cybersecurity Risk Assessments
  • If you don’t know what data and assets you have or how well they are being defended, it is virtually impossible to protect your business from cyberattacks. Completing a cybersecurity risk assessment will help you identify your most critical systems and data, recognize and prioritize gaps, and build a roadmap to a safer and more secure environment.
• Security Awareness Training
  • Since the genesis of over 91% of data breaches is a spear phishing attack, it is imperative to train employees to identify and avoid this threat. Every employee, including those being newly onboarded, should be provided with the training needed to recognize and avoid these attacks.
• Spear Phishing Simulations
  • Once you have established a cybersecurity awareness training program, it’s critically important to incorporate a “trust but verify” approach. The best verification method to ensure all employees can identify spear phishing emails is to simulate these types of attacks. These simulations will reinforce the training concepts and identify those employees that need additional guidance.
• Establish Patching Protocols
  • A misconfigured network device or missing security patch can open the door for cybercriminals to enter your business. For servers, workstations, hardware devices, and applications, establish protocols to execute security updates and patches on a regular basis so that vulnerabilities are addressed before an actual attacker can leverage them.
• Resilience
  • Since an attack may occur regardless of the defenses that are put in place, an organization has to plan for a worst-case scenario. The creation and subsequent testing of disaster recovery and incident response plans is an excellent way to accelerate the response and recovery process while minimizing the damage caused by a cyberattack. In addition to developing these plans, acquiring a cyber insurance policy to help blunt the many costs associated with a cyberattack is critically important.

How We Can Help

For more information on securing your NFP organization, contact Kevin Ricci at kricci@citrincooperman.com or your Citrin Cooperman Not-For-Profit Practice advisor.