As nonprofits transition to a remote workforce during the COVID-19 pandemic, significant changes to the traditional IT systems at most organizations are afoot. Meetings have gone virtual, staff are using both work and personal devices, and nearly everyone is connecting to the Internet over home Wi-Fi networks. With all of this come new security concerns that nonprofits must keep in mind to keep their systems safe.
This post contains some important considerations for your nonprofit during these times, but they are also important no matter the circumstance. Much of this is drawn directly from our recent webinar, Keeping Your Nonprofit's Systems Secure While Working Remotely.
The webinar's one major takeaway was that security measures matter to organizations of all sizes, because attackers looking to capitalize on the current situation are hitting a wide range of targets indiscriminately. To that end, most of the solutions we point to here are relatively low-cost and can be implemented with little or no IT support.
We also encourage nonprofits to invest in the paid — not free — versions of any of these tools since these will be the most secure and effective in the long run.
And with that, let's focus on how to keep your nonprofit's systems safe during the COVID-19 pandemic.
One of the primary ways computers and systems are compromised is through fake emails that entice you to take an action such as clicking a link or downloading and opening an attachment (phishing). Other methods include fake online ads on social media and websites, and browser pop-ups that install malware when clicked (sometimes called malvertising or malware clickbait).
Phishing emails are designed to trick an unsuspecting person into handing over credentials or other sensitive information that gives the attacker access to both organizational and personal data. TechSoup and Tech Impact staff have been receiving phishing emails daily over the last several weeks.
Some are fairly obvious, like the one below:
If you look closely at the email above, there are a few things that suggest it is a phishing attempt. The first sign is that the email references Office 365 but does not come from either Microsoft or a legitimate company that offers Microsoft services.
The content itself is also suspicious: it contains typos and comes from an unfamiliar email address.
Others are sneakier, with the attacker posing as someone within your organization. In this case, the attacker set the sender's display name to that of an HR staff member and asked the recipient to click through to a "required" training.
Attackers use publicly available information, including your own nonprofit website, to find details that make the lure convincing, such as your email domain and the names of senior staff. The email above looks as though it comes from your HR manager, and that person's name may be spoofed in the From field as well as in the body of the email.
However, if you look at the actual From address rather than the name displayed next to it, you will notice that it does not belong to that person. Two caveats apply even to that check: the address itself can also be forged unless your domain publishes SPF, DKIM and DMARC records and your mail service enforces them, and a colleague's real account may itself have been compromised. So always be suspicious of an email from your CEO, HR, or anyone else that asks you to take an action of any kind, and confirm unusual requests through a separate channel such as a phone call. It can be a phishing attempt.
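The display-name check described above can be automated. The following is an added example written for this post, not code from TechSoup or the original article; it parses raw email headers with Python's standard `email` package and reports why a message should be treated as suspicious. The organization domain `example.org`, the staff directory, and the sample messages are all constructed for illustration (they are not real phishing emails).

```python
"""Flag spoofed senders by comparing the displayed name with the real address.

Added example, not code from the original post or from TechSoup. It parses
raw email headers with Python's standard `email` package and reports why a
message should be treated as suspicious. ORG_DOMAIN and STAFF are
hypothetical; the sample messages are constructed, not real phishing mail.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.org"                    # assumed organization domain
STAFF = {"Dana Lee": "dana.lee@example.org"}  # assumed directory: display name -> real address


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(raw_message):
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []

    # 1. The real address is what matters, not the name shown next to it.
    if _domain(addr) != ORG_DOMAIN:
        findings.append(f"From address {addr!r} is not on {ORG_DOMAIN}")

    # 2. A known colleague's name attached to a different address.
    if name in STAFF and STAFF[name].lower() != addr.lower():
        findings.append(f"display name {name!r} belongs to {STAFF[name]}, not {addr}")

    # 3. Replies quietly redirected to another mailbox.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(f"Reply-To {reply_to!r} goes to a different domain than From")

    # 4. The receiving mail server's own verdict (SPF/DKIM/DMARC), if it recorded one.
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        findings.append("receiving server reported SPF/DMARC failure")

    return findings


# Constructed samples (hypothetical addresses, no real messages).
SAMPLES = {
    "legit": (
        "From: Dana Lee <dana.lee@example.org>\n"
        "Subject: Q2 budget\n\nPlease review the attached draft.\n"
    ),
    "spoofed_name": (
        "From: Dana Lee <hr-training@example-mail.com>\n"
        "Subject: Required training\n\nClick here to complete your training.\n"
    ),
    "lookalike_domain": (
        "From: Dana Lee <dana.lee@exarnple.org>\n"  # 'rn' in place of 'm'
        "Subject: Payroll update\n\nUpdate your direct deposit details.\n"
    ),
    "forged_from": (
        "From: Dana Lee <dana.lee@example.org>\n"
        "Reply-To: payroll@attacker-example.net\n"
        "Authentication-Results: mx.example.org; dmarc=fail header.from=example.org\n"
        "Subject: Urgent\n\nReply with your W-2.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_sender(raw) or ["ok"])
```

The fourth sample shows why the From address alone is not enough: it is on the right domain and carries the right name, and only the mismatched Reply-To and the receiving server's DMARC verdict give it away. Mail services expose the Authentication-Results header in the "show original" or "view source" view of a message.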
There are many COVID-19-related phishing and other types of scams out there right now, trying to get you to provide access to sensitive data or separate you from your money.
App scams: Scammers are also creating and manipulating mobile apps designed to track the spread of COVID-19 to insert malware that will compromise users' devices and personal information.
Charity scams: Scammers are soliciting donations for individuals, groups, and areas affected by COVID-19.
Treatment scams: Scammers are offering to sell fake cures, vaccines, and advice on unproven treatments for COVID-19. Scammers are also posing as national and global health authorities, including the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC), tricking recipients into downloading malware or providing personal identifying and financial information.
Supply scams: Scammers are creating fake shops, websites, social media accounts, and email addresses claiming to sell medical supplies currently in high demand, such as surgical masks. When consumers attempt to purchase supplies through these channels, fraudsters pocket the money and never provide the promised supplies.
Provider scams: Scammers are also contacting people by phone and email, pretending to be doctors and hospitals that have treated a friend or relative for COVID-19 and demanding payment for that treatment.
Investment scams: Scammers are offering online promotions on various platforms, including social media, claiming that the products or services of publicly traded companies can prevent, detect, or cure COVID-19, and that the stock of these companies will dramatically increase in value as a result.
COVID-19-specific scams: There is a lot of phishing activity related to COVID-19 that asks people to provide information in order to access benefits or information. These are examples highlighted by KnowBe4:
The best way to protect yourself and your organization against phishing threats is to train your staff to be aware that they exist and to know how to spot and report them as they come in.
One great way to do this is to have staff take an online security awareness course, for example on the KnowBe4 platform (more on this below). Remember, it is always better to err on the side of caution and treat all email as potentially dangerous.
Cybersecurity researchers have identified several fake COVID-19 tracker maps like the one below that infect people's computers with embedded malicious code when you click on the image to open it. The tactic is one of many ways hackers and scammers are capitalizing on people's fears about COVID-19 to spread malware.
In general, never click an image in an ad or email or follow a link unless you have verified that it is legitimate. Recognizing and trusting the sender makes an image or attachment safer, not automatically safe, because a trusted colleague's account can itself be compromised. The same applies to websites: read the URL carefully before you click, check that the domain really belongs to the organization rather than a lookalike, and check that the connection is secure (HTTPS) with a valid certificate.
You can inspect the certificate by clicking the lock symbol next to the URL. Two cautions apply. A valid certificate only tells you that your connection to the domain shown is encrypted; it says nothing about whether the site is trustworthy, and phishing sites routinely obtain valid certificates. Conversely, a broken or crossed-out lock means the browser could not verify the certificate or the connection, which is reason enough to stop, but it is not by itself an indication that the site contains malware.
Given the multitude of threats that exist, you may be overwhelmed by the prospect of protecting yourself against hackers while doing your best to keep everything else at your organization up and running. But there are a number of measures you can take to greatly improve your IT security.
Best Practices to Follow
Here are some simple best practices to keep in mind, regardless of whether you have a remote workforce or you've returned to your office:
It's always better to use devices managed by your organization. But in the event your staff must use personal computers while working from home, here are some tips on how to better secure personal computers and home networks, including using a VPN or remote desktop (or both — more on that in a bit).
Ensure that all available updates are applied to all applications running on that computer, including
Also be sure that you are running a fully up-to-date antivirus product and that it is scheduled to scan your device regularly. For Microsoft 365 and Office 365 users, the built-in Windows Defender antivirus or Microsoft Defender Advanced Threat Protection (ATP) are good options.
Other strong antivirus products, including those from Bitdefender and NortonLifeLock, also provide excellent protection against malware and other threats. All of these are available through TechSoup.
Home Network Security
There are a few simple steps you can take to better secure your home Wi-Fi network:
Here are a few more actions to consider that will keep your organization more secure. Again, these aren't just security measures to implement during this crisis — they're widely adopted practices that you should consider no matter the circumstance.
VPNs and remote desktop clients are advanced security measures that you should seriously consider using. However, it should be noted that each of these should only be implemented by an IT professional.
Organizations use a VPN so that remote employees can securely reach resources behind the organization's firewall. Importantly, it also encrypts all traffic between your computer and the VPN gateway, so someone on your home network or a shared Wi-Fi network cannot read or tamper with it. This adds a layer of protection even when you are not accessing your organization's information systems directly; beyond the gateway, though, traffic is protected only by the protocol in use (for example HTTPS), so the VPN is no substitute for checking that the sites you visit are secure.
TechSoup offers Cisco Meraki security appliances that let you set up VPNs.
Organizations can also provide access to desktops in the office using a remote desktop client (RDC). RDC software allows a user to log in remotely to another desktop system to access on-premises applications on office computers. Nonprofits often have accounting software like QuickBooks, client management systems, or donor databases installed on computers in the office. Examples of RDC software include
Note: Do not use any of the free remote desktop clients that you can find on the Internet. These can pose a security risk.
It is very important to set up remote desktop access only under the guidance of your IT department, because the configuration must be done correctly. In all cases, the remote desktop service must sit behind a firewall and be reachable only over the VPN; never expose it directly to the Internet (Windows Remote Desktop listens on TCP port 3389 by default, and that port is one of the most frequently scanned). An exposed remote desktop service is a standing vulnerability in your network, because attackers continuously scan for such services and brute-force their logins. This is particularly true in times like these, when attackers are in overdrive looking for openings. Require strong, unique passwords for remote logins and, where your software supports it, multifactor authentication.
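The rule in the paragraph above, that remote desktop must be reachable only from the VPN, can be checked against your firewall's inbound rules. The following is an added example written for this post, not code from TechSoup, Cisco Meraki, or any firewall vendor: it audits a constructed, vendor-neutral rule list and reports every allow rule that lets a remote-access port be reached from outside the VPN address pool. The VPN pool `10.8.0.0/24`, the rule names, and the addresses are all hypothetical.

```python
"""Audit firewall rules for remote-desktop services reachable outside the VPN.

Added example, not code from the original post or from any firewall vendor.
The post's rule is that remote desktop must sit behind a firewall and be used
only over the VPN; this expresses that rule as a check over a constructed,
vendor-neutral rule list. The VPN pool and the rules are hypothetical.
"""
import ipaddress

# Default ports of common remote-access services.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 22: "SSH"}

# Assumed address pool handed out to VPN clients (hypothetical).
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")

# Constructed inbound rules: each allows or denies a source network to a destination port.
RULES = [
    {"name": "rdp-from-anywhere", "action": "allow", "src": "0.0.0.0/0",      "dport": 3389},
    {"name": "rdp-from-vpn",      "action": "allow", "src": "10.8.0.0/24",    "dport": 3389},
    {"name": "vnc-from-home-ip",  "action": "allow", "src": "203.0.113.7/32", "dport": 5900},
    {"name": "web",               "action": "allow", "src": "0.0.0.0/0",      "dport": 443},
    {"name": "deny-rest",         "action": "deny",  "src": "0.0.0.0/0",      "dport": None},
]


def exposed_remote_access(rules, vpn_pool=VPN_POOL):
    """Return (rule name, reason) for every allow rule that lets a remote-access
    port be reached from somewhere other than the VPN pool.

    Simplification: each allow rule is inspected on its own. A real firewall
    evaluates rules in order, so a deny placed above an allow would shadow it;
    this check deliberately errs on the side of reporting.
    """
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["dport"] not in REMOTE_ACCESS_PORTS:
            continue
        service = REMOTE_ACCESS_PORTS[rule["dport"]]
        src = ipaddress.ip_network(rule["src"], strict=False)
        if src.version == vpn_pool.version and src.subnet_of(vpn_pool):
            continue  # VPN clients only: this is the intended setup
        if src.prefixlen == 0:
            reason = f"{service} open to the entire Internet"
        else:
            # Even a single home IP bypasses the VPN and its authentication.
            reason = f"{service} reachable from {src} without the VPN"
        findings.append((rule["name"], reason))
    return findings


if __name__ == "__main__":
    for name, reason in exposed_remote_access(RULES):
        print(f"{name}: {reason}")
```

Note that the rule allowing VNC from a single home IP address is still reported: a fixed allowlist entry bypasses the VPN's authentication and encryption, and home addresses change. The only inbound rule for these ports that passes is the one scoped to the VPN pool.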
All of the above is valuable information that should be shared with your staff, and implementing these solutions alone will increase your organization's IT security a great deal. But because human error can undo even the best security setups, the next step to truly protecting your nonprofit is to implement formal cybersecurity training.
KnowBe4 Security Awareness Training is offered to nonprofits at discounted rates via the TechSoup catalog. (Full disclosure: TechSoup uses this platform, and all of our staff were put through a refresher training as we transitioned to remote work in early March.)
The platform provides numerous online training modules, from introductory IT security basics to more advanced topics that might better fit an organization's specific needs. All sessions are extremely interactive and are geared toward changing employees' online behavior in order to promote better cybersecurity.
We hope that all of this has given you and your organization some clarity and direction as to what can be done to keep your systems safe during these difficult times. If you have any tips you'd like to share or questions you'd like to pose to the community, be sure to check out TechSoup's COVID-19 forum.
It's full of useful information, and it's a great way to connect with other organizations like yours.
Originally published as "Keeping Your Nonprofit's Systems Secure During the COVID-19 Pandemic" with the Creative Commons Attribution 4.0 International license.