For many nonprofits, staying informed of cybersecurity threats, and prioritizing their response to them, can be a challenge. This is especially true given that the threat landscape is constantly evolving.
Those involved in the hacking world continually find new ways around our traditional defenses. Staying on top of trends and threats is therefore an important aspect of any risk management strategy, and essential where cybersecurity is concerned.
As we read news headlines about significant cyber incidents that expose private data or compromise critical infrastructure, it can be difficult to sort out what may or may not impact your organization and whether to be concerned regarding the safety of your data or your constituents.
The recent cyberattacks on the Colonial Pipeline and other parts of our critical infrastructure are just more reminders of the importance of maintaining an ear close to the tracks in the area of cybersecurity trends.
This short blog post is intended to highlight some useful resources to help nonprofits stay on top of threats. The better we understand emerging trends and patterns, the more equipped we are to be able to defend our resources and minimize risk.
The CVE system (Common Vulnerabilities and Exposures) was designed to help organize the process of identifying vulnerabilities. It is a standards-based system maintained by the National Cybersecurity Federally Funded Research Center, with support from NIST (the National Institute of Standards and Technology).
As vulnerabilities are detected in commercial software, they are cataloged by this organization and identified using the CVE naming convention. This helps with public awareness and industry response to the discovered vulnerability, and in turn, helps with identification and remediation efforts.
It is imperative that organizations subscribe to the National Cyber Awareness System bulletins from the Cybersecurity and Infrastructure Security Agency to get updates and alerts when vulnerabilities are identified.
When you review the notices provided by the US-CERT (Computer Emergency Response Team) system, determine whether each alert applies to your organization by correlating the affected products listed in the alert with your own inventory of applications.
Be sure to check which versions of those products the CVE lists as affected, and prioritize updating the affected systems based on the severity noted in the bulletin.
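The correlation step described above, as an added example that is not part of the original post: a small script that matches bulletin entries against an application inventory, compares installed versions with the fixed version, and orders the results by severity. The advisories, product names, hosts, and CVE identifiers below are constructed placeholders, not real bulletins.

```python
"""Match constructed CVE bulletin entries against a software inventory."""
from dataclasses import dataclass

# Rank used to put the most severe findings first
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(v: str) -> tuple:
    """Turn '4.2.10' into (4, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    cve_id: str          # placeholder identifier, not a real CVE
    product: str
    fixed_in: str        # every version below this one is affected
    severity: str


@dataclass
class Asset:
    host: str
    product: str
    version: str


def affected_assets(advisories, inventory):
    """Return (advisory, asset) pairs whose installed version is below the
    fixed version, ordered by bulletin severity (critical first)."""
    hits = []
    for adv in advisories:
        fixed = parse_version(adv.fixed_in)
        for asset in inventory:
            if asset.product.lower() != adv.product.lower():
                continue  # product not mentioned in this advisory
            if parse_version(asset.version) < fixed:
                hits.append((adv, asset))
    return sorted(hits, key=lambda h: SEVERITY_RANK[h[0].severity], reverse=True)


# Constructed sample bulletin entries and inventory records
ADVISORIES = [
    Advisory("CVE-0000-0001", "ExampleMail Server", "2.4.0", "critical"),
    Advisory("CVE-0000-0002", "ExampleDB", "11.3", "medium"),
    Advisory("CVE-0000-0003", "ExampleVPN Gateway", "7.1.2", "high"),
]
INVENTORY = [
    Asset("mail01", "ExampleMail Server", "2.3.9"),
    Asset("db01", "ExampleDB", "11.3"),      # already at the fixed version
    Asset("vpn01", "ExampleVPN Gateway", "7.0.0"),
    Asset("web01", "ExampleWeb", "1.0"),     # not covered by any advisory
]

if __name__ == "__main__":
    for adv, asset in affected_assets(ADVISORIES, INVENTORY):
        print(f"{adv.severity.upper():8} {adv.cve_id} {asset.host} runs "
              f"{asset.product} {asset.version} (fixed in {adv.fixed_in})")
```

Numeric version comparison matters: a plain string comparison would treat "2.10" as lower than "2.9" and silently miss an affected system.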
In addition to the previous guidance provided by the National Cyber Awareness System, there are other online resources. Security professionals, journals, and vendors of cybersecurity software or services address current issues, including emerging threats or trends.
Both Google and Microsoft update their security-related blogs frequently and are a great resource even if your organization does not use these platforms. Security-focused firms that have excellent technical coverage of cyberthreats include Volexity, Rapid7, and Trend Micro.
KrebsOnSecurity is a very well-known and respected leader in journalistic coverage of cybersecurity. Zero Day, from the journal ZDNet, and Threatpost are other excellent online resources for staying informed about the cybersecurity threat landscape.
There are other resources online that are focused on providing more in-depth analysis specifically for those working in the cybersecurity field. AlienVault, which leverages the Open Threat Exchange (OTX) framework to assess real-time threats, is a particularly well-respected destination.
Regardless of the size of your organization or its IT budget and resources, implementing and maintaining security solutions is a critical aspect of reducing your organization's risk. You must also ensure that your staff is well trained to recognize threats.
Veritas, a backup and recovery tool, provides your organization with a final layer of protection.
And because even the best system is vulnerable to human error, make sure your staff is well trained to recognize phishing emails and other methods to hack into your systems. Our KnowBe4 cybersecurity and compliance training service both educates staff members and tests them with simulated phishing attacks.
For a great general overview of how to protect your organization, TechSoup Courses offers a Cybersecurity Bundle that gives concrete advice on how to protect yourself and your ability to serve your constituents.
Written by: Michael Enos, Senior Director of Community and Platform