Cybersecurity Tech Tips for NFPs

MFA Everything
Multi-Factor Authentication (MFA) protects your IT resources by using an additional check on the login process for your data and services.  MFA requires two or more factors before granting access, verifying what you know, what you have, or who you are. The ‘what you know’ factor is usually your password (more on that later). ‘What you have’ can be a security device or mobile phone, and ‘who you are’ is often verified through biometrics. By requiring a second verification factor, your organization fortifies its defense against the vulnerabilities of weak or compromised passwords.  Requiring MFA for any remotely accessible resources is a recommended practice. Additionally, consider requiring Single Sign-On when possible to reduce the number of MFA accounts and methods your users need to manage.

Cybersecurity Training

According to Coalition, the leading cyber insurance provider, phishing remains the top attack technique across all their reported claims. It is frequently the initial vector that provides a foothold for attackers to commit funds transfer fraud or deploy ransomware.  A single successful phishing attack can trigger a waterfall effect, enabling attackers to use a compromised email account to send targeted phishing emails to the account owner’s contacts.

By providing ongoing and up-to-date Cybersecurity awareness training, your user base will develop a healthy skepticism and start asking themselves the right questions before clicking links or opening attachments. We recommend you look for the following trainings when evaluating cyber security awareness training vendors:

• Content: Make sure the training courses they offer are up-to-date, engaging, and tailored to the recipients. Many vendors provide content for specific roles, departments, and even generations. Determine whether your team would benefit more from formal, annual training or from bite-sized, regularly provided training modules.
• Testing: Most vendors offer some form of training through simulated phishing attacks. By sending your users fake phishing emails, you can identify those who need additional training, and to which attack vectors users are most susceptible.  A strong testing program will automatically enroll employees who fail a phishing test into a relevant remedial training course.

Password Management
Password management software lets your team generate, store, and share credentials securely. By using a password manager, you only must remember one strong master password, and then you can have a uniquely generated, strong password for every login you utilize. Most password managers have browser add-ins, mobile apps, and desktop applications you can utilize to access all your credentials. Business-level accounts will allow your team to share passwords securely, and some enterprise offerings will even allow you to reset your user’s master passwords. It is a good idea to turn on MFA as soon as you set up your password management account.

Bonus Round: Discount Software for NFPs

TechSoup.org offers deep discounts on top-tier software and computing hardware to eligible 501(c)(3) nonprofit organizations.  If you are not currently taking advantage of their offerings and your organization is qualified, this should be a top priority. Some examples are a Microsoft E3 subscription for $9/user vs the retail rate of $36/user.