Nonprofit organizations face a constantly evolving set of potential threats, from data security breaches to downtime from unexpected events. October is Cybersecurity Awareness Month, so it’s an excellent time to focus on protecting your organization from cyber threats. In this article, we provide 10 actionable steps that any organization can take to improve its cybersecurity and protect sensitive data and systems from cyber threats.
- Establish a cybersecurity culture: Create a culture of cybersecurity awareness within your organization by providing regular training to employees on how to identify and respond to cyber threats. Security awareness training helps ensure that all employees understand the importance of cybersecurity and are equipped with the knowledge and skills needed to protect sensitive data and systems. Encourage employees to report any suspicious activity or potential threats they encounter.
- Implement multi-factor authentication: Require multi-factor authentication for all employees accessing sensitive data or systems. Multi-factor authentication adds an extra layer of security by requiring users to present two or more forms of identification before access is granted, so a stolen password alone is not enough to get in.
- Encrypt sensitive data: Encrypting sensitive data is like putting it in a secret code to keep it safe from people who shouldn’t see it. Data needs this protection in two states: when it is “at rest” (stored on a device or server) and when it is “in transit” (being sent between devices or servers). By encrypting sensitive data both at rest and in transit, you can help ensure that it remains secure and confidential.
- Conduct regular vulnerability assessments: Conduct regular vulnerability assessments of your organization’s systems and applications so that security weaknesses are found and fixed before cybercriminals can exploit them.
- Implement intrusion detection and prevention systems: Intrusion detection and prevention systems monitor network traffic for signs of suspicious activity and can block it automatically, helping you detect and stop cyber attacks in progress.
- Establish an incident response plan: An incident response plan is a document that outlines the specific procedures and steps that should be taken to ensure minimal impact from a cyber attack. It’s important to establish an incident response plan that is tailored to your organization’s specific needs and risks. The plan should outline the roles and responsibilities of everyone involved in the response effort, including IT staff, security personnel, and management. It should also include a communication plan that outlines how information will be shared during an incident, both internally and externally. Establishing an incident response plan can help ensure your organization is prepared to respond quickly and effectively to cyber attacks.
- Back up your data: Perform daily (automatic if possible) backups of important business data and information and store copies either offsite or in the cloud. Critical data includes digital documents, spreadsheets, databases, financial files, human resources files, accounts receivable/payable files, and applications.
- Implement network segmentation: Implement network segmentation to limit the impact of a cyber attack on your organization’s systems. Network segmentation is the process of dividing a computer network into smaller subnetworks, each with its own security measures.
- Implement email security controls: Implement email security controls to prevent phishing attacks and other email-based cyber threats by blocking suspicious emails and attachments.
- Stay current on the latest threats: Stay current on the latest cyber threats by subscribing to industry newsletters, attending conferences, and participating in other cybersecurity-related events.
Get Support: It can feel daunting if your organization is small and lacks dedicated IT staff or security personnel. Stay aware and seek out expertise as you are able. Consider outsourcing your IT and security needs to a third-party provider who can assist you.
Further Reading: There are a lot of resources out there to help guide you and your organization as you navigate this increasingly complex space. Below are a few to get you started:
- Cybersecurity & Infrastructure Security Agency (CISA): Cyber Guidance for Small Businesses
- Forbes Technology Council: Small-Business Cybersecurity: 20 Effective Tips From Tech Experts
- U.S. Small Business Administration: Strengthen your Cybersecurity
- Subscribe to cybersecurity newsletters, like these popular options from SANS Cybersecurity.