Cybersecurity is a topic that has become more and more visible to nonprofits in the years since we started this report in 2019, although there are still too many nonprofit leaders who consider cybersecurity “something the IT department does.” Security should be the goal of everyone at your organization, and this year’s Incident Report makes that clear. We hope to also make it clear that attending to a few basics – many low-cost, or using free tools, or existing security features of platforms and subscriptions you already pay for – goes a long way toward protecting your entire nonprofit.
In 2021, the responses to COVID, including remote work, shifted from a temporary solution to a new permanent environment of hybrid, in-person, and at-home workers needing IT support. With staff working from home, we saw a continuing increase in the volume of targeted spear phishing emails.
The transition to working from home has also increased security risks, as more personal devices are used to access work resources, and more remote workers may attempt to work around security requirements when the security barriers don’t align with their access needs.
Happily, we saw many organizations implementing and requiring Multi-Factor Authentication (MFA) on all logins or moving to Single Sign-On where possible. In fact, the only nonprofits in our network to suffer account compromise had not required MFA on the accounts that were exploited, showing the strength of this fairly simple and low-cost deterrent.
We can also report evidence that frequent, robust, “micro” training for all staff in identifying and responding to basic-level attempts to infiltrate your IT systems lowers the success rate of these attempts at fraud. While there is some research showing that watching an annual security video has little effect on staff practices, peer-to-peer and gamified micro-training programs do increase awareness and activate an attitude of healthy skepticism that can counter increasingly sophisticated wire fraud scams.