Malicious actors are changing tactics, targeting personally identifiable information (PII) that is often easy to steal and lucrative to sell. Consider the recent email marketing breach in which 809 million PII-containing records were exposed. Nonprofit organizations, historically overlooked by attackers, are now viewed as lucrative targets: because many lack robust security controls and strategies, the donor and patron PII they hold offers high value at low risk to an attacker. At HALOCK Security Labs, we are committed to deploying cyber security for nonprofit organizations that both reduces total risk and strengthens long-term defense. Here is how our team can help.
The Nonprofit Cyber Security Problem
Nonprofits often struggle with cyber security. According to recent survey data, almost 70% of respondents had no documented policies and procedures in place for responding to cyberattacks, even though 37% had discovered unauthorized applications on their network, and a further 20% did not know whether their network had been compromised by unapproved applications. This leaves a gap between the protection nonprofits are expected to provide and the controls they actually have in place. Organizations know they need to better protect donor and patron information, but often lack the IT expertise and infrastructure required. Managing the sensitive data held by charities, endowments, foundations, trusts, associations, and other NPOs requires specialized security strategies.
Better Cyber Security for Nonprofits
Improving cyber security for nonprofits is often made harder because they lack the time and resources to staff a full-time, dedicated IT team. HALOCK can help nonprofits meet this challenge with services such as:
- Security Engineering: Complexity can sidetrack cyber security for nonprofit organizations; the wide array of IT products and services now available makes it hard to identify the right mix of on-premise and cloud-based security controls. HALOCK's security engineering services, including security architecture reviews, threat monitoring, and sensitive data scanning, help nonprofits find the InfoSec fit for their environment. Continuous review of your threat landscape, through a managed detection and response (MDR) program or a threat hunting program, is a best practice for your sector.
- Compliance Management: PII handling, storage and security are now governed by multiple, and evolving, pieces of legislation such as GDPR, HIPAA and state-specific acts. PCI DSS v4.0 has been released, and any organization that stores, processes or transmits cardholder data must meet its new requirements. Protect your members' and patrons' sensitive information and assess your compliance. Our experts help nonprofits identify which regulations apply to them and ensure they are prepared to meet them.
- Penetration Testing: If nonprofit cyber security fails, investigating agencies will look for evidence of "due diligence" in protecting PII. HALOCK's penetration testing services search for vulnerabilities and recommend countermeasures to boost cyber security for nonprofits. Services include external and internal network, wireless, web application, social engineering, and remediation verification penetration testing. A single annual test only shows what was exploitable on that day; consider a recurring penetration testing program that assesses your safeguards throughout the year for a proactive security approach.
- Workforce Recruiting: If you’re looking for in-house IT talent, the specialized nature of many security roles combined with the competitiveness of the InfoSec job market makes this a challenge for nonprofit cyber security. HALOCK can help define critical job roles and provide access to skilled candidates who aren’t available on job boards.
- Incident Response: When a breach does occur, you need to address the attack immediately, contain it and remediate the threat. A trusted, expert incident response team that can stop the attack, fix the damage and maintain an ongoing incident response plan (IRP) helps keep your data secure and improves overall cyber security for nonprofits. HALOCK's incident response management, process and planning provide comprehensive coverage in the event of a security breach, including forensic analysis. An ongoing program gets in front of potential threats before they become incidents; with an Incident Response Readiness as a Service (IRRaaS) program you can be response ready before an attack occurs.
- Third Party Risk Management (TPRM)/Vendor Risk Management: Ensure third-party partners are aligned with your organization's risk controls. Vendors and contractors serve as an extension of your organization; they represent you and should operate under your business requirements. A recent Panorays study found that 41% of organizations were not sure whether their suppliers had been out of compliance in the past year, and that half of respondents listed third party risk among the top five items in their risk register and expected it to increase. Conducting a supplier risk assessment before onboarding a vendor, and repeating it periodically, keeps your vendors aligned with your security posture. HALOCK can help build and manage a third party risk management program tailored to your nonprofit's environment.
- Risk Assessments: Regulations require that your safeguards be reasonable relative to the risk your organization poses to itself, its customers and its partners. With many frameworks available, how do you establish your acceptable level of risk? The Duty of Care Risk Assessment (DoCRA) standard helps you define a balanced security strategy that weighs compliance obligations and safeguards against your specific business and objectives.
- Risk Management Program: Get the industry knowledge you need to prioritize and optimize security investments while staying compliant. Establish a defensible risk and security approach. An ongoing risk management program provides continuous maintenance of, and insight into, your risk profile and how to enhance your security.
- Privacy: CCPA is the most sweeping legislation to date in the U.S. concerning the protection of personal information, and it affects cyber security for nonprofits. It broadens the definition of what constitutes personal information and gives California residents greater control over what companies can do with their personal data, including the right to opt out of the sale or sharing of their personal information. Note that CCPA's obligations fall on for-profit "businesses"; a nonprofit is generally outside its direct scope unless it is controlled by, and shares branding with, a covered business, but other states' privacy laws and your own commitments to donors may still apply. Understand the impact these requirements have on your organization, and implement a recurring Sensitive Data Scanning as a Service (SDSaaS) program so you know where personal data actually resides.
- Cyber Security Awareness Training: With many employees now working remotely, they are prime targets for phishing and other social engineering attacks. Ensure they understand the threats they are likely to face and the practices that prevent attacks on your data. Security awareness training provides guidance on how to recognize suspicious activity and what to do in the event of a security incident.
“We have always had a good experience with HALOCK. Whether a planned project, or incident emergency.”
– Non-profit association
Finding the Balance With HALOCK
Effective nonprofit cyber security requires organizations to balance data protection against organizational performance. If staff cannot easily access donor information to drive new pledges, campaign goals may go unmet; if unpatched security holes let attackers through the gate, the nonprofit may face serious legal and regulatory consequences. That is why we created the concept of purpose-driven security: tools and teams designed around your specific issues without impacting productivity. For nonprofits, this means applying just the right amount of security engineering, using compliance management and penetration testing to meet regulatory requirements, and drawing on our workforce recruitment services so that critical assets and network processes stay protected. Cyber security for nonprofits is essential to defend PII and keep operations running smoothly. HALOCK can help; let's talk.
Reasonable Security is Now Defined
The Sedona Conference, an influential think tank that advises attorneys, regulators, and judges on challenging technical matters, has just released its Commentary on a Reasonable Security Test. The Commentary is the first document of its kind to give the legal community a clear definition of what makes a security control "reasonable".