For all too long, nonprofits believed they were somewhat immune to cyberattacks. In recent years, that has changed dramatically as cybercrime has become far more prevalent and criminals are going after the easiest prey, which unfortunately, in many cases, are nonprofits.
Why? Let’s begin by looking at the scale of attacks. Threat actors are now attacking every 39 seconds, on average 2,244 times a day, according to research from the University of Maryland. How are they attacking? While there are always new and emerging threats, the old tried and true methods remain the most prevalent. An astonishing 94% of malware is delivered by email phishing scams, according to research from Verizon. Couple that with some statistics that say that only 26% of nonprofits actively monitor their networks for threats and 59% don’t provide any cybersecurity training to staff, and you can see where criminals are seeing opportunities.
Many of the reasons behind the lag are completely understandable. Since nonprofits are judged on how much of their operating budgets go to mission, spending on even necessary operating expenses like cybersecurity has been frowned on. Couple that with tight budgets, fundraising issues emerging from COVID, and a general lack of technical expertise, and it’s easy to see where nonprofits fall short. Oftentimes, networks and technology are cobbled together at nonprofits, which while easier on current budgets, also leaves the door wide open for cybercriminals.
So how can nonprofits cope? By focusing on the things that return the greatest results. Of course, you’ll want to update firewalls, install antivirus and antimalware, and test for weaknesses. Yet since employees who open the malware are often the biggest breach, cybersecurity training for employees is one of the most effective (and cost-effective) tools nonprofits have at their disposal. How do you train effectively? In this blog, we’ll walk through some basics to help turn your employees into your first line of defense.
Cybersecurity Awareness Is Key to Prevention
More is Better when it Comes to Cybersecurity Training
Your employees can’t protect you from cyber threats if they don’t know what to look for. That’s why regular training that includes the latest forms of cyberattacks and scams, what to watch out for, and how to properly avoid them, is critical. Since threats are continually evolving, your training should as well. You should refresh training on a regular basis, incorporating stories in the news, data from organizations that track cybercrime, and anecdotal evidence of things you and your colleagues have personally had to navigate.
Nonprofit organizations should hold cybersecurity training a minimum of once a year, but increased frequency can lead to better results and more informed staff.
Organizations that hold quarterly or even monthly training give their employees more information, create a proactive culture within their organization, and can create shorter training flights that are more effective than longer training sessions because they hold employee attention better.
While you can customize your cybersecurity training to fit your organization’s specific needs, there are several topics that we believe you should always include:
- Types of cybersecurity threats: Cyberattacks are evolving, with new threats continually emerging. To maximize the benefits of your employee training, it should include the most popular types of attacks so that your employees understand the real hazards they will face. Phishing, malware, ransomware, spam, and social engineering are just a few of the topics your training should be covering. Real-world examples from your organization or other similar ones can help them understand what threats are likely to look like. If you don’t have current examples, find some common phishing emails online and present them to your employees so they can be aware of what to look for.
- Why secure passwords are critical: Of course, we all understand how critical passwords are for security, but we are also all human. If they don’t understand the consequences of poor password habits, employees are likely to revert to using an easily breakable password like a birthday or a child’s name. To combat this, train often on the importance of password security, establish a password policy, and give them the password management tools they need to make it easier to store and recall complex passwords.
- The importance of updates: Nothing makes employees groan like seeing the spinning circle on their laptop that says updates in progress. It’s only natural that employees who are crushed for time won’t want to take time away from their “real” work to update software. Yet those software updates often contain critical security patches that can mean the difference between keeping you safe and leaving the door wide open for criminals. Train your employees that they should always update software across all devices they use. While you can alleviate some of the stress by having your internal or outsourced IT team do this for them, it is particularly critical for any remote employees who have more responsibility for personal devices that they use for work purposes.
- Reporting cybersecurity threats and chain of command: Creating an open and transparent atmosphere around reporting cyber threats is essential. Since time is critical in a cyberattack, employees can’t be afraid to question the authenticity of an email or fear reprisals if they mistakenly click on something they shouldn’t. Likewise, if they receive what they think might be a phishing email, they should know exactly who to contact and how to report it. Knowing what’s happening in real-time allows your cybersecurity team to stop incoming threats and devise appropriate means to prevent them in the future.
Start Cybersecurity Training at Orientation
To ensure that new employees understand and embrace your technology policies and cybersecurity awareness, immediately train all incoming employees on your practices and protocols. All new hires should understand that your organization has a cybersecurity plan and how they fit into it. If you include cybersecurity materials with other onboarding training, you’ll ensure that they understand this from day one.
Test and Test Again
The only way that you’ll know if your training has worked as you intended is to put your employees to the test. Test them, review the result, and then implement new training or review based on those results. What kind of tests should you be conducting? A phishing test is one of the easiest for your IT team to tackle. They should send a fake phishing email to all employees and then record how many employees opened it, clicked the link, downloaded a file, or uploaded any information. If most of your team fell for the ruse, it’s time for more training. If most realized it was a phishing email and reported it, your cybersecurity awareness efforts are paying off. The results will guide your next steps in training.
Employees are your first and last line of defense when it comes to cybersecurity. No matter which technology your IT experts put in place, how your team interacts with it will largely determine your success. Training can go a long way toward making your employees savvy users of technology who will safeguard the security of your organization and its donors. Start training your employees early and often. Need help designing or implementing a training program? Reach out to us!