In today’s digital age, every click can be a potential threat, so the importance of cyber security awareness cannot be overstated, especially for Not-For-Profit organisations. However, balancing the technical needs of vulnerable sectors like disability, community services, and aged care with the ever-present spectre of cyber threats is no small task and many NFPs require support to achieve it. Enter Bremmar’s engagement with the human services sector and events designed to educate those industries.
Brenton Harris, Bremmar’s Managing Director, provided invaluable cyber security insights at the recent ‘Cyber Security Strategy, Compliance, and Reporting’ briefing at a CPA breakfast meeting. Keep reading to discover his key takeaways.
Understanding the Cyber Security Landscape for NFPs
To boost productivity and improve customer satisfaction, NFPs must harness technical advancements daily. However, as a result, the technical challenges, especially within the cyber security landscape, become increasingly complex and demanding.
Current Cyber Landscape
“Every seven minutes, a cybercrime is reported,” states Brenton Harris.
While this statistic is startling, the changing nature of these attacks is even more troubling. Cybercriminals aren’t merely seeking to steal data. Instead, they also threaten to disclose sensitive information, holding organisations to ransom.
As Brenton Harris outlines, it takes an attacker a median time of just 72 minutes to access private data following a phishing attack. “From there, it’s a mere 102 minutes for that attacker to invade the network and potentially deploy a ransomware attack. Their speed within the digital realm is astonishing.”
Why are NFPs Prime Targets?
NFPs often handle sensitive information, from client details and financial transactions to personal stories, which makes them a treasure trove of data. Cybercriminals recognise the value of this data, either for direct financial gain or for resale on the dark web. What’s more, NFPs typically operate on tight budgets, prioritising their cause over the operational aspects of data security. Consequently, the sector is viewed as a soft target.
Paying the Price for Cyber Complacency
Recent incidents starkly highlight the perils of downplaying cyber threats. Despite many organisations’ belief in their immunity against the cunning strategies of today’s cybercriminals, the reality tells a different tale. No sector is safe.
There are real-life examples happening daily of the magnitude and intricacy of cyber threats, and they highlight the vulnerabilities that even big corporations face.
One NFP was ensnared by a ransomware attack that left its email system paralysed. The culprit? A seemingly innocuous phishing attack. Yet this was no ordinary breach. Cybercriminals capitalised on a Customer Virtual Assistant (CVA) vulnerability to infiltrate the organisation’s digital realm.
The attackers targeted an unpatched vulnerability in the organisation’s Exchange Server. Even though the organisation had transitioned most of its operations to the cloud, it maintained certain on-premises infrastructure, including the vulnerable Exchange Server.
Once inside, the attackers swiftly encrypted the organisation’s data. The NFP found itself in a race against time, striving to restore access to its encrypted files. The financial impact? A hefty 200,000 AUD. Adding to the turmoil, the organisation grappled with four days of operational standstill before resuming its usual activities.
The essential lesson from this incident is the importance of timely patching. The organisation’s IT team struggled to keep up with the necessary patching cycles, leaving their digital environment vulnerable. Whether the organisation was unaware of this lapse or deemed it an acceptable risk remains unclear. However, the consequences of this oversight were undeniably severe.
It’s clear that even organisations that think they’re off the radar need to step up their cyber security game. It’s not just about playing defence anymore; it’s about staying two steps ahead. Regular updates, keeping a keen eye on systems, and having a solid cyber security plan are crucial to avoiding major cyber incidents.
Strategies to Fortify Cyber Defences
The best cyber security strategies don’t just hinge on applying the latest tech tools; instead, they come from a deep understanding of the basics. Brenton Harris emphasises the following three pivotal areas:
- Mastering the Fundamentals
Before navigating the complexities of advanced cyber security measures, it’s essential to grasp the foundational elements. Harris emphasises that the Essential 8 framework is an exceptional resource for tackling the basics and achieving compliance level 1. The most effective defence against ransomware, for example, includes Multifactor Authentication and frequent security patches. According to the ACSC Cybercrime Report, only 50% of NFPs have Multifactor Authentication enforced, and 70% have no vulnerability assessment to understand their risk exposure.
- Frameworks and Accreditation
The Australian Cyber Security Centre (ACSC) framework is an indispensable guide, offering a structured approach tailored for NFPs. Alternatively, the NIST framework is more comprehensive and has a broader scope on cyber security. Organisations seeking external endorsement can adopt ISO 27001 as the gold standard.
Drafting a Resilient Cyber Security Response Plan
In the complex world of cyber security, forewarned is forearmed. A meticulously drafted response strategy can be the line between a situation under control and an all-out debacle. Such a plan offers a clear course of action during a breach and bolsters stakeholder confidence by reassuring them of the organisation’s capability to weather digital storms. Key components of an effective plan include the following:
- Defining Roles
Clearly delineate roles, responsibilities, and communication channels to ensure a coordinated response during an incident.
- Assessing the Threat Metrics
Categorise incidents based on their severity to streamline the response process. Doing so ensures that resources are allocated appropriately, from minor glitches to critical breaches.
- Transparent Communication
Lay down guidelines for both in-house and outward-facing communications. This includes determining who authorises public statements, bolstering staff morale during crises, and keeping clients and associates in the loop.
Unlocking Microsoft 365’s Cyber Security Arsenal
Far from being just a productivity toolkit, Microsoft 365 emerges as a stalwart in the cyber security arena. Its suite of features not only amplifies operational efficiency but also fortifies an organisation’s digital security. Key digital security features include:
- Selective Application Access (Whitelisting)
Organisations can dramatically reduce their exposure by curating a list of permitted applications on user computers and blocking non-essential applications.
- Reliable Backup
Regular backups are a safety net, ensuring data recovery even after a cyber attack.
- Defences for the Remote Worker
Tools such as SmartScreen and the Microsoft Defender suite stand guard, ensuring a secure digital workspace.
Guarding Gadgets: Safeguarding Frontline Workers’ Devices
Frontline workers are equipped with mobile devices. This modern convenience helps boost their productivity and reach; however, it also demands robust cyber defences. After all, the stakes are high, especially for NFPs that handle sensitive client data. Addressing this challenge involves a multi-faceted approach:
- Device Management
Using tools like Microsoft Intune, organisations now have a powerful way to keep their devices in check. It’s not just about managing gadgets; it’s about protecting data, enforcing those essential PIN codes, and keeping an eye on what apps are up to.
- User Uplift
Mere tech won’t suffice. Through hands-on training and real-world phishing simulations, management, staff and volunteers can sharpen user vigilance and embrace cyber security norms.
- Standardisation is Key
Organisations can fine-tune their cyber defences by narrowing the spectrum of apps and devices. In essence, “Guard what’s active, making security proactive.”
Cyber threats are evolving, and NFPs must evolve faster. But building a resilient cyber security strategy, ensuring compliance, and upholding transparent reporting isn’t a walk in the park. It takes time and serious consideration. Bremmar, with a history of success with different NFP clients, can offer a clear path and tailor it to your organisation.
Engage with Bremmar to safeguard your present and fortify your organisation’s future in an increasingly complex digital world.
Watch our CPA event video:
Click here to watch our “Cyber Security Strategy, Compliance & Reporting Briefing for NFPs”.