Why cyberdefenses are worth the cost

Yes, all organizations are vulnerable, and yes, you’ve heard the warnings that it’s likely only a matter of time before a data breach happens at your organization. But how do data breaches apply to not-for-profit (NFP) organizations? Why would anyone want to target an NFP?

The primary motivation for today’s attacks is to acquire information and money. Every new person a hacker can identify can be a new victim or opportunity, and NFPs possess information about donors that may be very useful to hackers. Some in the health care sector, such as hospitals, have electronic health records (EHR) that may be worth more than $1,000 each (i.e., the EHR for one person) on the black market, according to a 2017 Forbes article.

NFPs host an array of potentially valuable information, from donor lists and profiles to employee and client files containing Social Security numbers and other sensitive data. Even if your organization is 90% volunteers and consists of little more than a tent-based medical camp, attackers realize that you likely have data and funds they can target. On the other hand, your organization might be a large, well-established NFP. Perhaps you have an IT staff that supports computers for hundreds of other staffers across multiple sites. Regardless of the size or sophistication of the organization, an NFP that falls victim to a ransomware attack might prefer to pay an attacker instead of having operations paralyzed for any amount of time and perhaps damaging its reputation (see the sidebar “Ransomware” below).

A lack of IT resources devoted to cybersecurity can make NFPs appealing to hackers. But regardless of the type or size of your organization, you can choose from multiple options to enhance your security against attacks. These tips can help any organization guard valuable systems and data.

TRAIN USERS ON SECURITY PRACTICES

Educate your employees regularly about new attacks and risks. You can provide this education in many ways, including online training (perhaps through a company intranet) or written documentation provided in a simple, user-friendly format.

Consider monitoring the news for security incidents and passing along those articles to your staff. Staying informed about recent attacks can be a great form of defense.

It doesn’t cost much to warn users against opening malicious files and clicking on links. To prevent wire or Automated Clearing House (ACH) fraud, educate employees on when to be suspicious of certain messages or email addresses (see the sidebar “Wire Transfer and ACH Fraud” below).

Management support goes hand-in-hand with security awareness training. Employees should be able to contact their superior and ask, “Are we sure about this?” or “Is this real?” without any fear of reprimand. Management must emphasize that missing a deadline to get confirmation from a superior is better than taking the risk of sending money to the wrong person.

It’s also important to have a process in place that allows an employee to get confirmation from a superior absent the use of a computer. For example, if the CFO sends an email requesting to wire $10,000 to a specific account, the employee should call, not email, the CFO for confirmation. Walking to the CFO’s desk may even be the best course of action. If attackers have access to your systems, they may be able to read and respond to the CFO’s emails and allow the fraud to occur.

If an employee clicks on a bad link or gets a virus on his or her computer, does the employee feel that reporting it could endanger his or her job? Help your employees feel comfortable about discussing mistakes and understanding what happens when they report an incident (see the sidebar “Phishing for Credentials” below). Emphasize the importance of doing so immediately.

Also understand that this sort of training is not “one and done.” Training should be ongoing and periodically refreshed because everyone needs at least a gentle reminder now and then.

CREATE AND TEST SYSTEM BACKUPS

Backup is a key component of mitigating a ransomware attack. Data backups should match the recovery time and objective defined in your organization’s disaster recovery plan.

Backing up systems nightly gives you the ability to restore a system to its state from the day before a breach, and in the case of a ransomware attack, you may be able to ignore an attacker’s demands and maintain business as usual for the most part.

Your systems should be backed up every day, and some organizations may wish to back up systems more frequently. For example, some organizations are transaction-heavy, and losing an entire day of data entry could be problematic. Today’s backup technologies afford organizations the flexibility to back up data using multiple methodologies over varied time periods to many locations, whether in-house, to an alternate location, or online (cloud).

Simply making backups of your systems and data is not enough, however. System backups should be tested periodically by doing a system restore. A good exercise would be to ask your IT team when was the last time that they tried to restore something from a backup. It’s a mistake to just assume that the “green checkmark” showing in the backup software is reliable. Your team should take the time to test your restore process often, perhaps quarterly, even if it’s just for a single server. Additionally, if a test restore is being done for a critical application, it is usually best to have users test the application after the restore to ensure there is no database corruption and the required data exist.

PRIORITIZE ANTI-VIRUS AND PATCHING

Make it a top priority to install and run anti-virus software on all of your systems and apply all security patches in a timely manner. While anti-virus software is important, it is worth considering additional layers of protection, including a new breed of anti-virus applications called automated endpoint protection, which is part of an overall advanced threat protection methodology. You may also consider having multiple anti-virus applications running at the same time to cast a wider net.

It’s important to understand that you cannot settle for 99% anti-virus coverage. Every computer in your organization should have anti-virus software installed. Computers without it should not be allowed on your network.

Anti-virus products do come at a price, but you can’t afford to not have them running on your computers. When you consider the cost of a breach, anti-virus products seem quite affordable. If you are concerned about the price of anti-virus software for all of your organization’s computers, companies such as TechSoup (techsoup.org) offer discounts for qualifying not-for-profits.

IMPLEMENT NETWORK SEGMENTATION

Segmenting your network is your best defense against a hacker moving through your environment, as would occur in a lateral movement breach (see the sidebar “Lateral Movement” below). Segmentation involves implementing certain controls (e.g., firewall rules and access control lists) to divide up your environment and prevent certain networks from being able to access others.

In implementing segmentation, it’s important to consider which groups need access to which systems and data. Should volunteers and HR be on the same network? Should sensitive accounting data be on the same computer as marketing collateral? Separating by job function can save your organization from a breach, or at least limit the type of data that is exposed should a breach occur.

In addition, it is too dangerous to run old or unpatched systems and software. Systems and software that are “end-of-life” no longer receive security updates from their vendors, meaning they can’t be updated to protect against the latest threats. For example, Windows XP should not be allowed on your machines or in your network, no matter the circumstance. Even Windows 7 in some circumstances may not provide the level of security your organization needs.

No matter the platform, you need to apply security patches as quickly as possible. Do you have a vendor who says it can’t apply a security patch to its computer on your network? You may need to consider changing vendors or, at the very least, giving that computer its own isolated network to prevent lateral movement in the case of an attack.

RESEARCH CYBER INSURANCE

Do you already have cyber insurance? Don’t just assume it’s on your general policy. Make it a priority to ask your agent. While this isn’t preventive, it’s something your organization should be looking into, as it can help you cover and recoup costs if an incident occurs.

When setting up a cyber insurance policy, you will want to inform your insurance company of which service providers you would use if you needed help with a breach (e.g., incident response/cybersecurity firms, lawyers, PR firms). It’s worth mentioning that you can specify which law firm you want to use if you give the insurance company prior notice. If you don’t preselect a law firm, your insurance company may assign someone to work with you.

When you are trying to frantically respond to and contain an incident, you don’t want to be meeting new business partners, especially one as important as your legal counsel. Another important issue around cyber insurance is to know specifically what constitutes a breach in your organization and what constitutes restitution.

CREATE A WRITTEN INCIDENT RESPONSE PLAN

A written incident response plan can help an organization decrease the impact of a breach if it occurs. The organization’s leadership and the board should approve a breach response plan in advance, and all relevant personnel should be trained on how the plan requires them to respond in the event of a breach.

The plan also may include the contact information for an incident response/cybersecurity firm that would be the organization’s preapproved consultant if a breach occurs. In the case of a ransomware attack, the cybersecurity firm may help you decide if your organization would pay the ransom or try to find another course of action.

Finally, the response plan may contain information on which law enforcement agencies or regulators the organization would contact in the event of a breach. Even after the breach is over, your plan should help you prepare for media inquiries and breach notifications to regulators, consumers whose data may have been stolen, and other affected businesses, in compliance with legal requirements.

MONITOR LOGS

If you have IT staff, part of their weekly duties should include reviewing logs. The logs might be from firewalls, anti-virus programs, or any number of other systems.

Even though performing log review may not equate to identifying a breach within moments of its happening, it may help stop a breach more quickly.

COST-EFFECTIVE PROTECTION

While NFPs may not always possess an abundance of resources to devote to cybersecurity, following these tips can provide protection at a reasonable cost.

Ransomware

By now, likely everyone has heard about an incident involving ransomware, which was the most prevalent form of malicious software in 2017, according to Verizon’s 2018 Data Breach Investigations Report. A ransomware attack involves a piece of malware that encrypts all the files on a computer system or network. Typically, the attacker demands payment (likely in bitcoin or another cryptocurrency) within a certain number of hours to decrypt the files. The attacker might either set the ransom amount based on the number of files it encrypted or demand a flat-rate ransom.

Even if an NFP is willing and able to pay the ransom before the attacker’s deadline, there is no guarantee that the attacker will be willing and able to decrypt the files. The organization may pay out funds to the attacker only to be left with a bunch of encrypted files that it cannot access.

Ransomware attacks most commonly start with a single client or volunteer opening a malicious file or clicking on a malicious link. That person doesn’t have to be in IT or finance for the attack to succeed. Because the user’s computer often has access to “the shared drive” or is connected via a network to other systems, it’s often easy for that single user’s computer to infect many others.

Wire transfer and ACH fraud

Wire transfer and ACH frauds are growing in popularity because of how easy and successful criminals find these frauds to be.

In older versions of this type of attack, the attacker would send an email to a finance employee asking for a certain dollar amount to be wired to a specific account before the end of the day. The attacker’s email was created to appear as if it had come from a person of authority within the organization.

This attack has grown in complexity recently. Attackers now email organizations posing as outside vendors and state something along the lines of:

We are your vendor, Acme. We have changed banks from First National Bank to Second National Bank. When you send us our monthly payments going forward, please remit checks to this new account.

While this type of attack may take a month to yield any results, rest assured, the attackers are patient enough to wait for the payout.

You can prevent this type of fraud by making sure you never initiate a transfer through an email. Rather, always type the address into the browser and go directly to the bank website to initiate the transfer.

Upon detecting wire or ACH fraud, your best course of action is to contact your bank immediately. Each bank has its own process and its own window of time in which it may be able to reverse a transfer.

Lateral movement

The term “lateral movement” describes an attacker’s ability to move from one computer to another in the same environment without detection and with minimal effort. If an attacker can get from one employee’s computer to another employee’s computer without going through a firewall, the attacker may be able to access and obtain sensitive data without being detected.

An attacker first needs to gain access to the environment and would likely do so through a phishing email (see the sidebar “Phishing for Credentials”). For example, if an attacker can get a volunteer coordinator to click on a malicious link, giving the attacker an opening into the environment, the attacker could use that opening to ultimately access the HR director’s computer or even the CEO’s computer.

Unfortunately, an attacker need not be overly sophisticated to perpetrate this type of lateral movement. Dozens of tools that help attackers are for sale on the “dark web.”

Phishing for credentials

Phishing attacks are very similar to wire transfer/ACH attacks. When phishing, the attacker wants to steal the credentials of your organization’s associates, donors, volunteers, and customers — anyone that could provide access to your website or computer system. Stealing credentials can be the first step into your organization to launch a variety of other attacks, including denial-of-service attacks that flood or overwhelm your systems with the intent of temporarily disabling them.

A phishing attack often involves two steps:

1. The attacker creates a webpage that looks like the organization’s webpage on which volunteers and partners are prompted to sign in. While the page looks real to end users, it is designed to capture usernames and passwords from would-be victims. One way to avoid this type of attack is to make sure to always type your organization’s URL into the browser rather than clicking a link in an email.
2. Once the phishing webpage is ready, the attacker sends a mass email to your constituents and points them to the fake webpage to log in, allowing the attacker to capture their usernames and passwords to use on the real webpage. The attacker may leverage social engineering to access an employee’s email account to send the mass email, or send the mass email from an attacker-controlled domain chosen to make it look like it came from the organization (e.g., @acrne.com instead of @acme.com).

Fake landing pages are not easily identified. It takes a smart employee to spot, and then report, an impostor page. Once a phishing page is identified, consult your incident response plan. Your actions may include blocking the page at your firewall. Keep in mind, though, that this will not protect your remote users. The slower, but better, approach may include notifying the internet service provider (ISP) for the webpage. You might also consider notifying federal law enforcement.

About the author

Mark Shelhart is director of incident response and IT forensics for Sikich LLP in Naperville, Ill.

To comment on this article or to suggest an idea for another article, contact Ken Tysiac, the JofA’s editorial director, at Kenneth.Tysiac@aicpa-cima.com or 919-402-2112.

AICPA resources

Articles

• “Paving the Way to a New Digital World,” JofA, June 2018
• “Small Businesses Should Guard Against Tax-Return Identity Theft,” JofA, May 3, 2018
• “How Board Members Can Perform Oversight of Cybersecurity Risks,” JofA, April 12, 2018
• “Cybersecurity Tips From the ‘Shark Tank,‘” JofA, Nov. 3, 2017
• “A New Cybersecurity Risk Management Reporting Framework for Management and CPAs,” JofA, April 26, 2017
• “7 Benefits of Cybersecurity Penetration Testing,” Feb. 10, 2017, blog.aicpa.org

CPE self-study

• Cybersecurity Fundamentals for Finance and Accounting Professionals Certificate (#162220, online access; #GT-CSFD, group pricing)

For more information or to make a purchase, go to aicpastore.com or call the Institute at 888-777-7077.

Online resources

• AICPA Cybersecurity Resource Center
• AICPA Not-for-Profit Section
• Archived webcast: “Cybersecurity Pitfalls and Information Risk Management for Not-for-Profits,” aicpa.org; slide deck, aicpa.org (AICPA Not-for-Profit Section member login required)