Nonprofits Should Assess Cyber Security Risks and Preparedness

Technological security is the first hot topic in our new series, introduced last issue, on the major trends affecting the nonprofit sector. Not only is the topic increasingly important to nearly everyone today, but it is also undergoing a directional shift due to the prevalence and ingenuity of cyber-hackings. The true statistics about these hackings are more alarming than may be realized from the handful of high-profile corporate incidents recently in the news.  The risks associated solely with IT security apply to and reverberate throughout an entire organization’s systems and operations.

Many nonprofits, already challenged by regulatory and funding pressures, lack the economic or human resources to efficiently and economically address issues related to information technology and telecommunications. Of course, these are the very systems on which they must rely (to a greater degree every day) to enhance services, automate processes and report program achievements. These issues become even more burdensome when information or systems are disrupted, degraded or altered without authorization through malicious acts, which are increasing significantly.

With this in mind, Mercadien recently hosted a presentation about a new cyber security development applicable to all organizations. It is micro-virtualization, a state-of-the-art security enhancement designed to allow all computer users to more securely access the internet, embrace mobile options, and adopt new applications, while better protecting the entire organization – its networks, cloud, desktops, technology infrastructure, mobile devices and endpoint applications. Such micro-virtualization technology is included in Microsoft’s newly released Windows 10 operating system.

Why and how is cyber security technology changing and what’s the impact on your nonprofit?  Here’s a picture of the current landscape, according to Verizon’s 2015 Data Breach Investigations Report.

  • The majority of organizations in almost every business sector have been hacked. The manufacturing, public and professional/financial services sectors were the targets of 27%, 20% and 13% of the attacks, respectively.
  • Attacks are targeted. 70-90% of malware is unique; that is, created for a single organization.  Flash-based ads are the leading source of malware today.  Of the top 10 causes of infections or espionage, the top two are people opening an email attachment and clicking on links in emails. These accounted for over 75% of incidents.
  • The costs of physical property loss or business interruptions are considered low by some due to the existence today of numerous outlets from which information may be recovered.  However, more devastating are financial losses from stolen intellectual property, trade secrets and public sector information, such as IRS taxpayer records.
  • Most computer security breaches could have been stopped if already-existing system protections, such as anti-virus software, were utilized.  However, many IT providers and/or end users do not install or update them as they interfere with operating systems.  Many employ the “fix it after it breaks” methodology.  In addition, not all protection software works adequately against rapidly-evolving attacks.  As a result, some industry sources believe that an estimated 47% of all computer users have been compromised.  If you are a nonprofit with 20, 50 or 150 computer users, your IT risks and remediation challenges compound at an incredible rate.

Fortunately, detection technology has experienced key innovations.  It has moved from:

  • traditional hardware isolation, where the operating system (OS) protects by isolating corrupted files, to
  • desktop virtualization, where software isolates OS processes or applications, to
  • micro-virtualization, which currently is the only technology that can hardware-isolate all untrusted activity of an application at a granular level. The OS hardware-isolates critical system components, data and application tasks using CPU features for desktop virtualization. The OS distributes advanced threat analysis as a protective measure, so even if the system is compromised, key data files cannot be stolen. It enables real-time, organization-wide protection that doesn’t interfere with the end-user experience.

It’s critical to be informed about cyber security, which the National Institute of Standards and Technology defines as “the process of protecting information by preventing, detecting, and responding to attacks.”   As part of technological security, and regardless of the size or state of your organization’s IT assets, you should consider management of internal and external threats and vulnerabilities to protect information and the supporting infrastructure from cyberattacks.  For help assessing your nonprofit’s cyber security risks and preparedness, contact me at sritter@mercadien.com or 609-689-9700.