Your not-for-profit organization can’t count its cybersecurity program effective unless it properly trains employees. If staffers visit “dangerous” websites, mix work and personal accounts, or can’t recognize a social engineering scheme, they may open the door to hackers. Both new employee training and refresher courses for longtime staffers can protect your organization.
Leading cause of data loss
According to a recent study from the Ponemon Institute, a technology consulting company, employee negligence is the leading cause of data loss incidents. In fact, almost 60% of organizations experienced data loss due to an employee mistake involving email in the previous 12 months.
The shift to remote work, increasingly common for nonprofits, is notable, too. The Ponemon study found a strong correlation between the number of remote workers an organization has and a data breach’s cost. But the study also found that certain factors — including employee training — are associated with a lower-than-average breach cost.
Social engineering threats
Perhaps the most critical cybersecurity threat to your organization is social engineering, so make it a central focus of employee training. In social engineering attacks, including phishing schemes, cybercriminals use social skills to obtain data or compromise a target’s network. Phishing is responsible for 16% of data breaches, according to the Ponemon report.
But phishing is just one example of the social engineering threats your employees might encounter. “Vishing,” for example, uses voice communication. It can be combined with other types of social engineering to lure a victim to call a certain number and reveal sensitive information. “Smishing” leverages SMS messages with dangerous links.
Making technology safer
Another common risk is when staffers mix business and personal accounts, information, and devices. You need to explain why they shouldn’t conduct business activities (such as accessing your organization’s bank account) on their personal phone or play games on their employer-provided laptop. Similarly, they shouldn’t share USB flash drives, hard drives or other external hardware between business and personal devices. And they shouldn’t download software or apps from unknown sources either.
Creating a culture of safe browsing is particularly important now that so much work is done remotely. In addition to warning employees to be cautious about suspicious attachments and links, you might want to require them to use a virtual private network (VPN) when accessing your system. A VPN establishes a secure, encrypted connection, hides the user’s IP address and acts as a filter to protect data from cybercriminals.
As always, strong passwords that are frequently changed should be required. Passwords to access accounting, HR and other sensitive data should be given only to those who require it and changed as soon as they don’t.
The substantive content of your employee cybersecurity training is critical, but don’t overlook the importance of format. One-sided lectures and slide shows are unlikely to engage or stick with the audience. If you want staffers to walk away ready to put your lessons into action, make the training interactive. For example, create simulations during or after training that allow trainees to put what they’ve learned to the test.
Some organizations deploy simulations in the midst of a workday to check how employees respond. These real-time assessments can provide much better insight into whether employees retain actionable knowledge than a quiz during training.
If the worst happens
If despite all your and your staffers’ best efforts, your network is hacked, don’t try to handle the situation yourself. Work with security experts to repair the damage. And contact us for help creating a more risk-averse environment.
This material has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for, accounting, legal or tax advice. The services of an appropriate professional should be sought regarding your individual situation.