Sep 13 2021

How Nonprofits Can Defend Against Ransomware Attacks

Charitable organizations have a lot to lose, but a proactive stance could help keep your data safe.

Ransomware has become a top concern for organizations large and small as high-profile incidents have grabbed headlines. Nonprofit charitable organizations have been targeted as well — and in some cases, law enforcement has been unable to assist.

While some have turned to cyber insurance, the model has its limits, according to a recent article from Protocol. Simply put, the sudden growth in ransomware attacks this year could make insurance an untenable option going forward.

Still, nonprofits can’t afford to be passive. According to a SonicWall threat report, ransomware attacks grew by 62 percent between 2019 and 2020, and recent events have suggested that remote and hybrid work creates new attack surfaces for ransomware to take hold.

Nonprofits are known for doing more with less. Given that, how can nonprofit pros ensure that they keep their data, their income and their hard work safe from ransomware attacks?

Nonprofits Should Emphasize Preventative Measures

When it comes to preventing a cyberattack on an organization, it’s important to first understand what the organization does, what its mission is, and what it represents. Data is paramount to the function of nonprofits. That data is often sensitive in nature, potentially including identifying information on donors and beneficiaries of services.

This means embracing frequent backups in multiple settings, including in the cloud and in physical form. One approach is the 3-2-1 rule, which calls for three recent backups in two separate formats, with one backup offsite. These backups can help mitigate the impact of a potential attack.

Existing policies around sharing and storing donor data should also be considered. This could include limiting access though multifactor authentication and encryption, and following compliance frameworks such as the General Data Protection Regulation.

It’s also important to make sure your employees are prepared to identify suspicious behavior and emails. Workers can be the last line of defense against ransomware, and arming them with actionable steps can help significantly. Unfortunately, insider threats can also play a role in potential ransomware attacks, so building an effective program to thwart them is another key investment to make.

Focus Security Efforts on Leadership

Nonprofit leadership is a crucial piece of the puzzle and can ensure that concerns about security like ransomware are heeded throughout the organization. Leaders can convince employees and volunteers to take cybersecurity seriously.

More significantly, executive directors, board members and CEOs are prime targets. They can become the focus of strategies like spear-phishing attacks. These types of attacks can be combined with ransomware for maximum impact.

With that in mind, cybersecurity training should emphasize the responsibilities of teams at the top.

MORE FROM BIZTECH: Why nonprofits need to prioritize digital maturity.

Launch a Ransomware Response Strategy

Prevention may limit your ransomware risk, but there’s always a chance something will get through. At that point, the focus switches to minimizing harm and impact.

Many organizations don’t have a strategy for this. An eMarketer study found that just 45 percent of businesses have a contingency plan in case an attack happens. Cleaning up after an attack can also be expensive: A recent Sophos survey found that the cost of recovering rose to nearly $2 million in 2021.

Ransomware attacks take many forms, and strategies to combat it should follow suit. Plans must consider potential effects on finances, business functions, donor goodwill and public relationships. They also need to account for vulnerabilities in outside vendors and supply chain links, something that has negatively affected nonprofits in the past.

A good response strategy keeps in mind factors both technological and tactical, using tools to lock down information as needed to minimize the impact of an attack and deciding whether the organization will pay a ransom — something that Kaspersky notes often doesn’t lead to data being returned.

The good news is that there are options for nonprofits that may not have ransomware experts on staff. Services like CDW Amplified™ Security services can help you prepare for a potential attack and quickly respond if it becomes necessary.

Just_Super/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT