In any online environment, there are risks of computer systems being hacked, data being stolen or manipulated, and privacy breaches occurring. Unfortunately, many not-for-profit organizations are woefully underequipped to protect themselves from these attacks due to financial, technical, or other constraints. While there is no single solution that will work for all organizations, there are many simple steps that any organization can take to improve their online security and minimize risks from both internal and external threats.
- Individual user accounts – Funds are limited in many organizations, resulting in multiple users sharing a single computer. It’s crucial that when the sharing of computers occurs, each user has their own separate account, with only the programs they need access to installed on their account. For example, users not part of the accounting team should not have QuickBooks installed on their profile. Additionally, only Information Technology users should have administrative privileges, ensuring that non-IT administrative users cannot install or modify any programs.
- Secure passwords – Safe passwords are one of the most fundamental parts of online security for an organization, and the best part is they don’t need to be ever-changing, complex passwords. Microsoft has recommended that organizations get out of the habit of complex passwords that are updated on a schedule and instead focus on ensuring each user creates a password that is easy to remember because it should never be written down. These passwords should be at least eight characters, but be sure to avoid commonly used words and phrases. Microsoft’s “Password policy recommendations for Microsoft 365 passwords” may be a beneficial guideline for your organization.
- Phishing and malware – E-mail-based attacks are a common way for bad actors to attempt to access an organization’s systems through different means. Users should never open emails or files from untrusted and unverified sources, as these files may automatically allow a hacker access to the organization’s systems. Additionally, emails and email addresses should be reviewed to ensure the contact’s request is legitimate and not an attempt to trick the user into giving out information that they should not. This can be especially important in a not-for-profit environment, where users may not have an email address directly associated with your organization.
- Networks – Wireless networks are available in most businesses and organizations, and this may be an easy way for an individual with ill intent to access your business’s private records and information. Wireless passwords should be secure and not shared outside the organization’s employees or volunteers. If guests are provided access to a network, the network for these guests should be separate from the main network, and secure business information should never be transferred over the guest network. Employee devices (personal computers, phones, tablets, etc.) should not have access to the main network.
- Multi-factor authentication – More organizations are using multi-factor authentication (MFA) to ensure that only authorized users are accessing organization systems and information. This is useful if a hacker or other non-approved person gains access to a user’s password. If the password is entered correctly, the program will “push” an additional verification to the user’s phone or other device. The user can then deny access to the system or program. While MFA can incur extra costs, it’s a great way to help keep your systems secure.

While the tools above are great starting points toward securing your systems, an IT professional can help you evaluate and navigate the needs of your organization. Policies and procedures to protect the systems in place and react in case of a data breach should be in place and reviewed to ensure that they’re up to date. Taking these simple steps seriously will help improve your organization’s security and minimize the likelihood of hackers accessing your systems.
By Alaric Saufley