Combatting NFP Cybercrime With a Proactive Cybersecurity Strategy
Top five takeaways from Baker Tilly’s June 2024 lakeside chat
Authored by Laurie Horvath, Bernard Regan, Joe Shusko
Baker Tilly hosted their annual not-for-profit governance and fiscal workshop this past June, and one of the most attended sessions focused on cybersecurity and related fraud risks. The presenters, Joe Shusko and Bernard Regan, delivered compelling examples, data and practical ideas to help not-for-profit (NFP) organizations defend against these crimes. If you missed the workshop or the session, you can view the on-demand recordings from each day. The top five lessons from the session are below.
Takeaway #1 - Be prepared
NFPs should create a detailed plan for responding to a cyber-attack before one happens. Cyber-attacks are fast, and they are frightening. Operating during an incident is stressful, and in many cases the organization cannot access its own systems. Should your organization suffer an attack, a plan kept offline (a printed copy or a copy on a device that is not joined to your network) with contact information, response steps, insurance policy details and other critical information will be essential. Once you have established a plan, don’t leave it on the shelf: practice it periodically to build familiarity, work out the kinks and update it as needed. An annual tabletop exercise puts the plan into practice and is a proactive, productive way to confirm preparedness. Look to resources such as cisa.gov for guidance you can draw on when developing your plan.
Takeaway #2 - Be informed
Not-for-profit organizations need to be well informed and continually aware of the types of cybercrime currently being committed. With advancing technology and the advent of artificial intelligence (AI), attack techniques evolve quickly, and defenses built around last year’s schemes may no longer be adequate.
Recommended resources to stay abreast of trends include:
The Register: Enterprise Technology News and Analysis
Dark Reading | Security | Protect The Business
Cyber Security Blog | SANS Institute
Krebs on Security – In-depth security news and investigation
Subscribe for alerts on cisa.gov
NIST Small Business Cybersecurity Corner
Takeaway #3 - Foster a positive cybersecurity education culture
It’s critical to create a positive education culture in which employees feel safe reporting anything that looks suspicious or unusual and admitting their own potential mistakes. Human error is a leading contributor to breaches, so cybersecurity should be approached as a business challenge, not just an IT challenge. Communicate frequently with the workforce about emerging trends, cyber hygiene and best practices, and encourage employees to report suspicious activity. There should be no consequences for bringing suspicious activity to the security team’s attention. Within reason, report everything, and do not discourage individuals from using their own judgment about what to report: if something looks odd or doesn’t seem right, report it. Your workforce will be best enabled to report suspicious activity if they have the right level of security awareness. Solutions like KnowBe4 or Mimecast provide engaging continuous training modules, or you can explore the many low-cost or free materials such as those listed on the NIST website.
Takeaway #4 - Test plans
No organization is isolated or completely protected from attacks. A regular testing cadence helps measure an organization’s exposure, especially as its systems and the threat landscape change. Periodic vulnerability assessments are essential for understanding which attacks an organization could be subject to. Gathering threat intelligence keeps an organization familiar with the current threat landscape, so defenses can be tailored to emerging threats. Finally, test your protective measures and incident response plan periodically through activities like tabletop exercises and penetration testing. Executing your incident response plan will always be harder during an actual attack, so exercising it frequently builds familiarity and gives you the opportunity to refine the plan against the current threat landscape.
Takeaway #5 - Understand the difference between cybercrime and fraud
Fraud and cybercrime are not the same thing, although fraud can be intertwined with cybercrime, and it can be harder to detect in a digital environment.
Fraud is typically a disruption of the financial process, whether internal (within an organization) or external. Fraudulent activities such as fictitious vendors, redirection of funds or simple theft can be carried out by employees, vendors, threat actors or a combination of all three. Often these individuals collude in a small group with the intent of extracting funds. Employees or vendors are able to do this because their access to the organization’s internal systems lets them modify system settings and manipulate data such as account details, routing numbers or other financial information.
Cybercrime routinely involves schemes like business email compromise (BEC), in which the attacker requests that funds be diverted. These schemes do not always require unauthorized access to a network: the attacker often relies on researching the organization’s staff and vendor relationships through social media and other public sources, then impersonates a vendor or executive and asks that payment be sent to a new account, citing an audit or some other fictitious reason. By the time the change is discovered, the money has been withdrawn and is gone. Cybercrime also includes ransomware and malware attacks, where the attacker demands payment for the return of stolen data or for the decryption key to encrypted data. Payment is usually demanded in digital currency, which is far more difficult to trace.
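The vendor payment-diversion scheme described above is usually stopped by a simple accounts-payable control: every request to change a vendor’s banking details is held and verified by a phone call to the number already on file, never to a number supplied in the email, and the request is screened for the usual BEC signals (a lookalike sender domain, audit or urgency pretexts, a new callback number). The following script is an added example written for this article and is not material from the Baker Tilly session; the vendor names, domains, account numbers and phone numbers in it are constructed for illustration.

```python
"""Screen vendor bank-detail change requests for business email compromise (BEC) indicators.

Added example for this article (not from the Baker Tilly session). The vendor master
records, domains, account numbers and phone numbers below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed vendor master file. The phone number on file is the ONLY number used for
# callback verification; any number supplied inside the request itself is ignored.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "Acme Office Supply": {"domain": "acme-office.example", "account": "11112222", "phone_on_file": "+1-555-0100"},
    "Northwind Catering": {"domain": "northwind.example", "account": "33334444", "phone_on_file": "+1-555-0101"},
}

# Pretext language commonly used to rush a payment change (audit, urgency, secrecy).
URGENCY_TERMS = ("audit", "urgent", "immediately", "confidential", "before close of business")


@dataclass
class ChangeRequest:
    claimed_vendor: str
    sender_address: str
    body: str
    new_account: str
    callback_number_in_email: Optional[str] = None


@dataclass
class Screening:
    requires_callback: bool
    callback_number: Optional[str]  # taken from the vendor master, never from the email
    indicators: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between sender and vendor domain suggests typo-squatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(req: ChangeRequest) -> Screening:
    vendor = VENDOR_MASTER.get(req.claimed_vendor)
    if vendor is None:
        return Screening(requires_callback=True, callback_number=None, indicators=["unknown vendor"])

    indicators: List[str] = []

    # 1. Sender domain must match the domain on file; near misses are classic lookalikes.
    domain = req.sender_address.rsplit("@", 1)[-1].lower()
    if domain != vendor["domain"]:
        dist = levenshtein(domain, vendor["domain"])
        if dist <= 2:
            indicators.append(f"lookalike sender domain {domain!r} (edit distance {dist} from {vendor['domain']!r})")
        else:
            indicators.append(f"sender domain {domain!r} does not match vendor domain {vendor['domain']!r}")

    # 2. Pretexts used to pressure staff into skipping verification.
    hits = [t for t in URGENCY_TERMS if t in req.body.lower()]
    if hits:
        indicators.append("pretext/urgency language: " + ", ".join(hits))

    # 3. A callback number that differs from the one on file would route the "verification"
    #    call straight back to the attacker.
    if req.callback_number_in_email and req.callback_number_in_email != vendor["phone_on_file"]:
        indicators.append("callback number in email differs from number on file")

    # Policy: ANY change to banking details is held for phone verification, even with no indicators.
    changed = req.new_account != vendor["account"]
    return Screening(requires_callback=changed or bool(indicators),
                     callback_number=vendor["phone_on_file"],
                     indicators=indicators)


if __name__ == "__main__":
    sample = ChangeRequest(
        claimed_vendor="Acme Office Supply",
        sender_address="ap@acme-offce.example",  # one letter dropped from the real domain
        body="Please update our bank details before the audit. This is urgent.",
        new_account="99990000",
        callback_number_in_email="+1-555-0199",
    )
    result = screen(sample)
    print("Hold for callback:", result.requires_callback, "-> call", result.callback_number)
    for ind in result.indicators:
        print(" -", ind)
```

The important design choice is the last step: the hold is triggered by the account change itself, not by the indicators, so a request that looks clean still gets a call to the number on file. The indicators exist to tell the person making that call what to be skeptical about.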
Baker Tilly can help
Baker Tilly’s cybersecurity specialists can offer tailored solutions to your not-for-profit organization to assist with preventing and detecting cybercrime and fraud.