October is National CyberSecurity Awareness Month, and the message is that nonprofits are being hacked more frequently than ever. The global pandemic is only making matters worse.
“We do see a steep increase” in cybersecurity breaches, said Asaf Weisberg, founder and CEO of introSight and board director of ISACA, an international association that assists technology professionals and their companies around the world. “The intensity is higher than before.”
Hackers are taking advantage of the pandemic as more people work from home, often using computers that do not have the latest antivirus software.
“People are working outside their comfort zones, and the attackers are taking advantage of that,” said Weisberg during an interview with Washington Jewish Week from his home in Israel.
Last month, The Jewish Federation of Greater Washington announced hackers stole $7.5 million from the United Jewish Endowment Fund and diverted that money into international accounts. The hackers went for the money and did not steal donor information, according to The Federation, which also noted that the incident was not believed to be a hate crime.
Weisberg said the theft was a common one. Hackers strive to get the most money from easy, vulnerable targets. Usually, an attack on a Jewish nonprofit is not an anti-Semitic incident.
“If the intentions are criminal, they don’t care if you are Jewish or not. They are after the money,” he said. The exception is OpIsrael, an annual coordinated cyberattack in which the Israeli government and private Jewish websites are hacked.
Taking money from an account or encrypting files and then demanding money to restore the information, which is called ransomware, are the two most common ways of hacking organizations, and they are not new, he said.
A third way, however, has arisen recently. Hackers, pretending to be IT professionals, text company employees to say they are eligible for a COVID-19 grant and then go on to ask for sensitive information, something that should never be divulged to a stranger.
“Philanthropy often involves large transfers of money between organizations or people who don’t interact daily,” Dan Schoenfeld, of the grants management software company Fluxx, wrote in Philanthropy News Digest. “That gives hackers an opportunity to trick inexperienced employees who are unfamiliar with how cyber-crooks operate.”
Company executives are aware and nervous. A recent survey by ISACA found that only 51 percent of technology professionals are highly confident that their cybersecurity teams can detect and respond to a cybersecurity attack, Weisberg noted. Only 59 percent believe their cybersecurity team has the right tools and resources to perform their job effectively.
The survey included more than 3,700 IT and cybersecurity professionals from 123 countries.
Almost all those taking the survey — 92 percent — say that cyberattacks on individuals are increasing and 87 percent of the respondents believe that the quick transition to working from home due to the global pandemic has increased data protection and privacy risk.
That is what is believed to have happened to the Federation. Since then, Federation employees are not permitted to use their personal computers for work, and passwords have been changed.
Those are important steps, Weisberg said. He strongly recommended that all companies, no matter how small the workforce or its budget, either hire a cybersecurity officer or designate a current employee to be responsible for all such matters. “You need someone to coordinate,” he said.
While he understands that many nonprofits don’t have additional funds for this, he stressed, “It’s the cost of doing business.”
If employees only use company computers, it is easier to ensure those computers have the latest antivirus software and all updates are done regularly.
Often, personal computers are not updated. Another problem is that many home computers are used by several family members, and “You never know where your kids are browsing,” he said, making it harder to ensure no one goes to an unsecure site.
For National CyberSecurity Awareness Month, the Department of Homeland Security issued tips to be secure at work. According to its Cybersecurity and Infrastructure Security Agency, there was a 17 percent increase in data breaches during 2019.
The department recommends that everyone treat their business information as they do their personal information and never share personally identifiable information through tax forms and payroll accounts. Use strong passwords that are not easy to guess, and keep all software updated to the latest version available. Turn on automatic updates and set security software to run regular scans.
The federal agency also advises limiting the use of social media. “By searching Google and scanning your organization’s social media sites, cybercriminals can gather information about your partners and vendors, as well as human resources and financial departments,” it notes.
It only takes one slip. Many data breaches are traced back to a single security vulnerability, phishing attempt or incidence of accidental exposure. Do not click on unknown links, delete suspicious messages right away and when in doubt, don’t open it.