Navigating the Minefield: Cybersecurity for Non-Profit Organizations


The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.

Cybersecurity threats cast an ominous shadow over organizations across all sectors. While the world often associates these risks with profit-driven businesses, non-profit organizations are equally vulnerable targets.

And the stakes are alarmingly high. Recent data shows that about 6 cyber-attacks happen every 4 minutes, and incidents like the 2022 attack on the International Committee of the Red Cross (ICRC) send shivers across the non-profit sector.

To make things even worse, limited resources and limited backups mean a successful breach could prove catastrophic. Non-profit cybersecurity is therefore a particularly important issue.

Understanding the Cybersecurity Risks for Nonprofits

Non-profit organizations face unique cybersecurity risks that stem from their distinct operational models and resource constraints. They frequently handle sensitive information, including donor and beneficiary details, which makes them attractive targets for cybercriminals.

Another significant factor is the general lack of robust cybersecurity measures within many nonprofit organizations. In fact, data shows that more than 84% of nonprofit organizations don’t have a cybersecurity plan. This makes them a prime target for many malicious players.

Additionally, many nonprofit organizations struggle to allocate sufficient resources to cybersecurity due to limited budgets and competing priorities. Much like small businesses whose account security suffers from lower budgets, non-profits are prone to thinking reactively instead of taking a proactive stance towards their own defenses.

For example, some non-profits don’t have the resources to invest in identity theft protection, cybersecurity consultancy, and even pen-testing tools to use in-house. Cybercriminals are well aware of this vulnerability and are increasingly targeting nonprofits.

Some charity organizations also often underestimate their risk level, falsely believing they are unlikely targets for cyberattacks. This complacency can lead to a lack of preparedness and awareness, further increasing their vulnerability.

Common Cybersecurity Risks for Nonprofits

There are many types of cyber threats and attacks that affect non-profit organizations. Here are some of the most common:

Data Breaches

Nonprofits are goldmines when it comes to data. A data breach typically occurs when cybercriminals exploit vulnerabilities in an organization’s cybersecurity defenses. This could be through hacking efforts, phishing scams, or even physical access to insecure storage locations.

There have even been cases of scammers presenting themselves as SAP consultants, requiring non-profits to hand over their treasure trove of data and the entire backend along with it.

Once they gain access, attackers can steal data such as credit card numbers, social security numbers, email addresses, and health records. For nonprofits, this could also include detailed donor information and sensitive donation and operational data.

Financial systems are also common targets for malicious actors, who can interfere with online transfers during invoice financing, with outgoing invoices, and even with crypto transfers at more forward-thinking non-profits.

The consequences of these breaches extend beyond the immediate loss of data. If the nonprofit is found not to have adequately protected data under laws like the GDPR or HIPAA, it can be subject to hefty compliance fines.

Ransomware

Ransomware is a type of malware that encrypts a victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. This malicious software typically enters systems through deceptive links in emails or vulnerabilities in software.

Once activated, it locks data using strong encryption algorithms and presents a ransom note demanding payment, usually in cryptocurrency, in exchange for a decryption key. And even once an incident is resolved, new ransomware families keep appearing, which makes forensic assessment all the more difficult.

Forced Downtimes

While data theft and ransomware attacks are often the primary cybersecurity concerns, forced downtimes can also heavily compromise non-profit organizations. Forced downtime refers to situations where an organization’s systems, websites, or online services are intentionally taken offline or made inaccessible, typically through cyberattacks like Distributed Denial of Service (DDoS) attacks.

Though forced downtimes may not seem as malicious as data breaches or theft, they can still have severe consequences for non-profits. They can disrupt your operations and impact your ability to carry out your missions effectively.

Best Practices for Enhancing Cybersecurity for Non-Profit Organizations

The cybersecurity risks facing non-profits are serious, but they can be managed even with limited resources. Here are some of the best practices to get you started:

Implement Basic Cybersecurity Hygiene

Basic cybersecurity hygiene involves simple yet effective practices to protect data. For example, use strong passwords that combine letters, numbers, and symbols and update them regularly. Employ multi-factor authentication (MFA) to add an additional security layer, making it harder for unauthorized users to gain access.

More importantly, ensure that all software, including operating systems and applications, is up to date with the latest security patches to close vulnerabilities. Regularly back up important data to secure locations to prevent loss from cyber incidents.

Likewise, because of the high number of social engineering attacks, more non-profits are open to hiring people with psychology degrees, both as external consultants and to run educational seminars. In fact, some cybersecurity experts sub-specialize in the psychological side of the field.

Carry Out Regular Risk Assessments

Start by taking inventory of all the data your organization collects, identifying where it is stored, and understanding who is responsible for it. Assessments should evaluate the potential vulnerabilities and threats to your systems and data.

However, non-profit organizations must also think more widely and consider the cyber resilience of their partners and collaborators. Think about the banks, suppliers and associates that hold sensitive data on your behalf. Where do they keep that data? Are the servers secure? Do they run regular pen tests?

Incident Response Plan

A good incident response plan can limit the extent of the damage in case of an attack. This plan should clearly outline roles, responsibilities, and specific steps to take in the event of a breach or attack.

It should cover procedures for incident detection, containment, investigation, data recovery, and communication protocols for notifying stakeholders. The plan should also address post-incident activities like system restoration and implementing additional safeguards.

Regularly testing and updating the incident response plan ensures it remains relevant and effective. With a well-designed plan in place, non-profits can respond swiftly and minimize the impact of security incidents.

Adopt Robust Open-Source Cybersecurity Tools

Open-source cybersecurity tools are increasingly recognized for their flexibility, cost-effectiveness, and the collaborative potential they offer to cybersecurity defenses. These tools are vital for organizations, especially those with limited budgets, as they provide a robust alternative to expensive proprietary solutions.

One of the main advantages of using open-source tools in cybersecurity is their transparency, which allows for better auditability and trustworthiness of the software.

Additionally, the collaborative nature of open-source software means that improvements by one entity can benefit all users of the software. This communal benefit is crucial in a landscape where cybersecurity threats are increasingly sophisticated and evolving rapidly.

Conclusion

Cybersecurity is no longer an optional consideration – it’s a critical imperative for organizations across all sectors, including non-profits. Cybercriminals are indiscriminate, and the stakes are simply too high to leave digital defenses to chance.

This article has demonstrated that there are practical and cost-effective strategies for fortifying your cybersecurity posture and protecting your non-profit from online threats.

However, remember that cybersecurity is an ongoing journey, not a destination. So, take one step at a time while focusing on what truly matters: making a positive impact on the world.


Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution


Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


USN-6910-1: Apache ActiveMQ vulnerabilities


Chess Hazlett discovered that Apache ActiveMQ incorrectly handled certain
commands. A remote attacker could possibly use this issue to terminate
the program, resulting in a denial of service. This issue only affected
Ubuntu 16.04 LTS. (CVE-2015-7559)

Peter Stöckli discovered that Apache ActiveMQ incorrectly handled
hostname verification. A remote attacker could possibly use this issue
to perform a person-in-the-middle attack. This issue only affected Ubuntu
16.04 LTS. (CVE-2018-11775)

Jonathan Gallimore and Colm Ó hÉigeartaigh discovered that Apache
ActiveMQ incorrectly handled authentication in certain functions.
A remote attacker could possibly use this issue to perform a
person-in-the-middle attack. This issue only affected Ubuntu 16.04 LTS,
Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-13920)

Gregor Tudan discovered that Apache ActiveMQ incorrectly handled
LDAP authentication. A remote attacker could possibly use this issue
to acquire unauthenticated access. This issue only affected Ubuntu 16.04
LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-26117)

It was discovered that Apache ActiveMQ incorrectly handled
authentication. A remote attacker could possibly use this issue to run
arbitrary code. (CVE-2022-41678)

It was discovered that Apache ActiveMQ incorrectly handled
deserialization. A remote attacker could possibly use this issue to run
arbitrary shell commands. (CVE-2023-46604)


Phish-Friendly Domain Registry “.top” Put on Notice


The Chinese company in charge of handing out domain names ending in “.top” has been given until mid-August 2024 to show that it has put in place systems for managing phishing reports and suspending abusive domains, or else forfeit its license to sell domains. The warning comes amid the release of new findings that .top was the most common suffix in phishing websites over the past year, second only to domains ending in “.com.”

Image: Shutterstock.

On July 16, the Internet Corporation for Assigned Names and Numbers (ICANN) sent a letter to the owners of the .top domain registry. ICANN has filed hundreds of enforcement actions against domain registrars over the years, but this is thought to be the first in which ICANN has singled out a domain registry responsible for maintaining an entire top-level domain (TLD).

Among other reasons, the missive chided the registry for failing to respond to reports about phishing attacks involving .top domains.

“Based on the information and records gathered through several weeks, it was determined that .TOP Registry does not have a process in place to promptly, comprehensively, and reasonably investigate and act on reports of DNS Abuse,” the ICANN letter reads (PDF).

ICANN’s warning redacted the name of the recipient, but records show the .top registry is operated by a Chinese entity called Jiangsu Bangning Science & Technology Co. Ltd. Representatives for the company have not responded to requests for comment.

Domains ending in .top were represented prominently in a new phishing report released today by the Interisle Consulting Group, which sources phishing data from several places, including the Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus.

Interisle’s newest study examined nearly two million phishing attacks in the last year, and found that phishing sites accounted for more than four percent of all new .top domains between May 2023 and April 2024. Interisle said .top has roughly 2.76 million domains in its stable, and that more than 117,000 of those were phishing sites in the past year.

Source: Interisle Consulting Group.

ICANN said its review was based on information collected and studied about .top domains over the past few weeks. But the fact that high volumes of phishing sites are being registered through Jiangsu Bangning Science & Technology Co Ltd. is hardly a new trend.

For example, more than 10 years ago the same Chinese registrar was the fourth most common source of phishing websites, as tracked by the APWG. Bear in mind that the APWG report excerpted below was published more than a year before Jiangsu Bangning received ICANN approval to introduce and administer the new .top registry.

Source: APWG phishing report from 2013, two years before .top came into being.

A fascinating new wrinkle in the phishing landscape is the growth in scam pages hosted via the InterPlanetary File System (IPFS), a decentralized data storage and delivery network that is based on peer-to-peer networking. According to Interisle, the use of IPFS to host and launch phishing attacks — which can make phishing sites more difficult to take down — increased a staggering 1,300 percent, to roughly 19,000 phishing sites reported in the last year.

Last year’s report from Interisle found that domain names ending in “.us” — the top-level domain for the United States — were among the most prevalent in phishing scams. While .us domains are not even on the Top 20 list of this year’s study, “.com” maintained its perennial #1 spot as the largest source of phishing domains overall.

A year ago, the phishiest domain registrar by far was Freenom, a now-defunct registrar that handed out free domains in several country-code TLDs, including .tk, .ml, .ga and .cf. Freenom went out of business after being sued by Meta, which alleged Freenom ignored abuse complaints while monetizing traffic to abusive domains.

Following Freenom’s demise, phishers quickly migrated to other new low-cost TLDs and to services that allow anonymous, free domain registrations — particularly subdomain services. For example, Interisle found phishing attacks involving websites created on Google’s blogspot.com skyrocketed last year more than 230 percent. Other subdomain services that saw a substantial growth in domains registered by phishers include weebly.com, github.io, wix.com, and ChangeIP, the report notes.

Source: Interisle Consulting.

Interisle Consulting partner Dave Piscitello said ICANN could easily send similar warning letters to at least a half-dozen other top-level domain registries, noting that spammers and phishers tend to cycle through the same TLDs periodically — including .xyz, .info, .support and .lol, all of which saw considerably more business from phishers after Freenom’s implosion.

Piscitello said domain registrars and registries could significantly reduce the number of phishing sites registered through their services just by flagging customers who try to register huge volumes of domains at once. Their study found that at least 27% of the domains used for phishing were registered in bulk — i.e. the same registrant paid for hundreds or thousands of domains in quick succession.

The report includes a case study in which a phisher this year registered 17,562 domains over the course of an eight-hour period — roughly 38 domains per minute — using .lol domains that were all composed of random letters.
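The bulk-registration signal Piscitello describes (one registrant paying for hundreds or thousands of domains in quick succession, often with random-letter names) is straightforward to surface from a registrar's own logs. The following is an added example, not code from Interisle, ICANN or KrebsOnSecurity: it groups a constructed registration log by registrant, counts how many registrations fall into any one-minute sliding window, and scores each second-level label for "random letters" using vowel ratio and Shannon entropy. The log format, the registrant ids, the domains and the thresholds are all assumptions made for the example.

```python
"""Flag bulk domain registrations and random-letter labels (added example).

Constructed data and assumed thresholds; a real registrar would tune the
window and threshold against its own baseline before acting on a flag.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import math

VOWELS = set("aeiou")

# Constructed sample log: "ISO-timestamp,registrant_id,domain" (assumed format).
# R1001 registers eight random-letter names in ~20 seconds (the burst pattern);
# R2002 and R3003 register readable names at a normal pace.
SAMPLE_LOG = """\
2024-05-01T09:00:00,R1001,zpqxkwvtrn.lol
2024-05-01T09:00:03,R1001,mqvxbzkrtp.lol
2024-05-01T09:00:06,R1001,ajkqzxwpvb.lol
2024-05-01T09:00:09,R1001,hgtrxvwqpl.lol
2024-05-01T09:00:12,R1001,kzlmpqvxsd.lol
2024-05-01T09:00:15,R1001,nbvcxzmlkj.lol
2024-05-01T09:00:18,R1001,qwrtyplkjh.lol
2024-05-01T09:00:21,R1001,eubcdfghjk.lol
2024-05-01T09:01:30,R2002,greenfield-library.org
2024-05-01T09:05:00,R2002,greenfieldlibrary.net
2024-05-01T10:00:00,R3003,riversideshelter.org
2024-05-01T10:20:00,R3003,foodbankofmaincity.org
2024-05-01T10:40:00,R3003,communitytheatre.org
2024-05-01T11:00:00,R3003,harborsidemuseum.org
2024-05-01T11:20:00,R3003,northlakeclinic.org
2024-05-01T11:40:00,R3003,valleyyouthcentre.org
"""


def parse_log(text):
    """Parse log lines into (timestamp, registrant_id, domain) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, registrant, domain = line.strip().split(",")
        records.append((datetime.fromisoformat(ts), registrant, domain.lower()))
    return records


def second_level_label(domain):
    """Label directly under the TLD ('foo.bar.lol' -> 'bar'), letters only."""
    parts = domain.rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return "".join(ch for ch in label if ch.isalpha())


def shannon_entropy(s):
    """Bits of entropy per character over the label's own character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(label, min_len=8, max_vowel_ratio=0.2, min_entropy=3.0):
    """Heuristic for machine-generated labels: long, vowel-poor, high entropy.

    Readable English words run well above 20% vowels, so the vowel ratio
    does most of the work; the entropy floor rejects repeated-letter junk.
    Thresholds are assumptions for the example.
    """
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return vowel_ratio <= max_vowel_ratio and shannon_entropy(label) >= min_entropy


def max_in_window(timestamps, window):
    """Largest number of events inside any span of length `window` (two pointers)."""
    ts = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(ts):
        while t - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_bulk_registrants(records, window=timedelta(minutes=1), threshold=5):
    """Return registrants whose peak registration rate reaches `threshold` per window.

    Each finding carries the registrant's total count, peak count in one window,
    and how many of its labels look random, so an analyst can triage quickly.
    """
    by_registrant = defaultdict(list)
    for ts, registrant, domain in records:
        by_registrant[registrant].append((ts, domain))
    findings = {}
    for registrant, items in by_registrant.items():
        burst = max_in_window([t for t, _ in items], window)
        if burst >= threshold:
            random_labels = sum(looks_random(second_level_label(d)) for _, d in items)
            findings[registrant] = {
                "total": len(items),
                "max_per_window": burst,
                "random_labels": random_labels,
            }
    return findings


if __name__ == "__main__":
    for registrant, info in find_bulk_registrants(parse_log(SAMPLE_LOG)).items():
        print(f"{registrant}: {info}")
```

On the constructed log only R1001 is flagged: eight registrations inside one minute, all eight with random-letter labels. R3003 registers six readable names over two hours and never exceeds one per window, so a volume-only rule does not touch it. The two signals are kept separate in the finding so that a legitimate brand-protection customer registering many readable variants at once can be distinguished from the random-letter burst the case study describes.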

ICANN tries to resolve contract disputes privately with the registry and registrar community, and experts say the nonprofit organization usually only publishes enforcement letters when the recipient is ignoring its private notices. Indeed, ICANN’s letter notes Jiangsu Bangning didn’t even open its emailed notifications. It also cited the registry for falling behind in its ICANN membership fees.

With that in mind, a review of ICANN’s public enforcement activity suggests two trends: One is that there have been far fewer public compliance and enforcement actions in recent years — even as the number of new TLDs has expanded dramatically.

The second is that in a majority of cases, the failure of a registry or registrar to pay its annual ICANN membership fees was cited as a reason for a warning letter. A review of nearly two dozen enforcement letters ICANN has sent to domain registrars since 2022 shows that failure to pay dues was cited as a reason (or the reason) for the violation at least 75 percent of the time.

Piscitello, a former ICANN board member, said nearly all breach notices sent out while he was at ICANN were because the registrar owed money.

“I think the rest is just lipstick to suggest that ICANN’s on top of DNS Abuse,” Piscitello said.

KrebsOnSecurity has sought comment from ICANN and will update this story if they respond.
