Cybersecurity for the Under-Resourced

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Non-Profit Cybersecurity

A successful cybersecurity improvement effort depend more on the willingness of an organization's leadership to revamp work procedures to reduce information technology-borne risk than on the resources the organization has to devote to the effort, the author writes.

Jed Davis

By Jed Davis

Jed Davis is a partner at Day Pitney LLP in New York in the firm's Cybersecurity and Data Protection practice.

When it comes to cybersecurity, it is tempting for nonprofit and other under-resourced organizations to sigh in envy at the wealth of bigger, wealthier firms—and hope for the best. But such wistfulness is ill-advised. We should know by now that new technology is not “the” answer, whether an enterprise can afford it or merely wishes it could. The fullness of its tech budget is never a sure indicator of how safe an organization actually is. Rather, improved cybersecurity depends more on whether that organization's leadership is willing to revamp work procedures to reduce information technology-borne risk. That commitment is one that any enterprise can make, particularly organizations with bare bones information technology budgets.

Nonprofits and similar entities face much the same scary Information Age threats as their wealthier counterparts. They depend on IT to convey and store data about trustees, donors, business partners and clients that need to be kept confidential. There are sound economic reasons for this dependence. And yet as we now know all too well, there is a dark and dangerous flip side to the advantages in speed, volume and interconnection that IT enables.

All that sensitive data is a magnet for criminals, hacktivists and vandals worldwide. Moreover, IT is simultaneously so powerful and so imperfect that even innocent mistakes by users can, do and will cause similarly grave leaks and disruption. The potential fallout, from malicious attack, human error, or both, includes threats to an organization's very survival: operation shutdowns, litigation and regulatory inquiries, withdrawal of key stakeholders—and cumulatively, devastation of an organization's finances.

In this scary time, navigating to greater safety requires an organization (no matter its mission or mode of financing) to stop assuming cybersecurity is a problem exclusively for new technology and only for tech people to fix. For sure, the allure of a technological fix, outsourced to the technically-minded, remains powerful. But by now, we know enough to recognize this for the dangerous myth that it is.

The internet, computers, smartphones and other devices on which we depend have been engineered to favor rapid rollout, instant copying and transmission of data, in volume, across networks and borders. Accordingly, each successive wave of security technology, from the ones that even poorer organizations can by now afford (e.g., firewalls and antivirus software), to newer countermeasures adopted by richer enterprises (e.g., intrusion detection and data loss prevention “appliances”) are imperfect exercises in retrofitting. Although they head off already-known threats, they nevertheless conflict with IT's deep-seated bias in favor of openness—the very bias that bad guys keep finding new ways to exploit and that keeps tripping up innocent users.

In these circumstances, it is not just counterproductive, but potentially lethal for any organization to gauge its cybersecurity based solely on whatever new technology it can afford. Improved cybersecurity instead depends on management pursuing a broader but ultimately more cost-effective range of containment measures, including candidly examining how an organization uses IT to perform its mission, revising its work habits to reduce overall risk and (yes) as funds permit, upgrading tech.

As it may require uncovering previously undetected leaks and vulnerabilities, organizations need carefully to consider whether to pursue this process under supervision of experienced cybersecurity counsel. Important steps in the process include the following:

Make an unflinching inventory of the information that the organization generates and holds

Over time, organizations have become addicted to information. Terabytes of it, in wide variety across many formats and in multiple repositories. If an organization is truly serious about reducing the risk of data breaches, it needs the courage to look hard at the depth and pattern of its addiction. Call this “data mapping” if need be, but “unflinching inventory” is more apt. In order for the organization to get better, its management, and staff need to examine what data the organization is actually amassing and how sensitive it is, who creates or has access to it and what rationale (if any) justifies its acquisition and continuing availability. Grading the sensitivity of this information according to the damage that would ensue were it to leak is a critical first step toward improved cybersecurity.

Apply the above findings to reduce the universe of information at risk of compromise

Management must set and enforce criteria that lead the organization to stop creating, sharing and keeping so much sensitive stuff. For example, just because an organization acquires donor or other stakeholder data through its website does not mean that data need to remain with the third party that hosts that site. Just because a prominent person used to be an active trustee or donor may not justify storing her personal details in the organization's databases. Moreover not every observation important to an organization needs to be conveyed by e-mail, nor retained in active e-mail in perpetuity.

Draft, test, revise and then implement a security incident response plan

In this era, every organization faces security incidents in which the first clues are equivocal. There may be a major breach, a minor event or a false alarm, but determining which one is hard. Without more, it is easy for management to under-react, failing to probe enough, or to instead to jump to frightening conclusions. Moreover, even if it responds with dispassion, an organization that tries on the fly to figure should respond, and how, will waste precious time and energy when it can ill afford to.

Instead an organization should in advance develop a searching incident response plan. The plan pre-assigns and helps prepares the organization's best lay managers to work together with IT staff, counsel and often an outside cybersecurity expert, to conduct an internal inquiry, to maintain normal business operations and timely to communicate with stakeholders, law enforcement, regulators and the public. But beware the plan in a can. The best plans are those that organizations periodically require their response groups to test under realistic scenarios (a ransomware infection, an outside allegation of breach, etc.) and that management revises accordingly.

Invest in security awareness training

Cybercriminals succeed not just by finding flaws in IT design and implementation, but also by tricking users to let them in, volunteer secrets or send them money. These are venerable cons that succeed when users fail to transpose their street smarts to the digital world. People can be taught to be smarter and safer online, however—often at no- or at least low-cost. Phishing drills, for example, are an inexpensive and compelling means to educate users to treat every e-mail containing a link or attachment with a modicum—or more—of suspicion. Similarly, showing finance staff just one imposter’s e-mail requesting (in violation of standard operating procedures) that funds be immediately wired to a previously unknown account can be enough to inoculate the organization against such frauds (if not for years than at least until the next training).

Invest in vulnerability testing

Only a few years ago, in-depth scanning of an organization's systems for active malware and signs of prolonged intrusion and theft was available only to high-end businesses. Competition and technological innovation, however, have substantially reduce these services' price tag. They are now viable options even for organizations with scant resources, at minimum as a periodic diagnostic tool, if not for continuous monitoring. These services are readily installed, monitored remotely (eliminating the cost of site visits) and usually bundled with expert interpretations of the data. As such, they afford an organization with a thorough outside assessment of its IT and with it, a road map to allocate available tech dollars toward remedying the most severe vulnerabilities.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security