Ransomware and non-profits

By Randy Purse and William Sloan

Here are three huge myths that often impact non-profit organizations decisions on cybersecurity:

  • We’re too small to be attacked.
  • We don’t have a lot of money so aren’t going to be targeted by ransomware.
  • We aren’t even on the cybercriminals’ radar.

Just because non-profit enterprises represent a worthy cause doesn’t mean they are safe from attacks. Non-profits are just as subject to ransomware attacks as other kinds of organizations, and often lack resources, expertise, funding and ready access to the tools and capabilities that would support a robust cybersecurity program – putting them in a very similar situation to small- or medium-sized for-profit businesses.

What risks do non-profits face?

A non-profit often focuses the majority of its organizational energy on its mission. Indeed, non-profits can be more vulnerable than for-profit businesses, because ‘risk’ is often front of mind for business owners and a risk assessment is core to an effective business plan.

Why would a hacker go after a non-profit? Wouldn’t they be better off targeting a bigger payday? Not necessarily. A cyber-criminal could try hitting one big target that may be heavily protected, or it could hit a number of less protected smaller targets and accumulate the same amount of money.

Why does it matter?

Every dollar matters when you’re running a non-profit. If your website is the primary way you solicit donations for your cause, then losing it for any length of time could have a devastating impact. If you’re in the midst of a fundraising campaign with a set goal, and your website or systems go down for just one day, that can hurt you badly. Cyberattacks can hurt your credibility among potential donors, as well as among employees worried about their sensitive data.

Plus, once you’ve faced a ransomware attack, it might not be easy to shake off. You might have the financial surplus to meet the ransom demand, but that doesn’t mean it’s over. The cybercriminals may ask for more, they may not decrypt your data, your data may be corrupted, or they may attempt a double extortion threatening to release or delete data should you not provide payment. In the end, you may never get your data back.

How can non-profits protect themselves from ransomware attacks?

There are five key things that you can do that are relatively easy to implement and often at low cost, and that will significantly improve your organizational cybersecurity and resilience.

  • Establish risk management governance and a leader for your cybersecurity program. Risk management governance simply means that you have people and processes responsible to assess, prioritize and manage organizational risks – including cyber risks. As well, assigning responsibility to an individual to develop and manage your cybersecurity program will help ensure that cyber risks are appropriately managed. Preferably a senior leader, this individual does not need extensive technical training, nor does cybersecurity need to be their full-time job. Rather, they are a focal point for spearheading and managing the program.
  • Create an asset inventory. As the saying goes, you can’t protect what you don’t know you have. To make informed cybersecurity decisions, you should understand what needs to be protected. An asset inventory helps. It includes hard assets like laptops as well as operating systems, software and data – such as data protected under The Personal Information Protection and Electronic Documents Act (PIPEDA).
  • Back up what’s important on your systems. Ransomware can lock you out of your data, software and systems.This can be debilitating to your operations. To protect yourself from this type of situation, you should conduct regular backups. As best practice, you should have three backups: one local, one in separate location (eg. the cloud), and one in an offline location segregated from your existing network. Work with your IT staff or your service provider to ensure that you have a reliable, tested backup plan that suits your needs.
  • Have an incident response plan. There’s no such thing as 100% security, so you need to be prepared to respond to a cybersecurity incident. Having a cybersecurity incident response plan will provide guidance to your staff on what needs to happen to help mitigate the impacts of the incident. Not only should you have a plan, but people should be trained and your plan exercised to ensure that it works when you need it.
  • Implement baseline cybersecurity controls. The Canadian Centre for Cybersecurity has introduced has put out some useful guidance on ransomware and also Baseline Cyber Security Controls for Small and Medium Organizations. These are well suited to non-profits and will help improve your cybersecurity and resilience. While some technical expertise is required, most IT professionals or IT service providers can assist you with implementation.

Ransomware may seem like a daunting threat to your organization. However, there are things that you can do that normally do not require a lot of effort or funding, but can significantly increase your cybersecurity and resilience.

The Rogers Cybersecure Catalyst offers a suite of ransomware training resources, including role-based workshops for organizations, open skills workshops for individual learners and tip sheets. Contact the Catalyst for more information.