
Preparing for a Cyberattack: Questions to Guide Your Internal Planning

by Scott Petree and Christina Hardy
Imagine the following scenario at your organization: An unsuspecting controller or accountant receives an email with the message, “Latest payroll information — please approve.” The staff member clicks to open the file and, in a split second, launches a series of events that will become a financial and reputational nightmare for your organization.

That fateful click installs ransomware that locks the user’s workstation and crawls areas of the network the user has access to. It hits the first jackpot — the payroll folder on the network — and from there, continues to lock down servers and workstations, and collect a treasure trove of personal and proprietary information along the way.

Finally, a message flashes on the user’s screen: “Your device is locked, go here to unlock it.”

The news isn’t good. Cybercriminals are demanding $600,000 to unlock your network. Where did they get that number? The criminals did their research. They learned the size of your operating fund and chose an amount that won’t break your organization but will still be painful.

Lunch & Learn - Prepare Now: Protect Your Nonprofit by Managing Risk

Join Scott, Christina, and their colleague Rachel Sweeney for a FREE webinar called Prepare Now! Protect Your Nonprofit by Managing Risk.

November 17,
Noon–1 p.m. (ET)


Ransomware and other malware can cause serious business disruption, effectively taking over an organization and its operations. Some nonprofits believe they’re too small to be a target for cybercrime. Others think the risk of a breach is so remote that they give it a low priority in the IT budget. But nonprofits aren’t immune from cybercrime, and when you consider the financial and cultural cost of a breach, the proverbial ounce of prevention can help prepare and protect your organization.

Cyber risk prevention starts with a risk assessment designed to help you understand the threats and vulnerabilities that may lead to a cyberattack. In addition to your systems, it assesses your users’ knowledge of potential threats — not just phishing emails but also other types of attacks that can occur via phone calls, access to unattended workstations, or unauthorized devices plugged into the network.

The risk assessment answers the following questions:

What critical information and assets in your organization could be a target?

These could include:

  • Confidential donor information
  • Your list of community organizations, individuals, and businesses that receive your nonprofit’s funds, perhaps confidentially
  • Banking information
  • Private donors who don’t want to be named publicly
  • Employee data
  • Confidential information from certain programs and services, such as healthcare or programs for children
  • Credit card information for monthly payments or preauthorizations at an event

Where is your organization’s critical data stored?

Is it on a vendor’s system, an in-house server, or on staff members’ workstations? If data is held by a vendor, do you have the right to get your data out of their system? Do you have the ability to keep offline backup copies of your data for the duration of the contract?

Who has access to your data, and what controls are in place to protect it?

If your data is on a vendor’s system, what are they doing to protect the information? Oftentimes, this will require a review of the vendor contract to evaluate what controls are in place and where they could be enhanced to protect against cyberattacks and other unauthorized access.

Do you have an incident response plan in place for cyberattacks?

The plan should include detailed steps to be followed in the event of a breach. Do vendor agreements include a clause requiring notification if there’s been a breach or ransomware attack at their location?

Another component of a ransomware attack is the threat to leak the stolen information to the public or to other bad actors. Do you have the right vendors in place to help in this scenario? This could include a pre-contracted forensics firm and established contacts at local law enforcement and the local FBI field office.


Be sure to also conduct a tabletop exercise with all staff and vendors who would be involved in responding to a cyber event. Tabletop exercises help your team practice and become familiar with their roles and responsibilities for responding to a cyber event.

Do you have a business continuity plan in place?

The plan should answer these questions:

  • What’s the potential impact to the business if there’s a disruption?
  • Which departments, products, or services would be most affected? Can you continue to operate, pay staff, etc.?
  • If you are locked out of your systems or face a system availability issue, do you have backups and data restoration procedures that let you keep the business operating and recover systems to normal operations?
  • Do you have controls in place to confirm that backups are kept offline, and do you regularly test restoring from them to ensure they’re working properly?

When organizations understand the potential implications of a cyberattack, they discover the investment in cybersecurity is no longer optional. Prevention now can avoid substantial human and financial costs later.

Christina Hardy, CPA
Partner, Plante Moran
Christina advises nonprofits on the financial aspects of their organization so they can move the needle on their missions. She specializes in human services organizations, foundations, economic development organizations, and grant-funded organizations.
Scott Petree, CPA, CISA, CISSP, CFE, QSA
Partner, Plante Moran
Scott assists companies with assessments of security controls including data privacy, PCI compliance, and IT infrastructure. He advises clients on information systems audits, forensic technology, and enterprise risk mitigation in a variety of industries.