Photo of a padlock on computer motherboard, symbolizing cybersecurity

Preparing for a Cyberattack: Questions to Guide Your Internal Planning

by Scott Petree and Christina Hardy
Imagine the following scenario at your organization: An unsuspecting controller or accountant receives an email with the message, “Latest payroll information — please approve.” The staff member clicks to open the file and, in a split second, launches a series of events that will become a financial and reputational nightmare for your organization.

That fateful click installs ransomware that locks the user’s workstation and crawls areas of the network the user has access to. It hits the first jackpot — the payroll folder on the network — and from there, continues to lock down servers and workstations, and collect a treasure trove of personal and proprietary information along the way.

Finally, a message flashes on the user’s screen: “Your device is locked, go here to unlock it.”

The news isn’t good. Cybercriminals are demanding $600,000 to unlock your network. Where did they get that number? The criminals did their research. They learned the size of your operating fund and chose an amount that won’t break your organization but will still be painful.

Lunch & Learn - Prepare Now: Protect Your Nonprofit by Managing Risk

Join Scott, Christina, and their and their colleague Rachel Sweeney for a FREE webinar called Prepare Now! Protect Your Nonprofit by Managing Risk.

November 17,
Noon–1 p.m. (ET)

Register

“[N]onprofits aren’t immune from cybercrime, and when you consider the financial and cultural cost of a breach, the proverbial ounce of prevention can help prepare and protect your organization.”

Ransomware and other malware can be a serious form of business disruption that literally takes over an organization and its operations. Some nonprofits believe they’re too small to be a target for cybercrime. Others think the risk of a breach is so remote they give it a low priority on the IT budget. But nonprofits aren’t immune from cybercrime, and when you consider the financial and cultural cost of a breach, the proverbial ounce of prevention can help prepare and protect your organization.

Cyber risk prevention starts with a risk assessment designed to help you understand the threats and vulnerabilities that may lead to a cyberattack. In addition to your systems, it assesses your users’ knowledge of potential threats — not just phishing emails but also other types of attacks that can occur via phone calls, access to unattended workstations, or unauthorized devices plugged into the network.

The risk assessment answers the following questions:

What critical information and assets in your organization could be a target?

These could include:

  • Confidential donor information
  • Your list of community organizations, individuals, and businesses that receive your nonprofit’s funds, perhaps confidentially
  • Banking information
  • Private donors who don’t want to be named publicly
  • Employee data
  • Confidential information from certain programs and services, such as healthcare or programs for children
  • Credit card information for monthly payments or preauthorizations at an event

Where is your organization’s critical data stored?

Is it on a vendor’s system, an in-house server, or on staff members’ workstations? If data is held by a vendor, do you have the right to get your data out of their system? Do you have the ability to keep offline backup copies of your data during the contract’s tenure?

Who has access to your data, and what controls are in place to protect it?

If your data is on a vendor’s system, what are they doing to protect the information? Oftentimes, this will require a review of the vendor contract to evaluate what controls are in place and where they could be enhanced to protect against cyberattacks and other unauthorized access.

Do you have an incident response plan in place for cyberattacks?

The plan should include detailed steps to be followed in the event of a breach. Do vendor agreements include a clause requiring notification if there’s been a breach or ransomware attack at their location?

Another component of a ransomware attack is the threat to leak information out to the public or other bad actors. Do you have the right vendors in place to help in this scenario? This could include a pre-contracted forensics group and appropriate contacts for local law enforcement and the FBI local field office.

“Tabletop exercises help your team practice and become familiar with their roles and responsibilities for responding to a cyber event.”

Be sure to also conduct a tabletop exercise with all appropriate staff or vendors that will be involved with a cyber event. Tabletop exercises help your team practice and become familiar with their roles and responsibilities for responding to a cyber event.

Do you have a business continuity plan in place?

The plan should answer these questions:

  • What’s the potential impact to business if there’s a disruption?
  • Which department or products and services are highest impact? Can you continue to operate, pay staff, etc.?
  • In the event you get locked out or have a system availability issue, do you have backups in place and data restoration procedures that enable you to keep the business operating and recover systems to normal operations?
  • Do you have controls in place to monitor the ability of backups to operate in offline mode and regularly test to ensure they’re working properly?

When organizations understand the potential implications of a cyberattack, they discover the investment in cybersecurity is no longer optional. Prevention now can avoid substantial human and financial costs later.


Senior Research Associate
Director, Strategy and Planning
Research Associate

Authors

Photo of Chris Hardy

Chris Hardy, CPA

Partner, Plante Moran
Photo: Scott Petree

Scott Petree, CPA, CISA, CISSP, CFE, QSA

Partner, Plante Moran