With a number of data breaches in the news recently, and an uptick in phishing scams capitalizing on COVID-19 related anxiety, cybersecurity has been a frequent topic of conversation in our sector.
To better understand how foundations can protect themselves and their data, we sat down with Marc Joffe—an IT security specialist providing assessments, training, and consulting through MSJ—for a discussion about how foundations can build a cybersecurity practice and mitigate risk.
1. Cybersecurity is top of mind for many foundations these days. Let's start with some basics: how do you define cybersecurity?
Cybersecurity is the protection of electronic data. Protection includes three critical items: confidentiality, integrity, and availability. Confidentiality covers the idea that only people that should have access to data can use it. Integrity means that data modification is limited to authorized people at appropriate times. Finally, availability is the requirement to ensure that information is available when it is needed.
These three items require a carefully thought out ecosystem. We need physical security to ensure the data is protected from issues like theft or being misplaced. Information needs to be stored and transmitted securely, processed correctly, and we need to control access at all times.
2. Who are the key players in establishing cybersecurity for a foundation, and what roles do they play?
A successful cybersecurity program starts at the top and requires participation from the entire foundation. In all organizations, including foundations, the board should set the tone for the cybersecurity program and highlight its importance. The leadership team is responsible for ensuring that the program is implemented and monitored by the right employees and consultants.
Finally, all employees are the critical piece that actively protects, learns, listens, and reports issues. It often only takes one mistake to grant attackers access to your network, no matter your title, position, or level of responsibility.
3. What initial steps do you recommend for foundations that are concerned about cybersecurity? How can they assess where they're at, and identify areas of improvement?
Many foundations are unsure how to get started, but the first steps are the easiest. Step one is to acknowledge that you need to tackle cybersecurity and get leadership and board buy-in.
To kick off any program, I recommend using the NIST Cybersecurity Framework. The National Institute of Science and Technology is a United States non-regulatory agency. The framework provides guiding policies for the protection of the private sector's critical infrastructure.
After reviewing the framework, step one is to identify what you need to protect. Define what you're defending by taking inventory of all the hardware, software, vendors, services, and data that your foundation owns. After your inventory, you can then identify the risks you'll need to tackle. The risk assessment will likely be wide reaching and may include items like those in the list below:
- Review and implement password policies for all systems
- Require two-factor authentication for all services
- Ensure all devices that hold data use encryption at rest
- Ensure only business tools are used when working with company data
- Destroy data that is no longer needed
- Secure physical facilities (alarms, cameras, locks)
- Validate onboarding and offboarding processes
- Implement vulnerability scanning and patching policies
- Train your team so they understand your policies and can identify attacks
Flowing from each risk, you will need to write and implement policies, and then train your employees to protect your data. And from that point, you will still need to detect security breaches you hadn't anticipated, learn from them and ensure you can respond to them moving forward.
4. Let's talk a bit about user error—systems are only secure if they're used properly. What kind of training do you recommend? Any advice for mitigating risk due to user error?
Training should teach people what the corporate policy is, how they can protect the company, how they can protect themselves, and how to identify attacks.
Training is available online through videos, in-person, and of course, via webinar today. We prefer in-person or interactive online training because we believe cybersecurity is a conversation. Everyone is human and makes mistakes, which is why phishing attacks are so prevalent.
If you encourage security best practices as a group, and actively allow your team to ask questions and learn, I believe that you will have a more reliable system to help prevent human error.
The Zoom security concerns at the beginning of the pandemic are a great example of how teams can build reliable systems. There is no doubt that there were valid security issues with Zoom, including insufficient encryption and the ability to quickly find chats, but at the same time, the most common issue of people joining random rooms and offending participants was preventable with existing tools. Using meeting passwords and not openly publishing links were best practices that everyone should have discussed and utilized.
5. What can foundations do to learn from security breaches in the sector?
Often, when a security breach occurs in a sector, but an organization is not affected, the team breathes a sigh of relief and moves on. To me, this is the wrong approach. Breaches can happen to anyone and any company, and each incident is a learning opportunity.
Foundations should use industry events to stop and evaluate their programs. How would your foundation respond to a similar breach? Do you have systems in place to handle these scenarios? Can you learn from reactions in your industry to help improve your own response?
For example, many in the security industry see COVID-19 as the largest Business Continuity Plan (BCP) test of all time. Often BCPs are tested on a small scale within a company. But now, companies globally are forced to run in unique ways. How has your foundation done? Are there ways to improve your BCP? What did others in your space do to handle work from home?
6. Any final thoughts for readers who are concerned about cybersecurity at their foundation?
Research shows that the number of data breaches continues to grow each year. Now is the time to take a measured approach to security. What are your risks, and how can you mitigate them? What can you afford to pay to protect the foundation, and how is that money best spent?