By Suzanne Pollak and Carolyn Conte
Nonprofits are being hacked more frequently than ever, and the global pandemic is only making matters worse.
“We do see a steep increase,” in cybersecurity breaches, said Asaf Weisberg, founder and CEO of introSight and board director of ISACA, an international association that assists technology professionals and their companies around the world. “The intensity is higher than before.”
Because of the increased local threats, the Cybersecurity Association of Maryland, the Maryland Israel Development Center, the Embassy of Israel, and Whiteford, Taylor & Preston LLP will offer a webinar Oct. 22 for National Cybersecurity Awareness Month. A panel of experts will discuss solutions, grant opportunities and insight on emerging technology trends. Four Israeli cybersecurity companies will share their insights and techniques on how to stay ahead of hackers.
“Israel and Maryland are global hotspots of cybersecurity development and, too often, targets of cybersecurity attacks. Our panel of experts will discuss emerging cyber threats and technological solutions they have developed on the front lines of cyber protection,” said webinar moderator Howard Feldman, who is partner and co-chair of Data Security and Privacy Practice, Whiteford, Taylor & Preston LLP as well as a MIDC board member.
Hackers are taking advantage of the pandemic as more people work from home, often using computers that do not have the latest antivirus software. “People are working outside their comfort zones, and the attackers are taking advantage of that,” Weisberg said from his home in Israel.
Last month, The Jewish Federation of Greater Washington announced hackers stole $7.5 million from the United Jewish Endowment Fund and diverted that money into international accounts. The hackers went for the money and did not steal donor information, according to the Federation, which also noted that the incident was not believed to be a hate crime.
Weisberg said that was common. Hackers strive to get the most money from easy, vulnerable targets. Usually, an attack on a Jewish nonprofit is not an anti-Semitic incident. “If the intentions are criminal, they don’t care if you are Jewish or not. They are after the money,” he said.
Taking money from an account or encrypting files and then demanding money to restore the information, which is called ransomware, are the two most common ways of hacking organizations, and they are not new, he said.
A third way, however, has arisen recently. Hackers pretending to be IT professionals text company employees to say they are eligible for a COVID-19 grant and then go on to ask for sensitive information, something that should never be divulged to a stranger.
Local organizations are aware and cautious.
At the Baltimore Jewish Council, The Associated: Jewish Federation of Baltimore maintains a robust system of security to similarly prevent hackers and threats. This includes regular trainings for employees and periodic tests.
“We are aware that there are a lot of risks, and what happened with the D.C. Federation has certainly prompted all of us to review our policies and procedures,” said Howard Libit, executive director of the BJC. “I know that our IT experts are constantly looking at ways to strengthen our systems.”
According to The Associated: Jewish Federation of Baltimore, they train staff in all organizations (including BJC) to be aware of suspicious activities, too.
A recent survey by ISACA found that only 51% of technology professionals are highly confident that their cybersecurity teams can detect and respond to a cybersecurity attack, Weisberg noted. Only 59% believe their cybersecurity team has the right tools and resources to perform their job effectively.
The survey included more than 3,700 IT and cybersecurity professionals from 123 countries.
Almost all those taking the survey — 92% — say that cyberattacks on individuals are increasing and 87% of the respondents believe that the quick transition to working from home due to the global pandemic has increased data protection and privacy risk.
That is what is believed to have happened to the D.C. Federation. Since then, Federation employees are not permitted to use their personal computers for work, and passwords have been changed.
Those are important steps, Weisberg said. He strongly recommended that all companies, no matter how small the workforce or its budget, either hire a cybersecurity officer or designate a current employee to be responsible for all such matters. “You need someone to coordinate,” he said.
While Weisberg understands that many nonprofits don’t have additional funds for this, he stressed, “it’s the cost of doing business.”
If employees only use company computers, it is easier to ensure those computers have the latest antivirus software and all updates are done regularly.
Often, personal computers are not updated. Another problem is that many home computers are used by several family members. “You never know where your kids are browsing,” Weisberg said, making it harder to ensure no one goes to an insecure site.
During October, National CyberSecurity Awareness Month, the U.S. Department of Homeland Security issued tips to be secure at work. The department recommends that everyone treat their business information as they do their personal information and never share personally identifiable information through tax forms and payroll accounts. Use strong passwords that are not easy to guess, and keep all software updated to the latest version available. Turn on automatic updates and set security software to run regular scans.
The federal agency also advises limiting the use of social media. “By searching Google and scanning your organization’s social media sites, cybercriminals can gather information about your partners and vendors, as well as human resources and financial departments,” it notes.
It only takes one slip. Many data breaches are traced back to a single security vulnerability, phishing attempt or incidence of accidental exposure. Do not click on unknown links, delete suspicious messages right away, and when in doubt, don’t open it.