What’s keeping you up at night? Cybersecurity considerations for NFP leaders

Not-for-profit principal Laurie Horvath sat down with Joe Shusko, Baker Tilly cybersecurity principal, to discuss trends not-for-profit (NFP) organizations are experiencing with cybercrimes and what our clients should be aware of when building their control structure.  

Laurie: Joe, you’ve evolved into our clients’ best friend and worst enemy; our clients appreciate you keeping them informed and aware. But you also give them more things to worry about in the cyber realm. What type of cyber activities are you seeing that target NFP organizations?

Joe: We appreciate our role in helping keep Baker Tilly’s NFP clients safe and secure on the Information Technology (IT) front. Cybercrime continues to grow and advance, making it reasonable to estimate that approximately half of all incidents occur at smaller companies and organizations such as not-for-profits. Some of the most common attack strategies we’re seeing are business email compromise, wire fraud and ransomware. Many of these attacks leverage advanced social engineering tactics to give them a sense of authenticity. With advancements in artificial intelligence (AI) technology, these attacks are getting more sophisticated and easier to launch.

Laurie: That’s scary. I remember you mentioning how these ‘cyber bad guys’ are investing in talent and operating with more of a business-like mindset. It seems to be paying off for them.

Joe: You’re right. In years past, cybercrime was more about data theft and disruption, but now it has become a booming black-market business that generates significant income. While it’s difficult to truly measure the size of the problem, recent estimates indicate that cybercrime generated $8 trillion dollars in 2023! For some context, only the U.S. and China have a larger economy than that of these cyber criminals. That level of “earning” has given rise to niche criminal groups who specialize in a particular type of attack and then “sell” their services to other “cyber bad guys.” This has led to a rise in highly talented and organized criminals with the ability to leverage the most advanced technology, significantly reducing the barrier to entry. With the use of advanced AI technology and social engineering techniques, I wouldn’t be surprised to see attacks start to incorporate voice replication and other convincing tactics. Imagine getting a phone call from your executive who is on vacation, asking you to process an urgent wire payment. It is only going to get more difficult to identify fraud going forward.

Laurie: With the cyber threat evolving and becoming so sophisticated, it would seem like organizations will need highly technical protective measures in place. How should NFPs prepare themselves and what next steps should they take?

Joe: There are some baseline technical solutions organizations should have in place such as endpoint detection, multi-factor authentication, malware protection and firewalls; however, the good news is that improving human behaviors is more often the best bang for your buck. Approximately 90% of cyber incidents occur due to human error, so paying attention to good awareness and sound security behaviors goes a long way. I would advise my clients, especially NFPs who may be financially constrained, to focus on improvements in the following areas:

• First, increase cyber awareness, education and readiness across the organization. Anyone who connects to your network can be the weak link in the chain, so make sure that the entire organization is given security awareness training on a regular basis. Provide basic email tagging so users know when an email originated from outside the organization. Key leaders should familiarize themselves with the resources that are available such as the NIST Cybersecurity Framework and CISA.gov. Identify key partners to engage during an incident (e.g., cyber insurance provider, FBI, forensics investigations, legal intermediaries, etc.) and have a plan to coordinate with them in the event of an incident. Periodically simulate attacks through a “tabletop exercise” to make sure you’re prepared if/when a real incident occurs
• Second, enforce strong passwords and authentication methods. Utilize a virtual private network (VPN) for anyone connecting remotely and enforce multi-factor authentication. Periodically review your user IDs and use concepts of “least privilege” effectively and remove accounts that are no longer needed. Remember that ID in your environment is a potential target for hackers. The smaller “surface area” you have, the less you’re exposed
• Finally, identify departments who may have a higher likelihood of being targeted and evaluate your processes and controls in those areas. Often payroll, accounts payable and treasury functions are targeted for fraud and business email compromise (BEC). Controls like call-back procedures for wire requests and vendor changes help authenticate the activity prior to any fund’s disbursement

Bottom line: there are a lot of low-cost activities and protective measures that an organization can implement to protect themselves against cyber threats.

Baker Tilly can help

Questions? Connect with Laurie Horvath, Joe Shusko or any member of the Baker Tilly NFP team.