    Sponsored Content
    Okta
    • Opinion
    • Sponsored by Okta

    Opinion: 3 ways nonprofits can mitigate cybersecurity attacks

    How can nonprofit organizations mitigate the risk of cybersecurity attacks? Okta’s Remy Champion weighs in.

    By Remy Champion // 11 November 2022
    A person working on a laptop. Photo by: freestocks.org on Pexels

    Nonprofits identify gaps in our society and step in to provide care and services for our communities, the world we live in, and our futures. But a critical shift in how to deliver services has taken place over the past few decades. Devices are everywhere, and nonprofits are shifting to digital delivery of services. In this world, identity becomes the heart of every interaction between people and technology. However, hackers have taken note, and social engineering and web-based application attacks have increased over the years.

    Source: 2021 Verizon Data Breaches Investigation Report

    According to the 2021 Verizon Data Breaches Investigation Report, 89% of web attacks are caused by credential abuse of some kind, which is an identity-based attack. And every sector is at risk. Once a hacker has nonprofit login credentials, they can leverage social engineering to access donor data, volunteer information, and personal information of constituents.

    This is why, in today’s modern age, nonprofits need to shift from empowering people to securely empowering people. They need to protect the sensitive information that they store and digitally protect the communities and people they serve.

    Many nonprofits already work to establish trust as a core part of their mission and culture. This should be extended to the ways nonprofits set up infrastructure, access information, and handle logins for employees and volunteers.

    How can nonprofit organizations make trust part of their mission? Take these three steps to harden your security posture and protect sensitive information and data.

    1. Put multifactor authentication everywhere

    A vast number of organizations may already be using some form of multifactor authentication solution, or MFA, which requires a user to present two or more pieces of evidence of authentication before accessing a system. But as Chris Niggel, Okta’s regional chief security officer for the Americas, noted in a recent Devex Q&A, the uptake is still low across many sectors.

    So how do you become good at using MFA?

    To prevent phishing attacks and meet a growing list of compliance requirements, find an authentication solution that is adaptive, or flexible. This type of system prompts the user with a secondary authentication factor only when needed and doesn’t overburden the end user. It can grant access based on a spectrum of possibilities, including device and user context, whether the user is inside or outside corporate networks, and application policies. Also, organizations should leverage a variety of authentication factors based on the risk of the login, such as SMS for less critical resources, and Web Authentication API, or WebAuthn (a browser-based API that allows web applications to simplify and secure user authentication by using registered devices, such as phones and laptops, as factors), or biometrics for high-risk resources. An adaptive authentication solution allows you to stay secure without overburdening the end user.

    Additionally, when deploying an MFA solution it's important to extend these secure methods of authentication to all critical resources and applications, including on-premises applications, custom applications, cloud applications, and desktop applications. Extending MFA to all your critical internal resources also means protecting access to network servers, corporate networks, and devices. To do this, it’s helpful to find a solution such as Okta Adaptive MFA that provides out-of-the-box integrations for all types of resources.

    Further, for everyone logging into your applications or infrastructure, you need to ensure that they truly are who they say they are. This means extending MFA to all groups of employees, contractors, volunteers, partners, and constituents regardless of which of the above resources they are accessing.

    2. Reduce hacker entry points by automating deprovisioning

    Provisioning user access to applications involves complex processes that span multiple departments and applications. Human resources, IT, and payroll teams need to create accounts across many systems to grant users access to all their applications. However, provisioning doesn’t stop there.

    As a user changes roles, system administrators need to make the relevant changes to their access settings. And when they leave the organization, their accounts need to be disabled and eventually deleted.

    Manually provisioning these accounts can burden IT. These mundane tasks are prone to human error — administrators may, for example, assign the user incorrect access, which limits their efficiency and can create security risks. Accounts could also remain active long after a user has left, which provides another potential access point for hackers.

    This is why organizations should automate user provisioning. It can increase productivity by freeing up time for both administrators and end users — such as new volunteers that quickly need access to apps — to focus on more pressing tasks. It also improves efficiency by reducing the risks of human error in these tasks and allows IT to ensure end users have the correct levels of application access, ultimately increasing security for the entire organization.

    By using a centralized identity directory to provision users, IT gets the visibility it needs to properly manage its users and applications. Administrators gain a consolidated view of users across every application, which helps them make informed decisions about access policy. From this unified view of users and actions, they can see how the organization stacks up against governance and compliance requirements.
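
    A periodic reconciliation is one way to catch accounts that stay enabled after a user has left. The following Python is an added example, not code from Okta or the original article; the HR roster, the application account export, their field names and the 90-day idle threshold are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data: the HR roster is treated as the source of truth.
HR_ROSTER = {
    "ana@example.org": {"status": "active", "end_date": None},
    "ben@example.org": {"status": "terminated", "end_date": date(2022, 9, 30)},
    "cy@example.org": {"status": "active", "end_date": None},
}

# Constructed sample export of accounts pulled from two applications.
APP_ACCOUNTS = [
    {"app": "crm", "user": "ana@example.org", "enabled": True, "last_login": date(2022, 11, 1)},
    {"app": "crm", "user": "ben@example.org", "enabled": True, "last_login": date(2022, 10, 20)},
    {"app": "mail", "user": "ben@example.org", "enabled": False, "last_login": date(2022, 9, 29)},
    {"app": "mail", "user": "dee@example.org", "enabled": True, "last_login": date(2022, 6, 2)},
    {"app": "mail", "user": "cy@example.org", "enabled": True, "last_login": date(2022, 5, 1)},
]


def find_stale_accounts(roster, accounts, today, idle_days=90):
    """Return sorted (app, user, reason) tuples for enabled accounts that need review."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned in this application
        person = roster.get(acct["user"].lower())
        if person is None:
            reason = "no_hr_record"  # account with no matching person on the roster
        elif person["status"] != "active":
            reason = "terminated_but_enabled"
            # A login after the end date means the stale account was actually used.
            if person["end_date"] and acct["last_login"] > person["end_date"]:
                reason = "login_after_termination"
        elif today - acct["last_login"] > timedelta(days=idle_days):
            reason = "idle"  # active employee, but the account is unused
        else:
            continue
        findings.append((acct["app"], acct["user"], reason))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_stale_accounts(HR_ROSTER, APP_ACCOUNTS, date(2022, 11, 11)):
        print(finding)
```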

    3. Implement secure identity policies

    When implementing security policies across an organization, most administrators want to adhere to industry best practices. Here are a few critical policies to follow:

    • Use strong authentication factors in factor enrollment policies.

    Not all factors are created equal: traditionally popular factors such as security questions and SMS have proven to be problematic. Hackers can easily find the answers to security questions online, and SMS can leave users vulnerable to phishing and SIM-jacking attacks. Require users to authenticate via strong factors, such as WebAuthn or biometrics, as well as push notifications and security keys.

    Source: Okta

    • Enforce a limited session lifetime. 

    Session lifetime determines the maximum idle time of an end user's sign-on session. By enforcing a limited session lifetime for users, admins reduce the window of time wherein a hacker could attempt to access a user's applications from an active session. This is especially critical in a remote world.

    • Use strong password policies. 

    First, requirements should be specified for lockout — the maximum number of invalid password attempts before locking the user's account.

    Second, password history — the number of distinct passwords users must create before reusing a password — should be enforced. This prevents users from reusing a previous password when resetting their password, which reduces the likelihood of credentials that have been compromised in a data breach being reused.

    Third, passwords should have minimum length requirements. Greater length encourages the use of passphrases, which provide greater protection against brute force attacks.
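
    The three password controls above (lockout, history and minimum length) can be enforced together. The following Python is an added example, not code from Okta or the original article; the `Account` class and the threshold values are assumptions, since the article names the controls but gives no numbers. History is checked against salted hashes, so old passwords are never stored in plaintext.

```python
import hashlib
import hmac
import os

# Assumed policy values for illustration; the article does not specify numbers.
MIN_LENGTH = 14
HISTORY_DEPTH = 5
MAX_FAILED_ATTEMPTS = 5


def _hash(password, salt):
    # Salted, slow hash so stored history entries resist offline guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Hypothetical account record enforcing the three password policies."""

    def __init__(self, password):
        self.history = []  # (salt, digest) pairs, newest last
        self.failed = 0
        self.locked = False
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]  # keep only recent entries

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def change_password(self, new):
        if len(new) < MIN_LENGTH:
            return "too_short"
        if any(self._matches(new, entry) for entry in self.history):
            return "reused"  # matches one of the remembered passwords
        self._store(new)
        return "ok"

    def login(self, password):
        if self.locked:
            return "locked"  # stays locked until an administrator resets it
        if self._matches(password, self.history[-1]):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return "denied"
```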

    Conclusion

    When it comes to securing your organization, there’s no silver bullet. But identity is the foundation of a secure organization. By placing a strong MFA solution across all resources, reducing hacker entry points with automated provisioning/de-provisioning, and enforcing strong password policies, nonprofits will greatly improve their security posture to defend against today’s threats.

    Okta is here to help you better secure your organization. Through our Okta for Good program, we proudly offer all nonprofit organizations 50 free licenses for Okta products such as Adaptive MFA and Lifecycle Management and 50% off additional licenses. To learn more, contact us here.

    The views in this opinion piece do not necessarily reflect Devex's editorial views.

    About the author

    Remy Champion leads nonprofit marketing at Okta and has been in the identity space for over 6 years, first at Stormpath and now at Okta, where she helps nonprofits understand our offerings and benefits. Remy loves the outdoors and animals, and spends her free time volunteering, open water swimming, hiking, and surfing.
