Why would social engineers phish among CSOs?

Non-profit organizations often encounter a method of social engineering called ‘phishing’. The similarity to the English word fishing is no coincidence; quite the opposite. The attack in fact uses the same technique as catching a fish: the attacker casts bait and waits to see who bites. Money is not the only possible object of phishing, although it may be targeted in other ways too, including some extremely sophisticated fraudulent invoices. The attacks often target the login credentials employees use to access the organization’s systems, or sensitive data managed by the organization. In the digital age, every organization has “something interesting” for hackers. For non-profit organizations, which the public often perceives as shrouded in myth, any misstep can lead to catastrophic outcomes, and the reputational consequences for an NGO can be very unpleasant. You may be thinking, “Okay, let’s admit that we can become a target too. But where do we start? Are there any uniform rules for how to address cybersecurity in a non-profit organization?”

Cybersecurity is mostly about human errors

First and foremost, keep in mind that human error tends to be a major weakness in cybersecurity. The first step should therefore always focus on people. Suitable courses and training help expose staff to current trends in social engineering and boost their resilience. Although many people believe that they need no training in this area and that they are fully in control, many organizations have had the opportunity to see otherwise. To make the training more effective, it is good to have people from management attend as well; after all, leading by example still works best. Where top managers have their employees attend a training course while skipping it themselves, they certainly do not send a good signal. If you would like to test your employees’ resilience, many companies offer simulated phishing attacks in which a fraudulent email is circulated within your organization. Such a rehearsal provides data on how well you would hold up. Clearly, though, cybersecurity in an organization goes well beyond that.

Where to start with building cybersecurity in your organization

Here is some brief guidance, based on Czech legislation, that can steer you through the initial stages of building cybersecurity in your organization:

1. Approach the issue of cybersecurity systematically

  • The management should include cybersecurity amongst the NGO’s priorities; the issue can appear in annual plans or strategies.

  • If possible, it is advisable to allocate financial resources to cybersecurity; you can also entrust the associated technical measures to a specialist company.

  • When ordering IT services, bear security in mind and anchor it in the contract with the provider.

2. Set sustainable rules

  • It is a good idea to designate a person or team responsible for the organization’s cybersecurity and its ongoing development.

  • Find out the needs of the staff and create an IT policy that is respected by all.

  • Specify organization-wide rules (e.g. rules for passwords, file sharing, etc.).

  • Think of the worst and prepare a plan in case you experience a cyber-attack.

3. Identify your key assets, specifically information systems and resources that are critical to you

  • Any organization should be aware of what types of information it processes and stores.

  • Control who has access to different types of information.

  • Keep updates and backups of the organization’s data and systems in order.

Some cynics argue that the question is not whether, but when, we will become the target of a cyber attack. Even non-profit organizations are of value to a hacker, whether financial or informational. Even though there are no uniform rules for addressing cybersecurity, we can use recommendations that are based on the legislation. The first step usually lies with the management, which sets the direction. And every employee can contribute through a responsible approach grounded in regularly expanding their digital skills.

Background illustration by khunkornStudio

This piece was published in partnership with VIA Association