Not-for-profit organisations rely on data for almost every decision they make, from engaging stakeholders to designing strategies and conducting program evaluations. Data is a valuable asset, and protecting it from internal or external corruption and illegal access can shield nonprofits from financial and operational loss.
Cybercriminals look to exploit vulnerabilities in order to gain illegal access and extract, encrypt, or corrupt data. As organisations' data footprints expand, cyber threats are becoming more sophisticated. Ransomware, destructive malware, phishing attacks, insider threats, and even honest user mistakes present ongoing and very real threats to organisations' data.
It is vital to proactively protect your not-for-profit. The complexity and diversity of cyberattacks are rapidly increasing, with different types of attacks for different purposes. Although the best prevention measures might be different for each type of breach, a comprehensive security practice is the best approach for mitigating the majority of such attacks.
This three-step approach can help you identify the threats, defend and protect your organisation's data and operations against such attacks, and implement procedures that will help you recover in case of a breach.
1. Identify Assets and Vulnerabilities
The first step in building a comprehensive cybersecurity strategy is to identify your assets and the potential threats to those assets. Learn where assets and information are stored, who has access to them, and how critical it is to protect them. Once an organisation is aware of its vulnerabilities, it can make informed decisions on handling those vulnerabilities and implementing safeguards to ensure data safety and integrity.
Cybersecurity is not just a technical challenge, but increasingly a social and behavioural one. Humans are often both the weakest link and the first line of defence in your cybersecurity strategy. Our brains are hardwired to take cognitive shortcuts to process information as fast as possible. These cognitive biases influence our decision-making processes and can be exploited by cybercriminals to manipulate our behaviours and convince us to voluntarily take an action that enables an attack.
Most breaches begin with an email containing a malicious link or attachment. The email is likely to be disguised in some way in order to appear benign. For example, it may look like an email sharing a Google document or a message from someone in your organisation. The legitimacy of the email should be determined by checking the sender's email address, the context and urgency of the message, and the spelling and grammar for inconsistencies.
Implementing a cybersecurity user awareness and training program, including guidance on identifying suspicious activity and the signs of malicious attacks, is an important step in adopting comprehensive security safeguards. Organisations can achieve behavioural changes through regular data-driven security awareness training and personalised and customised coaching.
2. Protect and Defend
The best way to combat cyberattacks is to prevent them from happening in the first place. Limit access to sensitive assets, implement strong password policies, and use multi-factor authentication to prevent illicit access to your data. Avoid shared logins and be vigilant in deleting accounts that are no longer in use.
Use firewalls and VPNs, and install and regularly update antivirus and anti-malware software on your devices. Firewalls prevent unauthorised access to your business network, while VPNs create encrypted pathways for your data, allowing you to use public networks safely. Antivirus software plays a major role in protecting your system by detecting threats in real time to ensure that your data is safe. Security products like Norton, Avast, or Bitdefender offer a suite of these protective measures in one solution, helping you to maximise your security and defend your data and infrastructure against cyber threats.
3. Recover
No organisation is immune to cybersecurity breaches. Even if you have top-notch security in place, attacks can take place. The most important step you can take to mitigate this is keeping secure and up-to-date backups. The purpose of a backup is to create a copy of data that can be recovered if your primary data is lost or damaged. A backup is typically stored in a secure, separate location from your original data, ideally following the "3-2-1 rule." This is an industry standard advising that you should have three copies of the same data, on two different mediums, with at least one stored offsite. Many organisations assume that cloud service providers protect their data, but this is not always the case. Make sure that you know what data protection services your cloud provider offers and take responsibility for your own cybersecurity measures.
How often you back up your data depends on the needs of your organisation, as well as any regulatory requirements. Two main factors need to be considered: the acceptable amount of time that a system can be unavailable before it starts to impact your operation, and the maximum amount of transactional data that can be lost due to a system failure. You should also test your backups to ensure that they are safely stored and can be accessed if you need them. Products like Veritas help nonprofits with regular backups and recovery to protect the organisation against a data-loss catastrophe.
Your organisation should have a cybersecurity breach response plan that is updated regularly with lessons learned. Ensure that your team is familiar with the plan, which will allow swift and effective action in the event of a cybersecurity incident.
Taking a Safety-First Approach
The security of your organisation is one of the most important things you can invest in. Use this three-step approach to identify risks, protect your organisation, and create recovery routes in the event of a security breach. Through Connecting Up, you can get access to discounted and donated security software, making data protection more accessible and affordable.
Additional Resources
- Donated and discounted cyber security software
- Digital Transformation Hub: Cyber security training
- Digital Transformation Hub: Cyber security guides
- Watch a webinar: Do you know how to keep your organisation secure?