Last spring, major cyberattacks seemed to take place weekly. Everything from gas production to meat packing was vulnerable. As executive director of the Middendorf Foundation, each incident raised my blood pressure. I knew I needed to protect my organization, but I didn’t feel like I had the right tools to do so.
As a small staffed foundation, I find it difficult to access relevant, right-sized information: most tools and resources are geared at larger organizations. Thus, I thought it would be best to learn from my peers.
In September, I met with a working group of Exponent Philanthropy members to discuss how our foundations experienced and prepared for potential cyber incidents. From those conversations, I compiled this checklist of nine easy cyber security actions lean funders should take:
1. Set up multi-factor authentication for software sign-in
Accessing your accounts with a username and password is not enough: usernames can be easy to guess and passwords hard to remember. This leads to many people using the same password for various sites.
Employing multi-factor authentication adds another layer of safety for online services such as financial tools, payroll and investment services. Systems can use this additional action to prove that the person signing into the account is an authorized user. For example, many of the services I use text a security code to my cell phone that I need to enter before I can access sensitive information.
2. Set multi-factor authentication for password changes
You should also have multi-factor authentication, the gold standard being a phone call to a landline, to change passwords or access an account from a new device. One peer uses a password tracker so their passwords can be as complicated as possible. Another proposed using different passwords for each account.
3. Encrypt documents
Whenever I email a document with account information, I encrypt the data and call the receiver with the encryption code. Protecting a document with a password is easy to do in Word. Similarly, I upgraded my Adobe account to encrypt PDFs. This also lets me edit and e-sign them.
4. Remove names and email addresses from your website
Sophisticated phishing attacks involve tricking users into thinking a message came from someone they know and trust. Senders can mimic email addresses so that it looks legitimate.
For example, one peer received a phishing email from a “staff member” asking for information on payroll. This may have been avoided had she not listed her email address on the website. Generic email addresses, such as email@example.com or firstname.lastname@example.org are much safer than using an email with an actual staff’s name.
5. Avoid exchanging sensitive information
What sensitive information do you really need to ask for, and what’s the risk were it to fall into the wrong hands?
Several peers use platforms like bills.com to manage their vendor, staff and grantee’s banking information. Should your organization experience a cyber-attack, this reduces the risk of that sensitive information being stolen.
6. Avoid unsecure networks
When using your business device in a public space, don’t get on a network that isn’t secured by a password. Turn off your phone’s Wi-Fi when traveling so that it doesn’t accidentally grab onto an unsecured network. This can make the data on your phone vulnerable. One peer said that whenever she takes out her keys to leave her home or office, she turns off her phone’s Wi-Fi.
If you must get online, turn your phone into a Wi-Fi hotspot.
7. Develop cyber policies
If your foundation has staff, make sure everyone’s on the same page about keeping the organization as safe as possible from a cyber-perspective. For example, you might keep staff from using their personal devices for business. This simplifies the repercussions of a possible attack.
8. Invest in cyber insurance
Cyber insurance may be costly, but a broker can find a right-sized solution for your lean foundation. One peer said that her organization pays around $1,600 a year for cyber insurance with a $5,000 deductible. Having that added support from an insurance company was helpful when they needed to use it.
Another peer suggested looking for cyber insurance that is based on your organization’s risk level rather than asset size.
9. Join a cyber-security working group
It’s great to be part of a working group centered on this fast-changing environment. We’re on a shared journey, and hearing about peer experiences, ideas and resources is invaluable.
If you are interested in joining our cyber-security working group, please email email@example.com.
Havaca Ganguly is executive director of the Middendorf Foundation. She leads the foundation’s grantmaking efforts supporting the arts, education, historic preservation, health, environment and social services, largely in the Baltimore area. Havaca has 20+ years of experience working in education policy and international humanitarian aid for both non-profits and philanthropic foundations. She has an undergraduate degree in Latin American Studies from the University of Missouri and a Master’s Degree in Public Administration from the University of Kansas. She is a member of Maryland Philanthropy Network, Exponent Philanthropy and is on the advisory board for the Baltimore-based BUILDING Steps mentoring program.