
I just spent the last three days at the Australian Cybersecurity Conference in Canberra. I’ve taken a lot of notes. Here are some that I think are very relevant for Not for Profit organisations:

 

  • In 2017, 70% of cybersecurity incidents were due to human error. Today, that number is closer to 90% despite organisations investing in training.
    • What needs to change? The application of change management practices to behaviour and corporate cultures.

 

  • Prevention is way cheaper than dealing with a cyber attack afterwards. In many cases, the post-attack recovery costs were $1m+.

 

  • Loud warnings were issued about cybersecurity risks caused by your supply chain, i.e. IT vendors and providers (and even non-technical ones) that aren’t doing their job to keep your data and network safe. Are you properly vetting your supply chain?

 

  • Attackers are doing the easy things to gain access to your systems: looking for known vulnerabilities in hardware and software, and accessing valid credentials (they are for sale!).
    • Turn on your Multifactor Authentication for everything, update your plugins/software and get rid of unsupported hardware.

 

  • Lots of talk about AI and cybersecurity:
    • AI for cybersecurity – software to monitor and manage threats, etc.
    • Cybersecurity for AI – controlling data privacy, data poisoning, etc.
      • GPT apps built from open source models like OpenAI are very difficult to protect from hackers.
        • Don’t share private details with a GPT app (even if you think it’s private).
      • Ransom demands are increasing as attackers can more easily expand their efforts with the help of AI.

 

  • Although many cybersecurity software companies attended the conference, I still believe that most NFPs will mitigate most of their high risks if they or their managed service provider master the Microsoft defence tools they are already paying for.

 

In summary…

Cyber attacks are on the rise. Poor human decisions are still the biggest culprits in allowing these attacks to happen. Prevention is key in both technology and human investments. Remain cautious about sharing private info with AI, but hopefully, your MSP is also using it for defensive measures.

 

I regularly help Not for Profits with high-level cybersecurity audits. Let me know if you need some help.


 

Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments.

 

 

 
