I spoke to a software vendor not too long ago about a cybersecurity incident he recently dealt with.
And he was frustrated!
His team just spent an enormous amount of time trying to find a “cybersecurity breach” that was reported by his client, only to eventually discover that it was not a system vulnerability at all. Instead, it was the client’s administrator who allowed information to be shared outside of the system.
This was a common occurrence for them, apparently, hence his frustration.
The reality is that up to 90% of all cybersecurity breaches occur through what I call the “front door.” Unlike a back-door attack, which exploits a flaw in the software itself and requires high-level technical skill, a front-door breach happens when a legitimate user lets the attacker in or hands over sensitive information, usually by accident or neglect.
So, when I speak to software vendors, here are some things they would love for your organisations to understand about cybersecurity and how you can prevent a large number of these hacks from occurring.
5 things you do to create cybersecurity risks in your software applications:
1) Poorly managed user permissions create risks
When I speak at conferences about this topic, audiences regularly tell me how poorly they manage user permissions. In smaller organisations, it’s not uncommon to find that every staff member is an administrator in the systems.
And when I ask about role-based permissions, they often admit that they don’t enforce this even for systems as important as the CRM.
Why? Because it can be time-consuming to administer permissions, and because they “trust” their team to do the right thing.
This may work fine… until an employee leaves disgruntled and decides to delete information on their way out.
Or someone’s account is compromised because they reuse the same password everywhere, and that password was exposed in a breach of a different service. Attackers routinely try leaked credentials against other systems, and if the account they land in is an administrator, they own everything.
Best practice is to limit administration rights to 2 or 3 people, to give everyone else only the access they need to perform their jobs (least privilege), and to remove access on the day someone leaves or changes roles.
2) Lack of multi-factor authentication creates risks
And speaking of stolen passwords. If people reuse passwords (likely), and your system login is easy to predict (usually just your email address), the only thing that can stop a hacker who already has the password from gaining access to your accounts is multi-factor authentication (MFA).
And yet, when I ask organisations if this is turned on by default for all their systems, the answer is often, “No!”
Why?
Convenience. It’s a pain to have to authenticate into a system you use all the time.
And yet, the extra 30 seconds someone may have to spend on this task is also the very action that can mitigate most password breaches.
Best practice is to turn on multi-factor authentication by default for all users, or to enable Single Sign On via your Microsoft or Google account so that those accounts’ MFA applies to the application. Note that SSO only helps if MFA is actually enforced on the Microsoft or Google side; SSO with an unprotected identity provider just moves the front door. Ask your IT help desk or managed service provider if you are unsure about this option.
If your software vendor doesn’t offer MFA, get a new vendor!
3) Sharing data with third parties creates risks
One of the most overlooked risks to your data is how you share it with third parties. I regularly see organisations send emails with their entire CRM stakeholder list to others, such as conference planners, fundraising direct mail companies and other service providers.
What you may not realise is how often mailboxes are compromised, and that an emailed spreadsheet then sits in both the sender’s and the recipient’s mailbox indefinitely, available to whoever gets into either account. In fact, at a cybersecurity conference recently, I watched a penetration test specialist hack into Microsoft accounts five different ways due to easily overlooked administration misconfigurations.
Best practice is to only share data with third parties through secure methods. This can be done via a secure portal or website form. Or at the very least, consider a password-controlled link via SharePoint that is restricted to named recipients and expires after a set time, so the data is not sitting in anyone’s inbox.
If you are unsure about your options, talk to your IT help desk or managed service provider.
4) Lack of regular user audits creates risks
Do you know what your users are doing within the system? Do you ever look at audit logs? When I ask this question at conferences, only 1 hand out of 100 will typically go up.
I recently had a client discover that one of their volunteer board directors had downloaded the entire CRM list into their personal contacts and then proceeded to contact some of these individuals for their own business purposes. They only found out when they started receiving complaints.
This goes back to #1 regarding poorly managed permissions to begin with. After all, why should a board director (and most other roles) ever have the right to download the entire CRM?
But had they been doing regular audits on their user activities, they may have found this out sooner.
I typically recommend a proactive audit to be done every quarter at a minimum: review who holds administrator rights, who has not logged in for months, who has exported large volumes of records, and whether any roles were changed and why.
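To make the quarterly audit described here, and the permission review from point #1 above, concrete, here is an added example of the kind of script an IT help desk could run over a CRM user export and audit log. It is not code from the article or from any CRM vendor: the user list, the JSON-lines audit format and the events in it are constructed sample data with a hypothetical schema, and the thresholds (3 administrators, 90 days without a login, 1,000 rows as a “bulk” export) are assumptions to adjust for your own system.

```python
"""Quarterly access review over a constructed CRM user export and audit log.

Added example with a hypothetical log schema and constructed sample data;
not the article's or any vendor's code. Real CRMs export users and audit
events in their own formats, so adapt the field names below.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed user export (hypothetical fields: user, role, mfa, last_login).
USERS = [
    {"user": "alice", "role": "admin",       "mfa": True,  "last_login": "2024-06-02T09:10:00Z"},
    {"user": "bob",   "role": "admin",       "mfa": False, "last_login": "2024-06-01T14:00:00Z"},
    {"user": "carol", "role": "admin",       "mfa": True,  "last_login": "2024-02-11T08:00:00Z"},
    {"user": "dave",  "role": "admin",       "mfa": True,  "last_login": "2024-06-03T10:30:00Z"},
    {"user": "erin",  "role": "board",       "mfa": False, "last_login": "2024-05-30T19:45:00Z"},
    {"user": "frank", "role": "fundraising", "mfa": True,  "last_login": "2024-05-29T11:00:00Z"},
]

# Constructed audit events, one JSON object per line (hypothetical schema).
AUDIT_LOG = """
{"ts":"2024-05-30T19:50:12Z","user":"erin","action":"export","object":"contacts","rows":18240}
{"ts":"2024-05-29T11:05:00Z","user":"frank","action":"export","object":"contacts","rows":312}
{"ts":"2024-06-01T14:02:30Z","user":"bob","action":"update","object":"contact","rows":1}
{"ts":"2024-06-02T09:12:44Z","user":"alice","action":"role_change","object":"user:dave","rows":1}
{"ts":"2024-06-03T10:31:00Z","user":"dave","action":"export","object":"contacts","rows":18240}
"""

MAX_ADMINS = 3          # the article's "2 or 3" administrators
STALE_DAYS = 90         # one quarter without a login (assumed threshold)
BULK_ROWS = 1000        # assumed threshold for "downloaded the whole list"
EXPORT_ROLES = {"admin"}  # roles permitted to bulk-export (assumption)
REVIEW_DATE = datetime(2024, 6, 10, tzinfo=timezone.utc)  # constructed review date


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_audit_log(text):
    """Parse JSON-lines audit events, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = parse_ts(ev["ts"])
        events.append(ev)
    return events


def review(users, events, now):
    """Return a dict of findings keyed by finding type."""
    findings = defaultdict(list)
    roles = {u["user"]: u["role"] for u in users}

    # Point #1: too many administrators.
    admins = [u["user"] for u in users if u["role"] == "admin"]
    if len(admins) > MAX_ADMINS:
        findings["too_many_admins"] = admins

    # Point #2: accounts without MFA; plus dormant accounts that should be removed.
    for u in users:
        if not u["mfa"]:
            findings["mfa_disabled"].append(u["user"])
        if now - parse_ts(u["last_login"]) > timedelta(days=STALE_DAYS):
            findings["stale_account"].append(u["user"])

    # Point #4: bulk exports (worse when done by a role that should not export
    # at all) and any change to who holds which role.
    for ev in events:
        if ev["action"] == "export" and ev["rows"] >= BULK_ROWS:
            key = "bulk_export" if roles.get(ev["user"]) in EXPORT_ROLES else "bulk_export_by_non_admin"
            findings[key].append((ev["user"], ev["rows"]))
        elif ev["action"] == "role_change":
            findings["role_change"].append((ev["user"], ev["object"]))
    return dict(findings)


def run_review():
    """Run the review over the constructed sample data as of REVIEW_DATE."""
    return review(USERS, parse_audit_log(AUDIT_LOG), REVIEW_DATE)


if __name__ == "__main__":
    for kind, items in run_review().items():
        print(f"{kind}: {items}")
```

On the sample data this flags four administrators (one too many), two accounts without MFA, one administrator who has not logged in all quarter, the board member’s 18,240-row export, and the role change that granted “dave” his access. The point is not the script itself but that each question in the quarterly audit maps to a concrete check over data the CRM already produces.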
5) Lack of staff, volunteer and 3rd party training creates risks
It’s good that most organisations have implemented cybersecurity training for their staff. However, if it’s just an email phishing test, be aware that this is only one of about a dozen ways that hackers are gaining access to systems via the front door.
What about phone calls from someone pretending to be your IT support desk? This is what happened in the Qantas data breach.
Or what about that urgent text message from your CEO who’s out of the office? That’s happened to one of my clients.
And staff members are not enough. What about your volunteers who have access to sensitive information, too?
Also, what about your third parties who have access to your data? Do they train their staff in ALL the cybersecurity risks?
Almost all organisations tell me that this is a major gap in their cybersecurity risk management defence.
Best practice would be to ensure your staff and volunteers are trained regularly on the full suite of hackers’ tricks (which is changing all the time).
Furthermore, your contract with third parties should explicitly say what they will do to protect your data, how they train their own staff, and how quickly they will notify you if they suffer a breach.
Final Thoughts
Software vendors work hard to keep your data safe. After all, they could lose their entire business if they don’t.
However, you have just as important a responsibility to keep the “front door” closed by:
- Actively managing role-based permissions
- Turning on multifactor authentication by default
- Using only secure channels to share data with third parties
- Proactively auditing user logs
- Ensuring your staff, volunteers and third parties are trained on the latest cybersecurity hacks
I have a Cyber Assurance Program that helps boards and executives have more confidence in their cybersecurity risk posture. Let me know if you need some help with this.
P.S. If you found this article helpful, you might want to read these too:
- Could your NFP survive a 3rd party cybersecurity breach like Qantas?
- If I were a non-technical manager in charge of cybersecurity
- How volunteers increase your Association’s cybersecurity risks
- Is your Not for Profit compliant with the Privacy Act changes?
Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments.