On February 19, Sean Brooks, CLTC Research Fellow and Director of the Citizen Clinic, presented a webinar entitled “Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making Practical Improvements.” A total of 140 people participated in the session, which was presented in collaboration with TechSoup. In the webinar, Brooks introduced basic tenets of cybersecurity, explained what qualifies an organization as ‘low-risk’, and introduced a risk-informed decision-making process to identify where organizations need to invest in digital security. The webinar followed the structure of an online guide, “Cybersecurity in Low-Risk Organizations” (LRO), that aims to help individuals in leadership positions, as well as staff with little or no cybersecurity background, understand some of the fundamentals of their security context and guide them toward improving their cybersecurity.
Brooks began the webinar by introducing a set of basic cybersecurity concepts and explaining the fundamentals of cybersecurity risk management. “A lot of what we hear about in the world of cybersecurity and in the news today have to do with big, scary threats, state-sponsored cyber attacks, or cyber terrorism,” he said. “That can facilitate a nihilistic perspective as a small or lower-risk organization if you don’t think you’re going to be targeted by a large cyber attack. At the Citizen Clinic, we’ve developed a… guide to help [organizations] understand the practical threat landscape you’re likely to run into on the internet, and [provide] reasonable advice about how to manage those risks and understand how they affect lower-risk organizations.”
This initiative is related to a recent report published by CLTC that exposed the challenge facing civil society organizations, which frequently face cybersecurity threats but have limited resources to protect themselves online. Technically, any individual or organization that uses the internet is vulnerable to risk. However, a ‘low-risk organization’ is one that is considered unlikely to have a malicious actor who wants to attack them, jeopardize their systems, or steal their data.
“While non-profits continue to invest in technical abilities to execute their missions online, we’re not seeing the same level of investment in information security,” said Brooks. “Because of that low investment, common cybersecurity threats can have an outsized impact on low-resource organizations.”
Brooks described several of the most common cybersecurity challenges that non-profits and civil society organizations face, including account compromise, phishing, data promiscuity, and malware. Brooks advised participants in the webinar that most cyber attackers are also resource-constrained and on a budget. “People who have the most basic cybersecurity protections are not worth it to these attackers, who are playing a numbers game,” Brooks explained. “The goal of this guide is to get you ahead of the pack and make you a little harder for them to attack.”
The next section of the webinar provided an overview of effective technical controls, measures that low-risk organizations can take to improve their resilience to cybersecurity threats. A detailed rundown of each control (and what security threats they mitigate) can be found in section 2 of the LRO guide. Although none of these measures is 100% effective, implementing any one (or combination) of these controls can make a cyber attack less probable and/or reduce the strain on a low-risk organization’s resources. Some of the controls that Brooks outlined include:
- Strong Authentication
- One of the most important cybersecurity advances for the general public that has happened in the last decade
- Includes account monitoring, password managers, and multi-factor authentication
- Mitigates phishing and account takeovers almost entirely
- Requires some technical expertise to set up, but is considered mandatory in order to preserve the reputation of your organization and avoid ‘insecure’ flags
- Includes a protocol that secures the connection between a user and the website they are on
- Mitigates web-based attacks
- Software Updates
- Operating system updates can be expensive for low-resource organizations, but should be considered an essential overhead cost; the cost of falling victim to a ransomware attack can shut down an entire organization
- Includes software updates and license renewal
- Mitigates malware
- Data Security
- Important to use monitoring and encryption on devices that support it; some risks exist (i.e. losing an encryption key means losing access to data), but it is a crucial step to prevent data loss
- Includes end-to-end encryption, file- and disk-based encryption, and access management
- Mitigates data theft and loss
- The Cloud
- “The Cloud” = someone else’s computer; offloads many difficult security issues to highly qualified service providers
- Includes ongoing cost for cloud-based service subscription; often behavioral shifts
- Mitigates malware, phishing, web-based attacks, data theft, etc.
Brooks went on to review several key policies low-risk organizations should establish in order to facilitate secure day-to-day practices, including fleet management, travel policies, incident response, social media use, and payment card security. He explained that template policies or best practices are designed to help set ground rules for behavior rather than specific technical configurations, and he emphasized that policies can be used, edited, or expanded based on an organization’s unique needs or concerns.
Brooks spent the remainder of the webinar showing viewers how to use the LRO guide to adopt and implement new technical controls and policies. The implementation guide provides additional resources and guidance to help identify critical accounts, devices, and other information to help prioritize where an organization should focus its limited time and attention. “None of this is set in stone,” said Brooks. “All of this is to designed to give you a starting place and provide you with a strong foundation of some basic cybersecurity knowledge.”