How Charities Can Prevent a Ransomware Attack
April 13, 2018 | Read Time: 4 minutes
New Orleans
Ransomware attacks like the one that crippled the City of Atlanta could just as easily — or maybe more easily — strike a nonprofit organization.
The attacks are mass, indiscriminate assaults that take down whatever vulnerable computer systems they reach, Fernando Sosa, chief executive of the technology consultancy HaonTech.com, told participants here at the Nonprofit Technology Conference. He said they don’t target specific people or organizations, so nonprofit leaders need to stop thinking that their groups are too small or too low-profile to fall victim.
When ransomware infects a computer, the malicious software scans the machine, the network drives that it accesses, and anything else to which it’s connected and encrypts the files, making them inaccessible to the owner. At that point, victims will see a screen that tells them they will lose their data if they don’t pay a certain amount of money by a specific deadline. The hackers essentially hold the information hostage.
“They don’t ask for a large amount of money; they don’t ask for millions of dollars,” Sosa said. “They ask for an amount that’s somewhat reasonable, that people can actually pay. So people pay, and that’s how they make money. They do this on a large scale, thousands and thousands and thousands of people.”
But paying the ransom is a bad idea, he said, because the perpetrators are criminals. There’s no guarantee they’ll give you the key to unlock the encrypted information. You can’t trust the data they give back, he warned — and you can’t assume they won’t attack again.
People Problem
Charities should take steps to minimize the likelihood of a successful attack, Sosa advised. Training employees is a great place to start, he said, because the biggest culprit is human error, not technology.
He said technology officials often assume employees are on the lookout for phishing emails and know not to provide information to someone who claims to be calling from Microsoft, but that isn’t always the case.
Training isn’t foolproof. One session participant said his nonprofit holds regular trainings on internet safety and works with a security company that runs monthly tests in which it sends phishing emails to all staff members. He said only 4 percent of employees fall for them, but at his organization that’s eight people. During one drill, an employee clicked on the suspicious link, then forwarded it to a supervisor, who also fell for it.
Phishing emails purporting to be from Microsoft that direct users to a page that looks like the Outlook 365 log-in are popular.
Another conferencegoer said he added to his group’s security by using Microsoft’s Azure platform to change the image that employees see on the organization’s Outlook log-in page, incorporating the group’s logo and emphasizing over and over that they shouldn’t log in unless they see the image. He said when Microsoft recently had a problem that prevented the image from appearing, he got multiple calls from employees reporting its absence.
First Line of Defense
Installing anti-virus software is important, but Sosa stressed it’s not enough. He recommended organizations take steps to minimize spam, which, in turn, reduces the number of phishing messages that reach employees. Updating software regularly is also critical because the updates often include patches to fix vulnerabilities that hackers have uncovered. He noted that last year’s massive data breach at Equifax was caused in part because the company didn’t install a software update.
A firewall is an organization’s first line of defense against the outside world, Sosa said. To protect the data on a group’s devices in the event of theft, Sosa advised organizations to encrypt all phones and computers — even desktops, which can also be stolen.
It’s also critical to make sure passwords include letters, numbers, and symbols and to use a different password for each program or website, he said.
Regular backups are an organization’s “get-out-of-jail-free card” that will allow it to resume operations after a ransomware attack, Sosa said.
He recommends doing backups in segments instead of all at once. After an attack, a nonprofit will want to restore its essential information first to get back up and running quickly. Less critical data can come after that, he said.
Test your backups regularly, Sosa told conference participants. “A fire is not the time to figure out if the fire alarms work.”
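The tiered backup and the restore drill described above, as an added example that is not from the article or from Sosa: the tier list, file names and directory layout are constructed for illustration, and each tier's copy carries a SHA-256 manifest so a drill proves the backup can actually be restored intact rather than assuming it can.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

# Hypothetical tiering: relative paths grouped by restore priority (tier 1 first).
TIERS = {1: ["donors.csv", "accounts.db"], 2: ["newsletters/2018-03.txt"]}


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def backup_tier(src: Path, dest: Path, tier: int) -> dict:
    """Copy one tier's files to dest/tier-N and record a SHA-256 manifest."""
    target = dest / f"tier-{tier}"
    manifest = {}
    for rel in TIERS[tier]:
        (target / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, target / rel)
        manifest[rel] = sha256(src / rel)
    (target / "manifest.json").write_text(json.dumps(manifest))
    return manifest


def restore_drill(dest: Path, tier: int, scratch: Path) -> list:
    """Restore one tier into a scratch dir; return files whose hash no longer matches."""
    target = dest / f"tier-{tier}"
    manifest = json.loads((target / "manifest.json").read_text())
    failures = []
    for rel, expected in manifest.items():
        (scratch / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(target / rel, scratch / rel)
        if sha256(scratch / rel) != expected:
            failures.append(rel)
    return failures


def run_demo() -> tuple:
    """Constructed data: a clean tier-1 drill, then one after a backup copy is damaged."""
    root = Path(tempfile.mkdtemp())
    src, dest = root / "live", root / "backup"
    for rel in TIERS[1] + TIERS[2]:
        (src / rel).parent.mkdir(parents=True, exist_ok=True)
        (src / rel).write_text(f"sample contents of {rel}\n")
    for tier in sorted(TIERS):  # essential data is backed up first
        backup_tier(src, dest, tier)
    clean = restore_drill(dest, 1, root / "drill-clean")
    (dest / "tier-1" / "donors.csv").write_bytes(b"\x00garbage")  # simulate a bad copy
    damaged = restore_drill(dest, 1, root / "drill-damaged")
    shutil.rmtree(root)
    return clean, damaged
```

An empty list from the drill means the tier restores cleanly; any file name it returns is a backup you would have discovered was unusable only during a real incident.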