Culture Clash: When Protecting Nonprofits From Cyberattack Doesn’t Feel Like “The Mission”
By: Jess Dinsmore, SOC Director, CISO Global, Inc.
Sitting in the back of the auditorium during a budget approval meeting for a church was, at best, an interesting situation.
Pages and pages of line items describing where the money was going to be allocated over the coming year were enthusiastically described by each of the ministry departments.
As we approached the line items for “Computers and Technology,” I raised my hand for a quick question. “Excuse me. May I ask how you came to this figure?”
I thought it a relevant question as I was the person entrusted with taking care of all the equipment for the church. Sheepishly, the answer was along the lines of, “I just came up with that.”
I never received the final verdict on how that number was really calculated. (The number was significantly lower than the cost of a single MacBook.) But it was at that meeting that I realized a couple of very hard truths.
- The money entrusted to that congregation was intended to change lives. Although technology can assist, bits and bytes just weren’t the mission at hand. Nor should they have been.
- Every penny that can be allocated to technology needed to be spent with wisdom.
Fast forward a few years (more than I’d care to admit), and the same still holds true. The use of technology in organizations thought of as nonprofit has grown, but the driving principles of being focused on the mission at hand — as well as honoring a budget — are still there. New challenges, however, have emerged. Especially around the area of security. With so much to focus on, how does one prioritize and get the most for each precious dollar?
Oddly enough, I think the best options come from someone who lived around the 4th century B.C.: a gentleman named Nehemiah. This gentleman had a decent job (cup bearer to King Artaxerxes of the Persian Empire!). Nehemiah heard reports of the city of Jerusalem being in disrepair and essentially a laughingstock for the region. Out of a great compassion for his ancestry and the people there, he made his plea to return and begin rebuilding the city walls. It was a monumental task, which was completed in 52 days.
That brings us to a great blueprint for establishing security for churches and nonprofits today. (And don’t worry, it won’t have 52 points.)
- Establish firm outer defenses.
- Enlist and empower the masses.
- Engage in “a great work.”
Upon arrival at the city, Nehemiah went out secretly to determine just how bad the situation was with the city walls. City walls were a primary form of defense then, much like our perimeter defenses in the security world. Nehemiah found walls and gates that had been burned down.
Our first order of business then becomes a solid assessment of your attack surface. Just like those broken walls, you need to understand where your potential holes are so that you can begin the process of prioritizing and fixing them. A solid vulnerability management program with regular scans will help you with this.
Next up, how are those “city gates?” In our world, this is represented by your firewalls. Left open and unsecured, you may be inadvertently inviting marauders in to do as they please. Here are some things to consider:
- Are your firewalls updated to their latest security and operating system revisions?
- How often do you review firewall policies to ensure that you don’t have any ANY/ANY situations active?
- Have the advanced services been tuned correctly for your environment to produce the maximum security tolerable by your processes?
- Can you geofence your firewalls to limit traffic from potentially malicious countries?
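The ANY/ANY review above is easy to turn into a repeatable check. The script below is an added example, not code from the article or from CISO Global; it reads a constructed CSV export of firewall rules (the column names are an assumption, adjust them to what your firewall actually exports) and reports enabled allow rules whose source, destination and service are all wildcards.

```python
"""Audit a firewall policy export for ANY/ANY allow rules.
Added example: the CSV layout, column names and rule names below are
constructed for illustration, not taken from any real firewall."""
import csv
import io

# Constructed sample export, one rule per row.
SAMPLE_POLICY_CSV = """\
name,action,src,dst,service,enabled
allow-web-out,allow,LAN,any,tcp/443,true
temp-vendor-access,allow,any,any,any,true
block-all-in,deny,any,any,any,true
old-remote-support,allow,any,Servers,any,false
dns-everywhere,allow,any,any,udp/53,true
legacy-printer,allow,any,any,any,true
"""

# Values different vendors use to mean "everything".
WILDCARDS = {"any", "all", "*", "0.0.0.0/0", "::/0"}


def is_wildcard(value: str) -> bool:
    """True when the field matches every address or every service."""
    return value.strip().lower() in WILDCARDS


def find_any_any_rules(policy_csv: str) -> list[dict]:
    """Return enabled allow rules that are wide open.

    Severity 'any/any' means source, destination and service are all
    wildcards; 'broad' means source and destination are wildcards but the
    service is restricted. Deny rules with 'any' are normal (default deny)
    and disabled rules cannot pass traffic, so neither is reported.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(policy_csv)):
        if row["enabled"].strip().lower() != "true":
            continue
        if row["action"].strip().lower() != "allow":
            continue
        wide = [f for f in ("src", "dst", "service") if is_wildcard(row[f])]
        if "src" in wide and "dst" in wide:
            severity = "any/any" if len(wide) == 3 else "broad"
            findings.append({"rule": row["name"], "severity": severity,
                             "wildcard_fields": wide})
    return findings


if __name__ == "__main__":
    for finding in find_any_any_rules(SAMPLE_POLICY_CSV):
        print(f"{finding['severity']:8} {finding['rule']}  ({', '.join(finding['wildcard_fields'])})")
```

Running it against the sample flags three rules; a rule that only allows outbound HTTPS to any destination is not reported, because one wildcard field is not the ANY/ANY pattern the checklist is asking about.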
Another great perimeter defense to check for holes is in your cloud collaboration systems. A quick review of your secure score — for example, in the Microsoft Office systems — is a great start.
Once Nehemiah defined the work that needed to be done, he mobilized his workforce. People were assigned locations of the city wall to fix that were close to their own home. Progress was being made, but at one point, the workers began to fear attacks from some of their enemies set against the project. Which brings us to the next area of focus: enlisting and empowering the masses.
Any organization’s greatest asset is its people. Helping them to be cyber-aware and defended should be the primary goal. That benefits the organization and the employees, as many best practices will carry over to protecting employees and their families.
In a recent discussion with Terry Acuna and David Radcliffe of Life.Church, they shared how the challenge of implementing security best practices sometimes comes up against the culture of trust they are establishing with their co-workers. For example, we’ve often seen organizations perform targeted phishing campaigns to establish security baselines and to help show improvement from the organizations’ cyber-awareness training programs. However, the creation of the “fake” sites also has a feeling of dishonesty associated with it. In a conflict between culture and security, culture wins out every time.
Another example of this can be found in the implementation of something as industry-blessed as Zero Trust. As you can imagine, the terminology alone created situations for Life.Church where the business process owners didn’t even want to discuss the benefits. Wisely, the effort was rebranded to “Focused Trust,” which pointed to the positive of ensuring access to needed resources instead of focusing on denial.
So where do you begin? Maybe a little 4th century wisdom can help here as well!
Nehemiah wasn’t content in just directing the efforts and making assignments to fix the walls – he participated as well. Every day found Nehemiah busy reconstructing the gates to the city and working hard to keep the effort organized. How your organization views your approach to the tasks at hand should look much more like a partner than the “bits and bytes police.”
- Organize a cyber-awareness campaign around educating staff on the benefits of protecting themselves online.
- Look into password management platforms like Dashlane that can have both a corporate benefit and a separate employee benefit for managing their “keys to the city.”
- Offer positive reinforcement for phish email submissions or the safest department in the organization. (A little Chick-Fil-A goes a long way!)
- Coach any lapse in judgment from the stance of providing a loving, guiding hand to help them feel safe in the future.
Finally, amidst all your efforts, you may find that there will be distractions and naysayers along the way. Nehemiah had those as well. Time and again, they attempted to pull him away from the work. (They even had plans to eliminate him if they could just get him alone!)
I love his statement though:
“I am engaged in a great work, so I can’t come.”
In your position as a technology leader for your organization, you are the perfect blend of technical prowess and a heart for service. We all know it’s not for the lavish salaries (those just don’t exist at nonprofits!). The great work you are engaged in is the protection of the people and the mission of your organization. As the caring coach they need, you are leading them to be able to move forward in the safest manner available to them. You are protecting the organization, but more importantly, providing the walls of safety they need.