Nonprofit Remote Work Best Practices to Avoid Cyber Risks

Protecting your employees while working from home

As Coronavirus took hold in the United States, the COVID-19 pandemic had an immediate impact on the operations of virtually every organization, including nonprofits. Almost overnight, the nonprofit sector scrambled to move their workforce from familiar offices to new remote spaces. While this may have provided a safer environment from the COVID-19 pandemic, it also may have heightened cyber risk by providing cyber hackers more fertile ground to commit cyber crimes.With little to no preparation, many employees may have resorted to using unsecured public Wi-Fi, personal devices, and web conferencing platforms without the proper data security controls.

There are several best practices that nonprofits should consider following as guidance for their remote workforce:

Computer protection for cyberattacks

Create remote work guidelines for employees, and provide virtual training to ensure a competent understanding of network security and IT compliance when working remotely.
Allow network access only:

Through virtual private networks (VPNs) that are promptly patched as soon as updates become available.
To devices with full disk encryption and proper firewalls.

Require strong passwords and multifactor authentication.
Pay special attention to system monitoring and detection services, enhancing or upgrading them as needed to keep up with the increased remote network traffic.
Be on heightened alert for remote cyber criminals who use mask their efforts to exfiltrate data with similar email structure and addresses to those of clients and business resources like commercial banking institutions, industry associations, etc.

Instructions for nonprofit remote employees

Learn about social engineering risks, methods, defenses, and the heightened risk that may unfortunately arise from coronavirus-related scams.
Keep their laptops within their physical control, and avoid working in public places except when absolutely necessary.
Never to provide login credentials in response to an email request.
Do not to use less secure devices (like the family computer) to obtain or store work information.
Do not to use personal email accounts to transmit work information.
Do not to transmit or store work information on their personal cloud storage accounts unless their organization specifically allows that practice.
Restrict access to sensitive corporate materials only to those that have a business need for them.
Even when working from home, log off when not using the network.

Best practices for video teleconferencing

Tighten both the scope of authorization for wire transfers and the verbal or video verification of each request to confirmation transfer information.
Follow recent guidance issued by the FBI while using web conferencing platforms:*
- Do not make meetings public. Utilize two options to make a meeting private:
  1. Require a meeting password.
  2. Use the waiting room feature and control the admittance of guests.
- Do not share a link to a teleconference on an unrestricted publicly available social media post. Provide the link directly to specific people.
- Manage screen sharing options. Change screen sharing to “Host Only.”
- Ensure participants are using the updated version of remote access/meeting applications.
- Ensure that your organizations’ telework policy or guide addresses requirements for physical and information security.
Review and update your incident response, business continuity, and disaster recovery plans so that they adequately address your new circumstances

Despite following all of these guidelines, there is still no guarantee that nonprofits, or any organization, can prevent cyberattacks 100% of the time. Cyber insurance is one of the best ways to help transfer this risk.

Potential cyber insurance coverages, depending on a particular policy’s negotiated terms, could include:

Costs incurred in connection with the wrongful disclosure or otherwise failure to protect confidential personally identifiable information (PII) or protected health information (PHI).
Costs incurred in defending and resolving lawsuits alleging the wrongful disclosure of confidential personal information.
Costs incurred in responding to a regulatory investigation or proceeding triggered by an alleged failure in the collection, use, or disclosure of confidential information.
If allowed by applicable law, regulatory fines and penalties resulting from such investigations and proceedings.
Costs incurred in defending and resolving lawsuits alleging the failure to provide network access or technology products/services.
Business income loss and extra expenses caused by a non-malicious “system failure” – an interruption or significant degradation of the network caused by a coding error, upgrade or patch, or network failure caused by its inability to handle the increased volume of remote work.
If cyber thieves are able to gain wrongful access to the network:
- Legal and forensic costs incurred in determining if PII, PHI, or third-party corporate information has been compromised.
- Social Engineering coverage for losses from fraudulent wire transfers or invoice manipulation, although losses should be addressed by Crime policies
- Ransomware-related coverages, which can include the cost of ransom payments, data and system recovery, legal, and forensic work.
- Business income loss and extra expenses caused by ransomware or other attacks on the network, or by a voluntary shutdown of the network to limit the scope of an attack in process.
- Depending on the terms of the policy, there could be Business Income and Extra Expense coverage if the network interruption is impacted by one of the company’s outsourced IT suppliers or other outsource providers (i.e. supply chain providers).

Your Gallagher representatives are ready to help your nonprofit organization during these challenging times, and as your risk evolves. Please visit our Pandemic Preparedness page for the latest information.

Author Information:

John Farley

Managing Director — Cyber Liability Practice

New York, NY

Phone Number (212) 763-3424

Source

*FBI, “FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic,” March 30, 2020.