As a former systems administrator for a non-profit organization, I have seen first-hand some of the challenges in creating and maintaining networks that give staff fast and efficient access to resources. Rising IT costs each year, combined with the flat budgets non-profits often experience, can make this a challenge for any IT professional, so it is very tempting to put security at the bottom of the to-do list. Unfortunately, the risk of a breach of an organization's network exists regardless of its size.
One of the simplest and most effective ways to reduce the risk of a breach is multifactor authentication (MFA). MFA is an authentication control rather than a password rule: it pairs something the user knows (a password) with something the user has (a phone, hardware token or authenticator app) or something the user is (a fingerprint). Once the logon process confirms the password, it asks for the second factor, for example by sending a push notification the user must approve on their phone or by prompting for a one-time code from a token. This makes it very difficult for an outside attacker to reach data even with a stolen or guessed password, and the control has other benefits as well. Because the second factor is tied to the individual user, MFA also reduces the risk of internal misuse and of shared credentials, which is especially valuable to organizations with strict privacy requirements that must limit access to client data to those with a need to know. As a final bonus, an unexpected MFA prompt is a strong signal that someone else holds that user's password: pairing the control with a company policy that requires staff to deny and report prompts they did not initiate, along with any other unauthorized logon attempts, lets IT respond quickly instead of discovering the compromise later.
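To make the "something the user has" factor concrete, here is an added example (not code from the original page) of how a server verifies the time-based one-time codes that authenticator apps and hardware tokens produce (TOTP per RFC 6238, built on HOTP per RFC 4226). The 30-second step, the one-step tolerance for clock skew, the replay check and the secret-generation helper are design choices made for this illustration; the fixed key at the bottom is the published RFC test secret, not a real credential.

```python
"""Server-side verification of TOTP codes (RFC 6238 over HOTP, RFC 4226).

Added example, not code from the original page. The step size, digit
count, allowed clock skew and replay handling below are design choices
for this illustration.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(key, int(at) // step, digits)


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded the way authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_secret(secret: str) -> bytes:
    """Turn the base32 enrolment string back into the raw HMAC key."""
    return base64.b32decode(secret)


class TotpVerifier:
    """Checks submitted codes for one enrolled user.

    Accepts the current step plus `window` steps either side to tolerate
    clock skew, and never accepts a step at or before the last one used,
    so a code captured in transit cannot be replayed within its window.
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_step: Optional[int] = None

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        at = time.time() if at is None else at
        current = int(at) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if self.last_step is not None and candidate <= self.last_step:
                continue  # already consumed: reject replay
            expected = hotp(self.key, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate
                return True
        return False


# RFC 6238 test secret (ASCII "12345678901234567890"), used only so the
# values below can be checked against the RFC; a real enrolment would
# store decode_secret(generate_secret()) per user instead.
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier(RFC_KEY)
    print(totp(RFC_KEY, at=59))        # 287082 per RFC 6238
    print(v.verify("287082", at=59))   # True
    print(v.verify("287082", at=59))   # False: same step already consumed
```

The replay check matters more than it looks: without it, a code phished or sniffed during the 30-second step is still good for a second logon within that step, and the skew window widens that to roughly 90 seconds.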
An additional consideration is service accounts: accounts used by a device or an automated task rather than by a person. Sometimes such an account simply must exist in an organization without multifactor authentication; a common example is a copier that scans documents to a shared network folder and cannot answer an MFA prompt. For these accounts, compensating best practices must be employed. The first and most obvious is to keep each service account limited in scope to a single task, with rights only to the one share or system that task needs. That way, should the account be compromised, the attacker's access is confined to a tiny subset of the organization. The next is to deny the account access from outside the organization: restrict it to the internal network (or to the specific hosts it serves) and deny interactive and remote logons, so the credential is of little use to an attacker who obtains it from outside. Other best practices include long, randomly generated passwords, changing them on a regular interval and whenever someone who knew them leaves, and periodically reviewing the account's logons so that use from an unexpected source or for an unexpected purpose is noticed.
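The scope, source and logon-type restrictions above can be checked mechanically against logon records. The following added example (not from the original page) evaluates constructed logon events against a per-service-account policy and reports every violation; the account names, internal address ranges, share names and the key=value record format are assumptions made for this illustration.

```python
"""Evaluate service-account logons against a least-privilege policy.

Added example, not from the original page. Account names, networks,
share names and the event format are constructed for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Address space treated as "inside the organization" (assumed).
INTERNAL_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
)


@dataclass(frozen=True)
class ServiceAccountPolicy:
    """What one service account is allowed to do, and nothing more."""
    allowed_logon_types: frozenset   # e.g. {"network"}; never "interactive"
    allowed_targets: frozenset       # the one host or share the task needs
    internal_only: bool = True       # deny logons from outside networks


# Hypothetical policies: the copier may only make network logons to one share.
POLICIES = {
    "svc-copier": ServiceAccountPolicy(
        allowed_logon_types=frozenset({"network"}),
        allowed_targets=frozenset({"fs01\\scans"}),
    ),
    "svc-backup": ServiceAccountPolicy(
        allowed_logon_types=frozenset({"service"}),
        allowed_targets=frozenset({"fs01"}),
    ),
}


def parse_event(line: str) -> dict:
    """Parse one 'key=value key=value' logon record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def violations(event: dict) -> List[str]:
    """Return the policy rules this event breaks (empty list if none)."""
    policy = POLICIES.get(event.get("account"))
    if policy is None:
        return []  # not a service account governed by this policy
    found = []
    if policy.internal_only and not is_internal(event["src"]):
        found.append("external source")
    if event.get("logon_type") not in policy.allowed_logon_types:
        found.append("logon type " + event.get("logon_type", "?"))
    if event.get("target") not in policy.allowed_targets:
        found.append("target " + event.get("target", "?"))
    return found


def audit(lines: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (account, source address, violations) for every offending event."""
    report = []
    for line in lines:
        event = parse_event(line)
        found = violations(event)
        if found:
            report.append((event["account"], event["src"], found))
    return report


# Constructed sample records: one normal copier logon, one from the
# internet, one interactive logon to a share the copier has no business
# with, one normal backup logon, and one ordinary user (not governed here).
SAMPLE_EVENTS = [
    "account=svc-copier src=10.0.5.20 logon_type=network target=fs01\\scans",
    "account=svc-copier src=203.0.113.7 logon_type=network target=fs01\\scans",
    "account=svc-copier src=10.0.5.20 logon_type=interactive target=fs01\\finance",
    "account=svc-backup src=192.168.1.9 logon_type=service target=fs01",
    "account=jdoe src=198.51.100.4 logon_type=remote_interactive target=vpn",
]

if __name__ == "__main__":
    for account, src, found in audit(SAMPLE_EVENTS):
        print(f"{account} from {src}: {', '.join(found)}")
```

Run over real logon exports, the second and third records are exactly the events the practices above are meant to make impossible: a known service credential used from outside, and a "copier" account logging on interactively to a share it was never scoped for.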
Non-profit organizations will continue to face many security challenges in the years ahead. Implementing a control such as multifactor authentication goes a long way toward bridging the gap between the growing threats an organization faces and the limited budget allocated to addressing them.