Fall 2017 issue of Horizons

cyber defense, and every action taken to implement basic security principles increases an organization’s security. These connections mean that a fundamental level of cyber defense can be achieved without an extensive budget or months of training. The following are recommended best practices to build this fundamental level of cyber defense.

Third-Party Vendor Due Diligence

Most not-for-profit organizations are not processing online donations themselves; rather, they contract with third-party processors. After the recent Home Depot and Target breaches, third parties have become a prime entry point into a target network. Vetting the defenses of third-party vendors will help secure your organization from breaches due to their vulnerabilities.

There are numerous industry standards and compliances that third-party vendors can achieve in order to prove that they take cyber defenses seriously. If a vendor meets the Payment Card Industry Data Security Standard (PCI DSS) or Service Organization Control (SOC 2) standards, this shows that reasonable assurance steps have been taken to secure its network and business practices against cyber threats. As such, before you contract with a third-party processor, as well as periodically throughout your contract, do your due diligence on your provider and review its compliance with these standards to make sure you have a good understanding of, and continued confidence in, its ability to protect your donors’ sensitive information. An annual review of the third party’s SOC 2 report is a best practice.

Also, make sure that you understand the terms of your vendor agreement with regard to which party is responsible for what in terms of cyber security. What sensitive information does your organization have access to versus your third-party processor? What security measures do you need to have in place to be in compliance with the agreement? What is the process should a cyber security issue arise? Even though using a third-party processor may reduce your responsibility, it is your reputation that is on the line with donors. Do everything within your control to avoid any surprises or missed opportunities.

Implement Fundamental Cyber Security Protections

You do not need to be a technical guru to achieve a fundamental level of cyber security protection. The following are best practices in a few critical areas:

Antivirus

Personal workstations and mobile devices should be protected with antivirus software. These programs provide a layer of defense by protecting the devices from known threats. Without antivirus software, these devices act as open gateways into your network. In order for antivirus programs to remain useful for network defense, it is important that they are updated regularly. Antivirus software is only able to defend against known threats, and it receives the signatures for new threats through updates. An out-of-date antivirus program leaves a network unprotected from the newest threats.
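One concrete way to check the "updated regularly" requirement on a Windows workstation is shown below. This is an added example, not part of the Horizons article; it assumes the built-in Windows Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature) is available, and the three-day maximum signature age is an assumed policy value you would set to match your own organization’s rules.

```powershell
# Added example (not from the article): report Windows Defender status and warn
# when signatures are stale. Assumes Windows 10/11 or Windows Server with the
# Defender PowerShell module. The 3-day threshold is an assumed policy value.
$MaxSignatureAgeDays = 3

# Query the local Defender engine for protection and signature details.
$status = Get-MpComputerStatus

# Summarize the fields an administrator would review during a periodic check.
$summary = [PSCustomObject]@{
    Computer             = $env:COMPUTERNAME
    AntivirusEnabled     = $status.AntivirusEnabled
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays     = $status.AntivirusSignatureAge
    LastQuickScanEnded   = $status.QuickScanEndTime
}
$summary | Format-List

# Flag the two conditions the article warns about: no antivirus, or stale signatures.
if (-not $status.AntivirusEnabled) {
    Write-Warning "Antivirus is disabled on $env:COMPUTERNAME; this device is an open gateway."
}
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    Write-Warning ("Signatures are {0} days old (limit {1}); run Update-MpSignature." -f `
        $status.AntivirusSignatureAge, $MaxSignatureAgeDays)
}
```

Run it in an elevated PowerShell session on each workstation, or push it through your management tooling so the warnings are collected centrally rather than left for each user to notice.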
