Meet Chris Dufour, Cyber Security Expert
Day-to-day concerns. Upcoming deadlines. Online safety?
Is cyber security on your organization’s back burner? Cyber security is as important for nonprofits as it is for businesses. Nonprofits’ online records may include personal information such as donor data, credit card numbers, and staff employment and health insurance information.
What do we need to know about cyber security and how to avoid risks?
We connected with Chris Dufour to talk about cyber security in nonprofits.
TST: Why should data security be a priority for nonprofits?
Dufour: We never know who may be interested in our data for nefarious purposes. Think about membership email distribution lists that can be found via simple Google Dorking techniques. While you may not think it’s a big deal that that data is not secure behind your nonprofit’s firewall, your members will be pretty PO’d to find themselves future victims of a Chinese spear phishing scheme.
TST: What are some common myths you hear about security? What do you think is important for nonprofits to better understand cyber security?
Dufour: I hear that it’s just not a big deal: “Who would want to hack my organization?” Well, if you’re not spending ANY attention on your own cyber security, then how do you know WHO’S a threat to you? You don’t. In many cases, you’ll never know. But there are some simple things you can do to make your nonprofit appear to be less of a target, which is all it takes sometimes to deter a hack.
TST: What are frequent issues you find in electronic security?
Dufour: The biggest one is that people mistake good electronic security for TOTAL cyber security. The truth of it is, 90% of most attacks these days happen in spite of technical means, and most of those are some sort of social engineering technique like spear phishing.
TST: How is security for businesses different than nonprofits–or is it?
Dufour: It shouldn’t be. You’ve got to think about security like you would finance: You HAVE to keep track of financial records and manage payroll, right? Security is just like that. It’s not the responsibility of the IT guy; it’s EVERYONE’S responsibility. Businesses are having just as hard a time recognizing that nowadays as nonprofits.
TST: What are best practices for nonprofits to secure their financial records or donor and employee data?
Dufour: Use trusted software and think twice before posting something onto a web-based portal of any kind. Take the time to research vulnerabilities of the systems you’re using and plug as many of those holes as you can.
About Web sites
TST: As some nonprofits outsource Web site creation and maintenance–or may even have a volunteer providing Web services–what are important guidelines for first steps and ongoing maintenance to deter hacking and security breaches?
Dufour: The bottom line here is inculcating a respect for security in everyone who interfaces with your organization, from employees to contractors to FAMILIES. One of the easiest ways to figure out somebody’s password is to crack another password on another site they use, like Facebook. 9 times out of 10, you’re using the same password for multiple site logins. So if I put up a fake Facebook login page that your son logs into, now I can impersonate your son online and even get YOU to surrender information to me willingly. OR I can try using that password on other services and sites.
TST: How secure is the cloud?
Dufour: If you put it on the internet, given enough resources, someone will eventually be able to find it.
TST: So, that is not a good thing in this case?
Dufour: For me personally, I think the benefits of cloud-based computing and storage outweigh the potential security risks. But that’s just me, and I know plenty of organizations whose data was mishandled or otherwise exploited by attackers because it was in the cloud. Just take appropriate security precautions ALWAYS when storing data in the cloud. Use SUPER-STRONG password strings, don’t hang everything in the same place, and generally make it as difficult as you can for a potential attacker to get over your castle wall. Also be savvy about WHAT you’re storing in the cloud: does your membership know that all their contact information is stored on a spreadsheet that you’re storing in the cloud? Does that spreadsheet include a line item for member passwords to your website or CMS? Just be very cognizant of EVERYTHING you put into the cloud and take every measure you can to protect it.
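One practical check a nonprofit can run before a membership spreadsheet like the one described above goes to a cloud drive. This is an added example, not code from the interview or from Chris Dufour: it flags columns whose header looks like a credential or payment field, and columns whose values pass the Luhn checksum that payment card numbers use. The sample CSV is constructed, and the header patterns are an assumption about what such exports typically contain.

```python
import csv
import io
import re

# Constructed sample export: the kind of membership spreadsheet the interview
# warns about, with a plaintext CMS password column and a card number mixed in.
# 4111111111111111 is the widely published Visa test number, not a real card.
SAMPLE_CSV = """name,email,cms_password,card_number,notes
Ada Lovelace,ada@example.org,hunter2,4111111111111111,board member
Grace Hopper,grace@example.org,Summer2014!,not on file,volunteer
"""

# Header fragments that usually mean a column should not leave the organisation
# (assumed heuristic; extend it for your own exports).
SENSITIVE_HEADER = re.compile(
    r"(pass(word|wd)?|pwd|secret|token|ssn|card|cvv|account)", re.I
)


def luhn_valid(digits: str) -> bool:
    """True when a 13-19 digit string passes the Luhn checksum used by payment cards."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_csv(text: str) -> dict:
    """Return {column_name: [reasons]} for every column that needs review before upload."""
    reader = csv.DictReader(io.StringIO(text))
    findings: dict = {}

    # Pass 1: column names that announce sensitive content
    for field in reader.fieldnames or []:
        if SENSITIVE_HEADER.search(field):
            findings.setdefault(field, []).append("header suggests credential or payment data")

    # Pass 2: cell contents that look like card numbers regardless of the header
    card_reason = "value passes Luhn check (likely card number)"
    for row in reader:
        for field, value in row.items():
            cleaned = re.sub(r"[ -]", "", value or "")   # strip common digit grouping
            if luhn_valid(cleaned):
                reasons = findings.setdefault(field, [])
                if card_reason not in reasons:
                    reasons.append(card_reason)
    return findings


def safe_to_upload(text: str) -> bool:
    """Convenience wrapper: True only when no column was flagged."""
    return not scan_csv(text)


if __name__ == "__main__":
    for column, reasons in scan_csv(SAMPLE_CSV).items():
        print(f"{column}: {'; '.join(reasons)}")
    print("safe to upload:", safe_to_upload(SAMPLE_CSV))
```

Run it against a real export and every flagged column is one to either drop, hash (for credentials, which should never be stored in a spreadsheet at all), or tokenize before the file is shared. The header check catches the obvious cases; the Luhn pass catches card numbers hiding in a column called something innocuous like "notes".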
TST: In what ways might an organization be concerned about security on social media?
Dufour: I think social media is one of the biggest vulnerabilities for organizations nowadays because of the richness of information people put on their profiles. I can do some simple research and have you friend a fake persona that I’ve created, and then through the relationship I build with you through that persona, derive personal information that I can then use to exploit your organization. That’s to say nothing of all the mayhem hackers can cause by brandjacking your official social media channels and spewing forth incorrect or inflammatory information, or crowdsourcing legions of people to write negative reviews about your services just because they’ve got an axe to grind with you.
TST: What is the best advice you can give to individuals about security and privacy online?
Dufour: I can’t say this enough: If you put it on the internet, given enough resources, someone will eventually be able to find it. And more importantly, PAY ATTENTION to the non-obvious hacking threats out there, like evidence of someone interacting with you online to discern information that could then be used to exploit your affiliation with your work or organization. We’re living in the age of NO PRIVACY, so even privacy controls on the social media we use are only as good as the next update to that software.
About Chris Dufour
Chris Dufour is a preeminent expert in employing digital strategy and technologies for defense, intelligence, and diplomacy. A founding member of what is now known as the Joint IED Defeat Organization, Chris piloted studies in web-based data gathering and sense-making to detect online criminal networks. As a program manager in irregular warfare, Chris managed the R&D portfolio for strategic communications, public diplomacy support, information operations, and psychological operations at the Combating Terrorism Technical Support Office. He has advised, led, and participated in several studies of social networking phenomena for government, academia, and industry. He has designed social media marketing strategies for small and large businesses, and he has written every type of web content from blog post to video game script.
Chris is a noted industry speaker on digital influence and social media having been recognized at conferences such as IQPC’s Information Operations Global and Sister Cities International. Presently, @Du4 (as he is known on Twitter) is a director for the White Canvas Group, where he currently manages social media strategy and digital influence training projects for the US Special Forces and Intelligence Communities as well as a host of Fortune 200 businesses and nonprofits. He has trained more than 2,000 people in advanced uses of social media and social media safety for families. If you need help securing yourself or your organization online, reach out to Chris at firstname.lastname@example.org.