Many nonprofit organizations continue to leverage older technology in their day-to-day operations. Unfortunately, this makes them an attractive target to cybercriminals, who can use security gaps in that older tech to infiltrate systems.
Everything from hardware and software misconfigurations to a lack of monitoring systems and proper encryption can contribute to making your organization more vulnerable. To help reduce the risk of ransomware, AP fraud, phishing and other cyberthreats, your organization should assess your information technology and security environments at least on an annual basis.
Can nonprofit organizations perform IT and cyber assessments themselves?
Time and talent permitting, there’s no reason your organization can’t do the assessment on your own. However, the tools available often do require specialized knowledge to operate. Then you need to know how to interpret the results and apply corrective action.
There are a variety of tools you can leverage — ideally in combination with each other. There isn’t one comprehensive assessment tool that will complete the entire process for you, so you’ll need to select the ones that align best with your current technologies and desired goals.
Here are some of the top tools:
Microsoft 365 Productivity Score and Secure Score: If your organization uses Microsoft cloud solutions, these two scores can be very useful. The Productivity Score gives you insights into how you can improve productivity and satisfaction among employees, while the Secure Score reports on your current security posture and provides guidance on how to improve that posture. The Secure Score also provides benchmarks and KPIs you can measure against.
The two scores only work within Microsoft 365, so any outside systems you use will require you to leverage other tools.
Microsoft Assessment and Planning (MAP) toolkit: If you don’t have cloud-based Microsoft tech but do have on-premises Microsoft tech, the MAP toolkit can help. The automated assessment tool analyzes your Microsoft tech, from how old it is to how well it could migrate to the latest version of the Microsoft platform or even to the cloud, and provides actionable recommendations to help your organization accelerate its IT infrastructure planning process.
Note that this tool does take some specialized technical knowledge to use, and you need to be familiar with the latest Microsoft technologies to understand its recommendations.
Tenable Vulnerability Scanning Products (e.g., Nessus, Tenable.io): Nessus is a vulnerability scanning tool that conducts network scans looking for vulnerabilities, misconfigurations, password weaknesses, etc., throughout your systems, devices and infrastructure. The Nessus Essentials version lets you scan up to 16 IP addresses for free, Nessus Professional allows for unlimited scans for a yearly license fee, and Tenable.io is the cloud-based scanning and reporting platform built on top of the Nessus scanning technology. Note that Nessus does require specialized knowledge of networking to run it.
Tenable.io offers more advanced reporting and dashboards, as well as the ability to deploy as many scanners as needed to cover your network. It also lets you install endpoint agents through your patch management software, so the scan runs locally on each device and only the results are sent back over the network once the scan is complete. Tenable.io also provides large-scale user access controls, so practitioners, remediation staff and even management each get a view of the vulnerability management process tailored to their role.
Haveibeenpwned.com: This is a website where your organization can check whether your employees’ user credentials have been exposed. Many people use the same password for different accounts — both work and personal — so if that information has been exposed during one data breach, it makes any other account where they used the same email address and password vulnerable.
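The credential check described above can also be automated for password hygiene reviews. The following is an added example, not code from the original post or from Have I Been Pwned: it implements the Pwned Passwords range lookup, in which only the first five characters of the password's SHA-1 hash are sent to the service, and runs against a constructed sample response so it works offline (the `check_password_online` function performs the live lookup and is not called here).

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1, split into the 5-char prefix that is sent to the
    service and the 35-char suffix that never leaves this host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding entries carry a count of 0."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def exposure_count(password: str, range_body: str) -> int:
    """Number of breach appearances recorded for the password (0 = not found)."""
    _, suffix = sha1_split(password)
    return parse_range_response(range_body).get(suffix, 0)


def check_password_online(password: str) -> int:
    """Live lookup: transmits only the 5-character hash prefix."""
    prefix, _ = sha1_split(password)
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "nonprofit-assessment-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return exposure_count(password, resp.read().decode("utf-8"))


# Constructed sample response (not real API output): the suffix for the
# constructed test password "password" plus two made-up suffixes, one of
# them a padding entry with count 0.
SAMPLE_RANGE = "\n".join([
    "0123456789ABCDEF0123456789ABCDEF012:4",
    f"{sha1_split('password')[1]}:12345",
    "FEDCBA9876543210FEDCBA9876543210FED:0",
])

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", exposure_count(pw, SAMPLE_RANGE))
```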
FFIEC Cybersecurity Assessment Tool: If you’re looking for a robust cyber assessment framework that you can download and walk through, the FFIEC Cybersecurity Assessment Tool is a good one. Because it’s designed for financial institutions, it’s extremely robust and is a great reference source of cybersecurity leading practices. It can help your nonprofit identify and close gaps in your IT and cybersecurity.
Of course, it isn’t written with the average person in mind. You’ll need specialized knowledge to use the tool. And note that it looks at internal controls around cybersecurity, not at your system configurations, so it should be used in combination with other tools.
Qualys Community Edition: This free tool will identify IT assets, scan a web application and give you insight to help manage vulnerabilities and more. Because it’s a free tool, it’s limited in how many computers and applications you can scan, so in larger environments you will need to upgrade to a fully licensed scan.
KnowBe4: KnowBe4 not only provides robust security awareness training but also lets you run your own phishing simulations to determine your susceptibility to phishing attacks. They have different — and free — security tools to help you identify your risk of social engineering, spear phishing, ransomware and other attacks.
Do these tools help with IT roadmapping?
Used in combination, these tools can give you a better idea of where your vulnerabilities are and how to improve your security posture. But since they provide point-in-time snapshots, they’re not going to be as useful in helping you build out an IT roadmap to make overall improvements to your infrastructure.
IT roadmapping can be extremely beneficial to nonprofit organizations because it highlights what needs to be addressed now versus later, how these needs align with your organization’s budget priorities, how to build a budget for improvements and how to gain consensus from leadership and the board.
When you take this into account alongside the fact that cybersecurity talent is expensive and difficult to hire and retain — and that many IT and cyber assessment tools require a specific level of expertise and experience to use them — working with a third party can actually be more cost-effective and save you a lot more time. This is especially true if your staff tend to wear multiple hats. The sooner you identify and address your security vulnerabilities, the sooner you can reduce the risk you’re taking every day.
Wipfli can help with your cyber and IT assessment
At Wipfli, we have a team of specialists who regularly perform cyber and IT assessments, as well as IT roadmapping, for nonprofit organizations.
We’ve also developed a sample RFI for a cybersecurity and IT assessment that your nonprofit can use to find the ideal third party.