Top cybersecurity and IT assessment tools for nonprofits
Many nonprofit organizations continue to leverage older technology in their day-to-day operations. Unfortunately, this makes them an attractive target to cybercriminals, who can use security gaps in that older tech to infiltrate systems and expand their attack surface. Implementing effective vulnerability management and cybersecurity risk assessment practices is crucial for these organizations.
Everything from hardware and software misconfigurations to a lack of monitoring systems and proper encryption can contribute to making your organization more vulnerable. To help reduce the risk of ransomware, AP fraud, phishing and other cyberthreats, your organization should assess your information technology and security environments at least on an annual basis.
Can nonprofit organizations perform IT and cyber assessments themselves?
Time and talent permitting, there’s no reason your organization can’t do the vulnerability assessment on your own. However, the vulnerability assessment tools available often do require specialized knowledge to operate. Then you need to know how to interpret the results and apply corrective action through an effective cybersecurity threat assessment process.
There are a variety of vulnerability scanners and security assessment tools you can leverage — ideally in combination with each other. There isn’t one comprehensive vulnerability assessment tool that will complete the entire process for you, so you’ll need to select the ones that align best with your current technologies and desired goals.
Here are some of the top cybersecurity threat assessment and vulnerability management tools nonprofits might choose to leverage:
Microsoft 365 adoption Score and Secure Score: If your organization uses Microsoft cloud solutions, these two scores can be very useful. The Productivity Score gives you insights into how you can improve productivity and satisfaction among employees, while the Secure Score reports on your current security posture and provides guidance on how to improve that posture. The Secure Score also provides benchmarks and KPIs you can measure against.
The two scores only work within Microsoft 365, so any outside systems you use will require you to leverage other tools.
Microsoft Assessment and Planning (MAP) toolkit: If you don’t have cloud-based Microsoft tech but do have on-premises Microsoft tech, the MAP toolkit can help. The automated assessment tool analyzes your Microsoft tech, from how old it is to how well it could migrate to the latest version of the Microsoft platform or even to the cloud, and provides actionable recommendations to help your organization accelerate its IT infrastructure planning process. Note that this tool does take some specialized technical knowledge to use, and you need to be familiar with the latest Microsoft technologies to understand its recommendations.
Tenable Vulnerability Scanning Products (e.g., Nessus, Tenable.io): Tenable offers robust vulnerability management software, with Nessus being a popular vulnerability scanner. The Nessus vulnerability scanner conducts network security scans looking for vulnerabilities, misconfigurations, password weaknesses, etc., throughout your systems, devices and infrastructure. The Nessus Essentials version lets you scan up to 16 IP addresses for free, Nessus Professional allows for unlimited scans for a yearly license fee, and Tenable.io is the cloud-based scanning and reporting platform built on top of the Nessus network scanner technology. Note that Nessus does require specialized knowledge of networking to run it.
In Tenable.io there are more advanced reporting and dashboards, as well as the ability to install as many scanners as needed to cover your network. It also grants you the ability to install end-point agents through patch management software to allow remote scans without going over the network until the scan is complete. Tenable.io also allows for large-scale user control features to allow practitioners, remediation implementation personnel and even management to see their specific view of the vulnerability management process.
Tenable Vulnerability Management offers comprehensive vulnerability coverage, including cloud vulnerability scanning and web application scanning. It uses advanced vulnerability scoring methods like CVSS and VPR to help prioritize vulnerabilities based on risk. The platform also integrates threat intelligence to provide context for identified vulnerabilities and supports compliance reporting for various standards, enhancing overall cybersecurity risk assessment capabilities.
Haveibeenpwned.com: This is a website where your organization can check whether your employees’ user credentials have been exposed. Many people use the same password for different accounts — both work and personal — so if that information has been exposed during one data breach, it makes any other account where they used the same email address and password vulnerable.
FFIEC Cybersecurity Assessment Tool: If you’re looking for a robust cyber risk assessment tool that you can download and walk through, the FFIEC Cybersecurity Assessment Tool is a good one. Because it’s designed for financial institutions, it’s extremely robust and is a great reference source of cybersecurity leading practices. It can help your nonprofit identify and close gaps in your IT and cybersecurity.
Of course, it isn’t written with the average person in mind. You’ll need specialized knowledge to use the tool. And note that it looks at internal controls around cybersecurity, not at your system configurations, so it should be used in combination with other vulnerability management tools.
Qualys Community Edition: This free tool will identify IT assets, scan a web application and give you insight to help manage vulnerabilities and more. Because it’s a free tool, it’s a limited to how many computers and applications you can scan, so in larger environments, you will need to upgrade to a fully licensed scan.
KnowBe4: KnowBe4 not only provides robust security awareness training but also lets you run your own phishing simulations to determine your susceptibility to phishing attacks. They have different — and free — security tools to help your identify risk of social engineering, spear phishing, ransomware and other attacks that could exploit vulnerabilities in your systems.
Do these tools help with IT road-mapping?
Used in combination, these vulnerability management tools can give you a better idea of where your vulnerabilities are and how to improve your security posture. But since they provide point-in-time snapshots, they’re not going to be as useful in helping you build out an IT road map to make overall improvements to your infrastructure and enhance your cloud security.
IT road-mapping can be extremely beneficial to nonprofit organizations because it highlights what needs to be addressed now versus later, how these needs align with your organization’s budget priorities, how to build a budget for improvements and how to gain consensus from leadership and the board.
When you take this into account alongside the fact that cybersecurity talent is expensive and difficult to hire and retain — and that many IT and cyber assessment tools require a specific level expertise and experience to use them — working with a third-party vulnerability assessment company can actually be more cost-effective and save you a lot more time. This is especially true if your staff tend to wear multiple hats. The sooner you identify and address your security vulnerabilities, the sooner you can reduce the risk you’re taking every day and minimize your external attack surface.
Wipfli can help with your cyber and IT assessment
At Wipfli, we have a team of specialists who regularly perform cyber and IT assessments, as well as IT road-mapping, for nonprofit organizations. Our vulnerability management process includes comprehensive scanning, analysis and customizable reporting to help you prioritize and address your most critical vulnerabilities. Learn more here about our cybersecurity services for nonprofits.
We’ve also developed a sample RFI for a cybersecurity and IT assessment that your nonprofit can use to find the ideal third-party.
Related content:
