Jul 27, 2018 | Informative, Risk Management News
How many passwords do you use for work? Five? 10? More? Most nonprofit staffers have too many passwords to remember them all. This leads to bad habits: writing them down on sticky notes, sharing them with colleagues, or reusing the same password over and over. These bad habits can put your organization’s data at risk.
Many nonprofits are turning to password management services such as Dashlane, LastPass, and Sticky Password. These tools allow you to use just one long, complex password behind which you can store all your passwords. Most tools can be configured to automatically enter the right password whenever you go to an account website or open an application.
Some people worry that putting all your passwords in one place is too risky because one hack opens the door to all your data. That’s a valid concern, but chances are that the encrypted system used to manage your passwords and the value-added services you get from a password manager will make you more secure than whatever you’re doing currently.
If you’re interested in implementing a password manager at your organization, here are a few of the features you should look for.
- Enterprise Control. One of the biggest benefits of a password manager is the ability to manage every user of the system at your organization. Look for a service that allows you to turn off access for people who have left your organization and to select which users should and should not have access to specific accounts. A good system will allow you to maintain this admin-level control without giving you direct access to any password content.
- Audits and Changing. Many password managers can guide users to choose stronger passwords. Some will audit your passwords and suggest ways to strengthen them. Many also allow you to schedule password changing and even automate password changes.
- Two-Factor Authentication. A good password management vendor will understand your concern that one password in the wild can lead to dozens more roaming passwords. Two-factor authentication, a method that requires you to verify your identity in a second way, adds an extra layer of security to make it more difficult for a thief to get into the system.
- Multiple Devices. Chances are your staffers want to use various operating systems and mobile devices. Look for a password manager that is compatible with PCs, Macs, and all the various mobile devices out there.
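The audit feature described above, as an added example that is not part of the original article or of any vendor's product: a small vault audit over a constructed sample vault (the sites and passwords are made up) that flags reused passwords, passwords below a rough strength estimate, and passwords built on common words.

```python
import math
from collections import defaultdict

# Constructed sample vault (not real credentials): one entry per account.
VAULT = [
    {"site": "mail.example.org", "user": "alice", "password": "Summer2018!"},
    {"site": "donors.example.org", "user": "alice", "password": "Summer2018!"},
    {"site": "bank.example.com", "user": "alice", "password": "Tr0ub4dor&3"},
    {"site": "crm.example.net", "user": "bob", "password": "password"},
    {"site": "payroll.example.com", "user": "bob", "password": "x7#Qm!2vLp9@wRz4"},
]

# Constructed denylist standing in for a real common-password/dictionary list.
COMMON_WORDS = {"password", "summer", "welcome", "letmein"}


def estimated_entropy_bits(pw):
    """Rough strength estimate: length * log2(size of the character pool used).
    Assumes an attacker must brute-force the pool; dictionary words are
    handled separately because this estimate overrates them."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33  # printable ASCII punctuation
    return len(pw) * math.log2(pool) if pool else 0.0


def audit_vault(vault, min_bits=50):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []

    # Reuse: the same secret protecting more than one account means one
    # leak exposes all of them.
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["site"])
    for sites in by_password.values():
        if len(sites) > 1:
            findings.append({"issue": "reused", "sites": sorted(sites)})

    # Strength and dictionary checks, one per entry.
    for entry in vault:
        pw = entry["password"]
        bits = estimated_entropy_bits(pw)
        if bits < min_bits:
            findings.append({"issue": "weak", "site": entry["site"],
                             "bits": round(bits, 1)})
        lowered = pw.lower()
        for word in sorted(COMMON_WORDS):
            if word in lowered:
                findings.append({"issue": "dictionary", "site": entry["site"],
                                 "word": word})
    return findings


if __name__ == "__main__":
    for finding in audit_vault(VAULT):
        print(finding)
```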
Source: The Nonprofit Times
Jul 6, 2018 | Informative
This resource discusses and provides examples of possible financial risks that a nonprofit organization may encounter. Nonprofit grantees may find this resource useful in identifying potential risks within their organization. The risks in financial management are any actions that result in the reduction in value or loss of any of the organization’s financial assets.
The management and protection of financial resources must be a concern for all nonprofit organizations—from the smallest all-volunteer group to a large, national association. Without adequate financial resources, an organization is unable to achieve its mission and may not survive. Financial resources or assets fall into three categories—money, goods, and services. Money consists of cash, checking and savings accounts, securities and other investments. Goods involve merchandise or stock, supplies, and equipment. Services are the programs and activities the organization offers to its clients. Accountants classify goods and services as resources because they have a value or may be used to create value or revenues.
The risks in financial management are any actions that contribute to the reduction in value or loss of any of the organization’s financial assets. The decrease can be from the actions of an internal source such as an employee or volunteer, or someone outside of the organization can perpetrate the loss—a burglar, “con man,” or client defrauding the organization. Every organization should be aware of the possibility of a financial loss and take the appropriate protective actions.
A financial loss can have a tremendous impact on a nonprofit. The loss of money can create a cash flow crunch and force the organization to reduce its spending. The actions may include eliminating staff or reducing the hours worked plus adjusting the services offered to clients. Besides reduced services, the nonprofit may experience negative publicity about the incident. The bad press can lead to a decrease in donations and in the willingness of volunteers to work with the organization. Lastly, a financial loss can affect the reputations of the people involved. Often, the board dismisses an executive director if a large theft occurs on his or her “watch.” Members of the board are questioned by family, friends, associates, and others about the details of the incident and how it could happen to that organization. All of these factors make it imperative for every nonprofit organization to have the proper financial controls in place.
Categories of Risk
Fraud
Fraud, the intentional perversion of the truth in order to induce another to part with something of value or to surrender a legal right, is the umbrella term for most financial losses. Fraud is the most common crime perpetrated against nonprofits. Theft is a generic term for the fraudulent taking of property. In insurance terms, theft means any act of stealing. Types of theft include:
- Burglary – breaking and entering into a building for the purpose of committing a crime.
- Swindling – convincing someone to give or entrust property to you using deceit or false pretenses.
- Forgery – the unauthorized making or altering of a writing so that it appears to be lawfully authorized.
- Embezzlement – taking property lawfully entrusted to you and converting it to your own use.
Someone inside or outside the organization can commit a fraud or theft of organizational assets or resources. An employee can embezzle funds, steal office supplies or merchandise, pad their expense accounts, or create a fictitious company and bill the organization for services never rendered. An outsider can sell bogus merchandise, overcharge the organization for materials or services, or entice the organization to make bad investments. Imagination is the only limit to the ways to defraud an organization. Unfortunately, for every control or security system the organization implements, there is always someone smart enough to breach it. Catching wrongdoing before it translates to sizable losses is key. Therefore, in addition to establishing internal controls, nonprofits must be ever vigilant in monitoring their programs.
Investments
The size and types of investments will vary with each organization. For the smaller organizations, investments might be cash on hand, while large hospitals, colleges, and universities may have sizable endowment funds. Regardless of the size of the investment funds, every nonprofit needs to control and monitor its investments. Many organizations lost money in the savings and loan crisis when banks and lending institutions closed. Another danger is that the organization may make poor investment decisions, such as the purchase of junk bonds by Orange County, California, that resulted in its bankruptcy.
The New Era scandal is another example of a bad investment decision. Another potential financial risk for an organization is investing in “politically incorrect” companies. If the nonprofit purchased stocks or bonds in a company that subsequently comes under public and media scrutiny, it may experience adverse publicity or a significant decrease in the value of the investment. Every board should establish an investment policy that will guide the nonprofit in its investment and financial decisions. Even an organization operating on a cash basis should have a policy.
Misuse of Funds
All nonprofits exist for a specific purpose with a defined mission. The board is responsible for ensuring that the organization stays focused on its mission. An excellent way to monitor an organization’s progress is through its use of funds. Many nonprofits receive gifts or funding with restrictions or limitations on their use. The improper use of these funds can cause the funder to withdraw the money, require repayment of the expended funds, and refuse to provide future funding.
A similar risk is the use of funds for purposes other than serving the organization’s mission. Funds inappropriately expended can lead to the loss of the organization’s tax-exempt status or other legal actions. As pressures continue to mount for nonprofits to meet social needs, it is often easy to lose sight of the organization’s mission.
Tax Liabilities
Although most nonprofits are “tax-exempt,” the government still requires them to pay many taxes. An organization must pay the appropriate employment taxes such as Social Security, FICA, and state and federal income taxes. Failure to pay these taxes will lead to large fines.
A nonprofit may also be responsible for charging and remitting sales tax on items sold. Also, unrelated business income is becoming a significant concern as nonprofits seek creative ways to raise funds. Every nonprofit is responsible for knowing and paying its tax liabilities.
Tax-Exempt Status
The IRS’s approval of tax-exempt status is not a right but a privilege that it can easily revoke. One possible challenge to the status is that the organization is not meeting the charitable purpose guideline. If the nonprofit uses its funds for reasons not related to its charitable purpose, it can lose its tax-exempt status.
Private inurement is another cause for losing the exemption. In one case, the IRS revoked the tax-exempt status of a child care center. The board, whose members were parents of the children in the center, set a fee structure substantially below market rates. The board made up the shortfall with tax-deductible “contributions.” The IRS ruled that it was unlawful private inurement, revoked its exemption, and is investigating prior years.
Nonprofits have restrictions on the types of “political” activities they can undertake. The IRS guidelines bar any direct or indirect political activity. Lobbying is another area with restrictions. An organization may, however:
- Communicate with its legislators as a constituent
- Petition the government
- Respond to governmental inquiries and testify before legislative and administrative bodies
- Offer nonpartisan analysis of an issue to educate the public
A nonprofit cannot, however, devote a “substantial part” of its activities to lobbying.
Fundraising
The financial risks for fundraising are two-fold and extend beyond the theft of the money raised. First, an organization must protect itself from unscrupulous fundraising. Many organizations have discovered fictitious groups raising funds on their behalf, with the organization never receiving any of the money. An organization may also suffer losses stemming from injuries at a fundraising event staged by the fictitious group. Every nonprofit must guard against improper use of its name and logo, especially in regard to fundraising. The organization should respond quickly whenever it discovers someone using its name and logo without authorization.
The second issue concerns the selection and use of sponsors and cause-related marketing partners. An organization may spend hours and many dollars to negotiate a sponsorship arrangement only to later discover a flaw with the new partner. Although it did not involve a nonprofit, the Kathie Lee Gifford controversy regarding the use of child labor had a negative impact on sales. Imagine if your organization had been a partner in that deal. The potential damage to an organization’s reputation and goodwill could have a lasting impact. A nonprofit needs to evaluate its sponsors and partners carefully to avoid a press relations incident and other losses.
Physical Assets
When discussing financial risks, most of the attention focuses on the loss of money or funds. However, all nonprofits have physical assets at risk. Every organization owns office furniture, fixtures, and equipment used to meet its mission, and all of it is subject to loss. A fire or flood can damage or destroy the office contents. Also, an employee, volunteer, computer hacker, or other person wanting to harm the organization can steal or damage its assets. In addition, some nonprofits may have warehouses of supplies, whether the organization is a food bank, soup kitchen, sports organization, or mentoring program. The loss of the supplies could have a devastating effect on the organization’s mission.
The best protection is systems and procedures that limit the access to these assets. Computers contain not only a wealth of information but also confidential data. Control and limit access to the people with the “need to know.” Also, protect the organization’s supplies and merchandise. Although every employee “borrows” a pen or pad of paper, what about the merchandise (sweatshirts, briefcases, coffee mugs, books) that the organization sells to raise money? Many organizations lose money on merchandise sales due to the lack of inventory and access controls.
Risk Management Techniques
One key to controlling financial management risks is the development and use of effective internal controls. Every nonprofit needs policies and procedures to control the access and use of its financial resources. The techniques involve general management controls and accounting controls.
General Management Controls
General management controls consist of the board’s and senior management’s responsibilities for establishing the proper oversight of financial operations. The board should require clear and informative financial reports and statements on a regular basis. The organization, if possible, should use a certified public accountant and have an outside independent audit. If it cannot afford an audit, it should at least have an outside party review its financial reports and accounting records. A word of caution: an audit is not designed to detect fraud. An audit’s purpose is to affirm the organization’s financial records and position.
The board should establish the appropriate financial policies, such as investment and loan policies. Senior management and the board also must ensure that the proper financial and accounting procedures are in place. Lastly, the board and senior management should set the organization’s priorities and goals, keeping the nonprofit focused on achieving its mission.
Accounting Controls
Accounting controls are the procedures used to safeguard the nonprofit’s assets. Proper accounting controls also provide reliable and accurate financial records. Both of these goals enable the board and senior management to monitor the organization’s financial operations.
The creation of adequate accounting controls should focus on four areas—authority and approval, proper documentation, physical security, and early detection. Authority and approval procedures require the identification of who has the authority to perform and approve certain transactions, such as approving invoices, expense accounts, signing checks, and dispensing supplies. Proper documentation is a part of the approval and authority process, in that every financial transaction should leave a “paper trail.” Physical security addresses limiting access to various physical assets (accounting records, personnel files, merchandise, supplies, and other equipment).
Organizations often ignore the early signs of wrongdoing. If the proper controls are in place, the systems should alert someone to possible fraud. Unfortunately, people tend to ignore the early warning signs and let the deceit continue. Everyone must follow the established procedures for the controls to work. Any deviation from the system will enable someone to defraud the organization successfully. Good risk management may prevent a financial loss or catch the culprit early in the process, thereby minimizing the loss.
Source: ECLKC
Jun 26, 2018 | Risk Management News
Computer hacking can occur at any time and entail a wide range of problems and embarrassments. And that’s not including hackers who invade a system for the express purpose of damaging or destroying it.
So, everyone is taking steps to keep those faceless hackers from getting in, and as long as we put up walls we’ll all be safe, right?
Not so fast.
At the Nonprofit Risk Management Center 2016 Risk Summit, Jim Jackson, director of campus operations at Momentous Institute, and Paul Henry, network administrator/engineer of Momentous Institute, said that the biggest threat to cyber security lies in user behavior within the system.
In other words, when people in the organization use their computers/devices for purposes other than work, they are not just taking time off from work.
They presented the following statistics:
- 29 percent of all data breaches are socially engineered attacks, taking advantage of human behavior to advance a data-breach scheme.
- 67 percent of all web traffic (40 million viewers) to the world’s most trafficked free porn site was generated from the office.
- Facebook is the Number One website visited during work hours.
- 62 percent of people say it is acceptable to transfer work documents to personal computers, smartphones and online file sharing applications.
- 95 percent of all security incidents involve human error.
Source: The Non Profit Times
Jun 15, 2018 | Informative, Risk Management News
When speaking on encryption and surveillance at Kenyon College in April 2016, James Comey, then the director of the FBI, divulged that he’d placed a piece of tape over the camera on his personal computer.
And after Facebook Chairman & CEO Mark Zuckerberg posted a photo that showed his work computer in June 2016, thousands of people noticed that he had tape over his MacBook camera and microphone.
Why would the director of the FBI and the founder of Facebook resort to placing tape over the cameras and microphones at their personal workstations?
The answer is RATs — Remote Access Trojans.
Almost everyone in business today is familiar with remote desktop applications such as LogMeIn, TeamViewer, GoToMeeting, WebEx, and Bomgar. These enterprise tools provide remote access to a system and are useful and efficient ways to cut operating costs, ensure fast response time with help desks, or just get that much-needed document from your workplace when you are out of the office.
RATs are a malicious variant of these remote access tools: custom-created software that its operator runs to control a system without the victim’s knowledge.
One of the first RATs was made public in 1999. RATs have become more sophisticated through obfuscation in the years since they were first created. Today, most of the popular RATs are capable of performing keylogging, screen and camera capture, file access, code execution, registry management, password sniffing, and more. Through persistence, an attacker can run malware, exfiltrate data from the victim, and sell the data or use it to extort the victims at a later date.
RATs can be installed on a system through phishing links, email attachments, ransomware, infected USB drives, and more. They are custom-built to evade antivirus (AV) programs and intrusion detection and prevention products (IDS/IPS), and they are sold relatively cheaply on clearnet hacking forums and the dark web.
RATs are near the top in the hierarchy of cybercrime. There are dozens of techniques cybercriminals use to keep their RATs from being detected. RATs can be “binded,” or merged, into a legitimate program using very basic tools. The most popular are Adobe Flash, Google Chrome installers, and any web-based or local installer trusted by the workstation or domain. This is what makes a RAT unknown and undetectable to AV vendors.
The RAT’s role, like any creative virus, is to be persistent even after detection. Ten minutes of a target being “ratted” is more than enough time to upload multiple backdoors into a network that can stay persistent long after the RAT is discovered and eradicated, allowing future attacks. Ten minutes is also enough time to gain sufficient data to use in ransoming, extorting, or threatening an individual or business. The details of extortion techniques are changing on a monthly basis.
There will never be a product that fully protects any person or organization from RATs, viruses, malware, exploits, zero-day vulnerabilities, or other cyber threats. At this stage, the best prevention against RATs is for your organization to follow these best practices recommended by security researchers, engineers, and coders:
- Do not save unencrypted private information on a home or organization workstation. Encrypt your files with the fully audited open source VeraCrypt and AXCrypt (if you access files remotely). These provide multiple features and a 99.99 percent chance of no government backdoors with access to the encryption key.
- Train everyone with access to your network on the importance of avoiding unsafe websites, particularly sites that are ad-driven and full of pop-ups, as these might contain a drive-by RAT waiting to be deployed.
- Ensure your organization performs daily backups with minimum 256-bit AES encryption and redundant data eliminated (de-duplicated). These backups should be replicated off-site.
- Watch your firewall and IDS/IPS logs for unusually large amounts of data being sent out. That is one of the biggest clues that your network has been penetrated. Basic network security should have egress filtering already in place, with quality of service (QoS) controls to alert on such patterns.
- Use multi-factor authentication and print out the backup codes when you are offsite from your network. This is to prevent account takeovers if you have been compromised.
- Use your AV, IDS/IPS appliances and software and review the reports, especially those sent on the weekend. Most cybercrimes occur starting after hours on Friday afternoon, so customize your alerts to be a little more detailed during those times.
Also consider covering webcams and microphones when they’re not in use. If a RAT is used to activate them, the cybercriminals won’t be able to glean useful information.
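The egress check the practices above call for, as an added example that is not part of the original article: it parses a constructed, simplified outbound-connection log (one line per connection: timestamp, internal source, external destination, port, bytes sent; the addresses and volumes are made up), sums bytes per host per hour, and flags hours that are both large in absolute terms and far above that host's own median hourly volume, tagging after-hours and weekend hits since the article singles out Friday evenings.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

MB = 1_000_000

# Constructed sample records (not real traffic). 2018-06-15 is a Friday.
SAMPLE_LOG = """\
2018-06-15T09:05:12 10.0.1.15 203.0.113.10 443 12000
2018-06-15T10:12:40 10.0.1.15 203.0.113.10 443 15000
2018-06-15T11:30:02 10.0.1.15 198.51.100.7 443 9000
2018-06-15T12:01:55 10.0.1.22 203.0.113.10 443 11000
2018-06-15T18:45:09 10.0.1.15 198.51.100.99 443 480000000
2018-06-15T18:52:31 10.0.1.15 198.51.100.99 443 390000000
2018-06-15T19:03:17 10.0.1.22 203.0.113.10 443 14000
"""


def parse_records(text):
    """Parse the assumed '<ts> <src> <dst> <port> <bytes>' format."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({"time": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return records


def is_after_hours(t):
    """Outside 08:00-18:00, or on a weekend (Saturday=5, Sunday=6)."""
    return t.weekday() >= 5 or t.hour < 8 or t.hour >= 18


def find_egress_spikes(records, abs_threshold=100 * MB, ratio=10):
    """Flag (host, hour) buckets whose outbound volume exceeds abs_threshold
    and is more than `ratio` times the host's median hourly volume."""
    hourly = defaultdict(int)                       # (src, hour) -> bytes
    dests = defaultdict(lambda: defaultdict(int))   # (src, hour) -> dst -> bytes
    for r in records:
        bucket = r["time"].replace(minute=0, second=0, microsecond=0)
        hourly[(r["src"], bucket)] += r["bytes"]
        dests[(r["src"], bucket)][r["dst"]] += r["bytes"]

    per_host = defaultdict(list)                    # src -> [hourly totals]
    for (src, _), total in hourly.items():
        per_host[src].append(total)

    alerts = []
    for (src, bucket), total in sorted(hourly.items()):
        baseline = median(per_host[src])
        if total >= abs_threshold and total > ratio * baseline:
            top_dst = max(dests[(src, bucket)].items(), key=lambda kv: kv[1])[0]
            alerts.append({"host": src, "hour": bucket.isoformat(),
                           "bytes_out": total, "baseline_bytes": baseline,
                           "top_dst": top_dst,
                           "after_hours": is_after_hours(bucket)})
    return alerts


if __name__ == "__main__":
    for alert in find_egress_spikes(parse_records(SAMPLE_LOG)):
        print(alert)
```

Real firewall exports differ in layout, so only `parse_records` needs adapting; the thresholds are starting points to tune against a quiet week of your own traffic.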
Cybercrime has been unleashing significant destruction. The sinister nature of daily exploits, leaks, and hacks is numbing even the most hardened security researchers, and it seems the end is not in sight. While emerging technologies might be helpful in the fight against RATs in the future, for now your best protection is to follow the best practices above and layer your cybersecurity controls so that if one fails, others can help protect your organization.
Source: The Non Profit Times
Author: Lisa Traina
May 15, 2018 | Events, Informative, Risk Management News
Recently, I had the chance to spend some time at Walt Disney World in Orlando, Florida, when I attended the NAMIC conference in February. One session included a presentation by Barry Dillard, director of claims for Walt Disney World, where he shared the company’s approach to handling a wide variety of claims.
I sat down with their vice president of risk management to learn about some of the strategies they employ, and I had the opportunity to tour Walt Disney World itself to peek behind the curtain and see how this massive theme park creates the magic for its guests and cast members, while keeping everyone safe.
Believe it or not, the Walt Disney World Resort covers 40 square miles and is twice the size of Manhattan. Within its confines, this world-class attraction employs 75,000 cast members, each of whom plays a critical role in spreading the Disney magic. Their emphasis on safety is both taught and caught, which is especially important when serving the millions of guests who visit the Disney attractions around the world.
The Walt Disney Company is extremely proactive in their risk management strategies — it truly is everyone’s responsibility — not just the realm of those at the corporate level. As is often the case in life, the simplest things can make the biggest difference. Merely walking the parks, hotels, shops and restaurants can yield valuable information, allowing cast members to identify small issues before they become larger ones. Even in one of the most magical places on earth, reality tends to intrude.
Unexpected risks arise every day and training plays a key role in mitigating them. Hackers are constantly devising new ways to access company information or hold it for ransom. The use of ransomware is expected to increase 350% this year, so being vigilant and backing up data has never been more important.
The number of shooting incidents in businesses and other settings is increasing at an alarming rate. Knowing what to look for and how to respond in these situations can literally be the difference between life and death.
For better or worse, new risks are changing our behavior — how observant we are in open spaces of our surroundings, what we post on social media, where and how we protect our personal information, what we open online and how we train our staffs. It really is the smallest things that can make the biggest difference in keeping people safe.
Source: PropertyCasualty360
Author: Patricia L. Harman