A Practical Guide to Blocking Cyber Threats
Learn how charities, NGOs, and community organizations can secure data and IT systems with appropriate access controls and minimal cost.
As cyber threats dominate the news headlines day after day, large multinational organizations and nonprofits alike need to take immediate notice. Nonprofits often work under stark resource constraints, such as minimal IT staff and limited access control methods — yet the critical information they hold, from donor records to staff data, must always be protected. With cyberattacks on nonprofits rising faster than ever, those same constraints make them an ideal target for phishing, account takeover, and insider misuse.
One of the first and most critical controls a nonprofit can implement to protect its assets is the Principle of Least Privilege. The principle rests on a simple idea: each subject is given the bare minimum access to the resources it needs to do its job, and no more. There are no blanket permissions and no “admin for convenience.” It is a highly practical and actionable way to fortify defenses — without requiring a major personnel or technical overhaul. Implemented correctly, the principle shrinks a nonprofit’s attack surface and stops many such attacks before they start, because a phished volunteer account or a careless insider can only reach what that role was ever allowed to reach.
Now, let us look at some of the practical approaches by which nonprofits can streamline their access controls and ensure that the right people have the right permissions — at exactly the right time.
Simplify Permissions With RBAC and Eliminate Over-Privileged Accounts
Role-based access control (RBAC) is one of the easiest ways to implement least privilege, and it doesn’t require a large IT team. It is fairly straightforward — instead of assigning permissions to individuals on a case-by-case basis, RBAC puts users into groups based on predefined roles. These roles could be volunteer, staff, program manager, finance, IT, and executive. Each role is granted only the permissions and privileges required for its job responsibilities and nothing more. This matters for nonprofits because roles vary widely and shift frequently — volunteers may support data entry for a short period, program managers may need access to case management systems, and finance teams handle sensitive donor or payment information. Standardizing permissions by role keeps them consistent over time and improves the overall security posture.
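The role model described above, as an added example that is not part of the original article: roles map to permission sets, every check is deny-by-default, and a report function flags accounts that still carry direct grants their role does not justify. The role names, permission strings, and sample accounts are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed role definitions for a small nonprofit; permission names are
# illustrative, not tied to any real product.
ROLE_PERMISSIONS = {
    "volunteer":       {"cases:read", "cases:enter_data"},
    "staff":           {"cases:read", "cases:enter_data", "cases:update"},
    "program_manager": {"cases:read", "cases:update", "cases:assign", "reports:read"},
    "finance":         {"donors:read", "payments:read", "payments:reconcile"},
    "it":              {"users:manage", "systems:configure"},
    "executive":       {"reports:read", "donors:read"},
}

@dataclass
class User:
    name: str
    roles: set
    # Permissions granted directly to the person, outside any role. Under RBAC
    # this set should be empty; any entry is a candidate for cleanup.
    direct_grants: set = field(default_factory=set)

def effective_permissions(user: User) -> set:
    """Union of the permissions of every role the user holds (direct grants excluded)."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())  # an unknown role grants nothing
    return perms

def is_allowed(user: User, permission: str) -> bool:
    """Deny by default: only a permission reachable through a role is honoured."""
    return permission in effective_permissions(user)

def find_over_privileged(users: list) -> dict:
    """Report direct grants no held role justifies: 'admin for convenience' leftovers."""
    findings = {}
    for u in users:
        extra = u.direct_grants - effective_permissions(u)
        if extra:
            findings[u.name] = extra
    return findings

# Constructed sample accounts.
USERS = [
    User("ana", {"volunteer"}),
    User("ben", {"finance"}, direct_grants={"users:manage"}),  # legacy admin grant
    User("cara", {"program_manager", "staff"}),
]

if __name__ == "__main__":
    print(is_allowed(USERS[0], "payments:reconcile"))  # volunteers never touch payments
    print(find_over_privileged(USERS))                 # ben's stray IT grant is reported
```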
Reduce Risk With Time-Bound Permissions
Nonprofits usually manage very sensitive information, such as donor records, financial data, or CRM systems, so granting elevated access to users carries real risk. One effective way to address it is Just-in-Time (JIT) access: elevated rights are granted only when a specific task requires them, and preferably only for a limited time window.
Once the task and the session are complete, the user’s access is revoked, reducing the window in which a compromised or misused account could cause a breach. This is particularly useful where short-term access is needed for volunteers, especially during emergency or disaster response events. Contractors or consultants who work part-time for the organization on specific projects, such as system migrations, audits, or process improvements, also call for this type of access. JIT access control has a two-pronged benefit: temporary access not only strengthens security but also simplifies administrative overhead, because there is nothing left to clean up once the window closes.
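The time-bound grants described above, as an added example that is not part of the original article: each grant records a justification, is capped to a maximum window, expires on its own, and can be revoked early when the task finishes. The contractor name, permission string, ticket reference, and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class JitGrant:
    user: str
    permission: str
    reason: str            # who asked for it and why, kept for the audit trail
    granted_at: datetime
    expires_at: datetime
    revoked: bool = False

class JitAccess:
    """Time-bound grants that expire on their own and can be revoked early."""

    def __init__(self, max_duration: timedelta = timedelta(hours=8)):
        self.max_duration = max_duration   # 'temporary' must mean temporary
        self.grants = []

    def grant(self, user, permission, reason, duration, now) -> JitGrant:
        if not reason:
            raise ValueError("a JIT grant needs a recorded justification")
        if duration > self.max_duration:
            raise ValueError(f"window {duration} exceeds cap {self.max_duration}")
        g = JitGrant(user, permission, reason, now, now + duration)
        self.grants.append(g)
        return g

    def revoke(self, user, permission, now) -> int:
        """Close live grants early (task finished); returns how many were closed."""
        closed = 0
        for g in self.grants:
            if (g.user, g.permission) == (user, permission) and not g.revoked \
                    and g.expires_at > now:
                g.revoked = True
                g.expires_at = now
                closed += 1
        return closed

    def has_access(self, user, permission, now) -> bool:
        """Deny by default: access exists only inside an unrevoked, unexpired window."""
        return any((g.user, g.permission) == (user, permission) and not g.revoked
                   and g.granted_at <= now < g.expires_at for g in self.grants)

# Constructed scenario: a contractor gets CRM export rights for a 2-hour migration task.
T0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
jit = JitAccess()
jit.grant("contractor_lee", "crm:export", "ticket MIG-12 (constructed) data migration",
          timedelta(hours=2), T0)
```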
Build Checks and Balances With Segregation of Duties (SoD)
Segregation of duties (SoD) rests on the idea that no single individual should control an entire process from start to finish. This is especially crucial for nonprofits, where a diverse set of stakeholders is involved. By splitting responsibilities among different people, nonprofits can significantly reduce the risk of fraud, accidental errors, and insider misuse, and the split creates built-in checks and balances that strengthen overall accountability. For example, when donor contributions are entered into a financial system, the person who records them should not also be the one who reconciles them; reconciliation is better handled by someone from the finance or accounting team.
Refunds or payment modifications should then be approved by a manager or director, providing a final layer of oversight. Implementing SoD doesn’t require much effort: duties can be separated with the same RBAC principles discussed above, by requiring dual approvals for sensitive actions, or by involving volunteers and board members in oversight functions.
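The donation workflow above, as an added example that is not part of the original article: conflicting duty pairs are declared once, a role assignment is rejected if it would let one person hold both sides of a conflict, and refund approval enforces dual control. The duty names, roles, and sample refunds are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed duties in the donation workflow (illustrative names).
ROLE_DUTIES = {
    "fundraising": {"contribution:record"},
    "finance":     {"contribution:reconcile"},
    "director":    {"refund:approve"},
}

# Pairs of duties that one person must never hold together.
CONFLICTS = {
    frozenset({"contribution:record", "contribution:reconcile"}),
    frozenset({"contribution:reconcile", "refund:approve"}),
    frozenset({"contribution:record", "refund:approve"}),
}

def duties_of(roles: set) -> set:
    """All duties reachable through the given roles; unknown roles add nothing."""
    return set().union(*(ROLE_DUTIES.get(r, set()) for r in roles))

def sod_violations(roles: set) -> set:
    """Conflicting duty pairs a single person would hold with this role set."""
    held = duties_of(roles)
    return {pair for pair in CONFLICTS if pair <= held}

def can_assign_role(current_roles: set, new_role: str) -> bool:
    """Refuse the assignment if the combined role set breaks any SoD rule."""
    return not sod_violations(current_roles | {new_role})

@dataclass
class Refund:
    payment_id: str
    requested_by: str
    approved_by: Optional[str] = None

def approve_refund(refund: Refund, approver: str, approver_roles: set) -> Refund:
    """Dual control: the approver must be a different person and hold the approval duty."""
    if approver == refund.requested_by:
        raise PermissionError("requester cannot approve their own refund")
    if "refund:approve" not in duties_of(approver_roles):
        raise PermissionError(f"{approver} lacks the refund approval duty")
    refund.approved_by = approver
    return refund
```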
Conduct Periodic Access Reviews to Prevent Permission Creep and Excess Privileges
After implementing RBAC and SoD, it is important to keep monitoring user roles from an accounting and audit trail perspective. Access rights accumulate unintentionally over time as roles and responsibilities shift — so-called permission creep — so access reviews should be conducted periodically. These structured reviews make it easy to check who has access to which systems and whether their current role still requires those privileges. Access is analyzed first; where it is no longer justified, it should be revoked immediately for former staff, inactive volunteers, and anyone whose role has been cancelled or changed. In the same way, the access of temporary contractors and auditors should be reviewed to ensure expired access hasn’t been overlooked.
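A periodic access review of the kind described above, as an added example that is not part of the original article: it compares each account against the current roster and reports leavers, expired contractor or auditor access, role drift between what was provisioned and what the person now does, and long-inactive accounts. The roster, dates, and 90-day inactivity limit are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Account:
    name: str
    role: str                  # current role in the HR / volunteer roster
    provisioned_role: str      # role the account was set up with in IT systems
    active_member: bool        # False for former staff or finished volunteers
    last_login: Optional[date]
    access_expires: Optional[date] = None   # set for contractors and auditors

INACTIVITY_LIMIT = timedelta(days=90)   # constructed policy value

def review_access(accounts: list, today: date) -> dict:
    """Findings keyed by account name; 'revoke' items should be actioned at once."""
    findings = {}
    for a in accounts:
        notes = []
        if not a.active_member:
            notes.append("revoke: no longer with the organization")
        if a.access_expires is not None and a.access_expires < today:
            notes.append(f"revoke: temporary access expired on {a.access_expires}")
        if a.provisioned_role != a.role:
            notes.append(f"creep: provisioned as {a.provisioned_role!r}, current role {a.role!r}")
        if a.last_login is None or today - a.last_login > INACTIVITY_LIMIT:
            notes.append("review: inactive beyond 90 days")
        if notes:
            findings[a.name] = notes
    return findings

# Constructed roster for the review.
TODAY = date(2024, 9, 1)
ACCOUNTS = [
    Account("ana",  "volunteer", "volunteer",       True,  date(2024, 8, 20)),
    Account("ben",  "finance",   "finance",         False, date(2024, 5, 2)),
    Account("cara", "staff",     "program_manager", True,  date(2024, 8, 30)),
    Account("dan",  "auditor",   "auditor",         True,  date(2024, 4, 1),
            access_expires=date(2024, 4, 30)),
]

if __name__ == "__main__":
    for name, notes in review_access(ACCOUNTS, TODAY).items():
        print(name, notes)
```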
Opinions expressed by DZone contributors are their own.