From the Summer 2024 Issue

Cybersecurity and Nonprofits

Henry J. Sienkiewicz
Faculty | Georgetown University

Rick Smith
Vice President - IT Strategy | American Bankers Association

While all companies with an online profile are at risk, nonprofit organizations face significant challenges. Not only are they increasingly targeted by cybercriminals due to their valuable donor data, storage of financial information, and stance on specific political issues, but nonprofits often lack the resources and expertise to adequately protect their online systems and data. This lack of resources makes them frequent targets of ransomware, data breaches/exfiltration, and hacktivism attacks.

In its 2021 Digital Defense Report, Microsoft noted that nonprofits were the second most frequently targeted sector, accounting for 31% of attacks. The CyberPeace Institute found in 2023 that 41% of nonprofits had been the victims of an attack in the previous few years (Lazar, 2024).

Bad actors target nonprofits for two reasons: they are visible, and they are accessible. Nonprofits often handle sensitive information, including donor financial details, personal data of beneficiaries, and confidential organizational records. This valuable data makes them attractive to cybercriminals seeking financial gain or sensitive information for exploitation; donor financial information is a particularly rich target. Nonprofits’ online presence for fundraising and outreach further increases their exposure to cyber threats.

Nonprofits are resource-constrained. Their limited budgets and resources often result in weaker cybersecurity measures than for-profit organizations, making them easier targets. A cyberattack can severely damage the public trust and goodwill that nonprofits rely on, leading to a loss of donor support and credibility. Cybercriminals exploit these vulnerabilities, knowing that a successful attack’s impact can be financially and reputationally devastating for the nonprofit, often forcing them to pay ransoms or incur significant recovery costs.

Nonprofits often rely on donations to fund their operations, and their donor databases are valuable data sources. Due to the wealth of sensitive information they contain, such as personal contact details, financial information, and donation histories, donor databases are prime targets for cybercriminals. Unauthorized access can lead to identity theft, fraud, reputation damage, and financial loss for donors.

Specifically, they store personally identifiable information (PII) about their donors and customers, data that could be particularly valuable in the wrong hands. Moreover, conducting financial transactions via credit card presents an even greater risk.

Nonprofits may be targeted due to the causes they support. For example, nonprofits assisting Ukraine have been increasingly targeted since the 2014 invasion of Crimea, likely perpetrated by state-led actors (CrowdStrike, 2022). Finally, nonprofits frequently face significant budget challenges that make it difficult to fund cybersecurity initiatives fully and often lack internal security expertise (Poireault, 2024). This combination of inadequate resources and high-value information makes them a target-rich environment for bad actors.

Bad Actors

Bad actors “are highly active adversaries, creative rivals, not passive targets. Attacks are disguised by deception. Incursions are delivered with blinding speed to unexpected places. Cyber actors are always adjusting and reacting, with no intention of adhering to someone else’s plans” (Sienkiewicz, 2017). While nonprofits encounter multiple types of bad actors, three in particular stand out:

Criminals: A cybercriminal is an individual or group that uses technology to illegally access, steal, or damage data and systems. Their activities include hacking, phishing, spreading malware, and executing ransomware attacks for financial gain or malicious intent (Sienkiewicz, 2017).

Hacktivists: These attacks are carried out to disrupt operations and/or damage the reputation of nonprofit organizations with whom the attacker disagrees from a support or policy perspective. Denial of Service (DoS) attacks may cripple websites and prevent donors from contributing. Website defacement may cause reputational harm to the organization, and sensitive information may be leaked to the public (Lutkevich, 2021).

Nation-state: A nation-state cyber actor is a government-affiliated entity that conducts cyber operations. These operations often aim to gather intelligence, disrupt systems, or achieve political and strategic objectives. Notable examples include the 2017 WannaCry ransomware attack, which was attributed to North Korea, and the 2015 OPM data breach, which was linked to China. These actors leverage sophisticated techniques and resources typically unavailable to non-state actors (Sienkiewicz, 2017).

Common Nonprofit Attacks

Like any other organization, nonprofits face the most common cyber threats, including ransomware, data breaches, phishing, social engineering, malware, insider threats, Distributed Denial of Service (DDoS) attacks, and third-party risks; these threats are routinely enabled by weak passwords, unpatched software, and social engineering.

While nonprofit organizations may be targeted by hackers with different motivations and a variety of methods, several threats are especially familiar to these organizations:

Ransomware Attacks

Ransom demands can be substantial, and nonprofits often have limited budgets. Paying the ransom can divert funds away from their mission-critical activities. Ransomware can lock organizations out of their own data and systems, halting operations. This can be particularly damaging during critical periods such as fundraising campaigns or event preparations. As seen in the media, even if the ransom is paid, the data is not guaranteed to be restored. Permanent data loss can occur, affecting donor databases, financial records, and programmatic data.

With limited resources, many nonprofits operate with small IT teams or even volunteers, leading to potential gaps in cybersecurity defenses. Budget constraints often mean using older hardware and software that may not receive regular updates, making them more susceptible to attacks. Staff and volunteers may lack adequate cybersecurity training, increasing the likelihood of falling for phishing schemes that deliver ransomware (EideBailley, n.d.).

Data Breach/Exfiltration

Nonprofits store sensitive personal and financial information about donors and beneficiaries, making them attractive targets for cybercriminals. A data breach can severely impact a nonprofit, including financial losses, disrupted operations, and legal liabilities. It erodes donor trust, damaging the organization’s reputation and potentially decreasing future donations. Recovery efforts divert resources from the nonprofit’s mission, exacerbating the overall harm caused by the breach.

Risk Mitigation

To mitigate these threats and protect critical systems and sensitive data, nonprofit organizations must understand their specific risks, enforce effective security policies, and train their employees to spot and avoid cyber-attacks.

Risk Management Plans

All organizations, especially nonprofits, should have an enterprise risk management plan. Sadly, as of 2022, only 28% of nonprofits had an organization-wide risk management process (Branson, 2022).

Risk Management Frameworks

Risk management plans and assessments often draw on established frameworks that provide templates and resources to assist in identifying, assessing, and mitigating cyber threats and vulnerabilities. Initially published by the National Institute of Standards and Technology (NIST) in 2014, the NIST framework benefits nonprofit organizations. It is flexible yet comprehensive, focusing on seven key steps in the assessment process (Stevenson, 2022):

  • Prepare: Setting the stage through activities that manage security and privacy risks
  • Categorize: Using an impact analysis to organize the systems and the information they process, store, and transmit
  • Select: Determining the controls that will protect the systems and data
  • Implement: Deploying controls and documenting activities
  • Assess: Determining whether the implemented controls work as intended and produce the desired results
  • Authorize: Having a senior official authorize the system to operate
  • Monitor: Reviewing controls to ensure they continue to mitigate risks as intended

Using a risk management framework such as the one provided by NIST gives nonprofit organizations the clear guidance needed to implement an effective risk management plan.

Penetration Tests

Penetration testing is another essential tool for identifying and mitigating cyber threats. Penetration tests are often conducted by outside resources who analyze the security of systems and help identify vulnerabilities that could be exploited to gain unauthorized access (VTEST, 2020). They provide several benefits (Wierckx, 2020):

  • Reveal vulnerabilities: Find specific weaknesses in applications and network infrastructure.
  • Third-party expert opinions: Evaluation by trained professionals.
  • Ensure business continuity: Can prevent unexpected downtime.
  • Follow regulations and certifications: Assist in maintaining compliance.

Penetration tests may target applications, networks, cloud infrastructure, and individuals. Social engineering attacks are commonly used to steal employee credentials or gain physical access to restricted areas. Phishing and other email-based attacks mislead staff into providing their credentials to applications and networks. Tailgating may allow an unauthorized guest to enter restricted areas (Terranova Security, n.d.).

Effective communication between all parties must be maintained when conducting penetration tests. After completing a penetration test, the results must be reported correctly to the appropriate audience. The report should include an executive summary easily digestible by senior leaders, providing them with actionable intelligence without being overly technical. It should also prioritize vulnerabilities by risk and impact levels. Often, all findings must be addressed within a specified period. Prioritization allows organizations to mitigate the most critical risks first and address those with less impact in due course.

Change Management

Change management is another critical component of a practical cybersecurity framework. Change is inevitable. As bad actors continue to improve their knowledge of systems and hacking techniques, organizations must keep their platforms up to date and correctly configured to mitigate threats. Failure to apply the newest security patches to systems invites attacks from bad actors. Nevertheless, changes must be managed effectively. Poor change management practices can cause some of the same consequences a cyber attack might, such as system malfunction and downtime.

A robust change management plan should include the following elements (Abbas, 2023):

  • Conduct a cybersecurity risk assessment.
  • Identify areas requiring change.
  • Thoroughly test changes before deploying to the production environment.
  • Communicate changes to stakeholders and train them.
  • Continuously monitor cyber threats.
  • Adjust strategies based on real-time intelligence.

Nonprofit organizations should also consider using a Change Advisory Board (CAB) to manage and authorize system changes. Today’s systems are often highly integrated with one another. A change to one system may have unintended consequences for another. A CAB comprising members from across the organization helps ensure that all change impacts are understood and their implications considered. The CAB’s responsibilities include (Team Walk Me, 2021):

  • Assessments: Understanding the potential risks and rewards of the change.
  • Authorization: The CAB may authorize, reject, or request revisions to the change.
  • Scheduling and prioritization: The CAB will determine whether the necessary resources are available to complete the change and where it should be placed in the change pipeline.

Third-Party Risk Management

Organizations of all sizes, including nonprofits, continue to move from on-premise systems to cloud-based applications and services. Today, 94% of all companies worldwide use cloud-based software, a 14% increase since the beginning of the Covid-19 pandemic in 2020 (Rizvi, 2024). Moving to cloud-based services significantly benefits organizations of all types, especially nonprofits, which may lack the resources to invest in and maintain on-premise systems. Among these benefits are (Morpus, 2022):

  • Scalability: Resources can be rapidly increased or decreased without investing in additional infrastructure.
  • Improved Disaster Recovery: Cloud providers frequently host applications and data across multiple servers and locations with automatic failover.
  • Reduced Maintenance/Automatic Upgrades: Cloud providers handle security patches, software updates, and network management while ensuring that applications continue to mature without significant staff time.

These benefits come with a significant addition to an organization’s risk management program: vetting and managing third-party vendors. Ceding control over the security of the systems that store critical organizational data requires more than trust; it also requires verification. The most effective way to verify a vendor’s security standards and protocols is to request and review System and Organization Control (SOC) reports. Organizations increasingly undergo third-party audits to demonstrate their safety and soundness to their customers. SOC reports cover three categories and come in two types (Poston, 2021):

  • SOC 1: Focuses specifically on controls that impact the organization’s financial reporting.
  • SOC 2: Assesses controls around several criteria, including security, confidentiality, availability, processing integrity, and privacy. The latter four may be optional, but security should always be part of the SOC audit report.
  • SOC 3: Provides the same information as a SOC 2 report but with less detail. The SOC 3 report may be made public, while the SOC 2 is usually only given to current or prospective clients under a non-disclosure agreement.

SOC reports may be Type 1, a point-in-time snapshot of compliance, or Type 2, which covers compliance status over a period of time, such as one year. Some organizations choose ISO 27001 certification as an alternative to a SOC audit report. Developed by the International Organization for Standardization (ISO), this certification is based on a comprehensive set of security guidelines and is well respected worldwide (Drolet, 2022). Whether the vendor shares SOC or ISO 27001 reports, these should be fully vetted at onboarding and reviewed annually.

Vendors sometimes lack SOC audit reports or ISO 27001 certification. In these cases, there are still steps organizations can take to adequately vet vendors for security purposes (GRF, 2023):

  • Request Internal Documentation: Security policies, access control procedures, and risk management practices.
  • Security Questionnaires: Ask the vendor to respond to security-related questions that align with the organization’s risk management policy.
  • Architectural Diagrams: Network, storage, and data flow diagrams can clearly show where and how sensitive data is stored.
  • Customer References: Ask other vendor customers about their experiences, particularly if there has been a previous breach or security incident.

Another consideration for nonprofit organizations, many of which accept donations and payments for products and services, is Payment Card Industry (PCI) compliance certification. PCI compliance is mandatory for all systems that handle credit card transactions. The PCI Security Standards Council developed a series of guidelines and test procedures designed to secure payment card systems. Like SOC and ISO 27001 reports, these should also be vetted regularly.

Password Policies

Enforcing strict password policies helps organizations make it difficult for hackers to exploit system and network user accounts. Many different guidelines are available to nonprofit security leaders. PCI DSS 4.0 (Payment Card Industry Security Standards Council) provides a strong foundation for protecting user credentials (Nonprofits Decoded, 2021).

Multifactor Authentication

Relying on usernames and passwords alone gives hackers an access point to critical applications. With multifactor authentication (MFA), an additional verification step is required to gain access to a system (Trevino, 2023).

Principle of Least Privilege (POLP)

Another important security consideration for nonprofit organizations is adhering to the principle of least privilege, which asserts that users only have access to the systems and data needed to do their jobs. Limiting system privileges and disabling unnecessary services helps organizations reduce the impact of unauthorized access (Gillis, n.d.).

To effectively implement POLP, these steps should be taken (Vaideeswaran, 2023):

  • Monitor endpoints: Security teams should continuously monitor applications and endpoints, eliminating unnecessary ones. This reduces the attack surface available to would-be bad actors.
  • Minimal default user privileges: Standard user accounts should have limited access rights, with additional privileges added only as needed.
  • Conduct a privilege audit: Rights to applications and data should be reviewed regularly to ensure that only necessary privileges are assigned to users. Privilege creep, where permissions are granted temporarily and not later removed, is a common problem and can increase system vulnerability.
  • Segregation of privileges: Most systems have administrative or superuser accounts with elevated privileges. The number of these accounts should be strictly limited, and they should only be used for specific administrative tasks. Organizations should consider placing additional password complexity requirements on these accounts and forcing more frequent password changes.

Following these guidelines leads to better system stability and operational functionality and may slow the spread of malware (Okta, 2022).
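As an added illustration of the privilege audit and segregation-of-privileges steps above (example code written for this article, not from the authors or the cited sources), the following Python script compares each account’s entitlements against a role baseline, flags temporary grants whose expiry has passed (privilege creep), and checks that the number of administrative accounts stays within a cap. The roles, entitlement names, accounts, dates and the cap are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed role baseline: the entitlements a standard account in each role needs.
# "Minimal default user privileges" means anything beyond this must be justified.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "fundraising": {"crm:read", "crm:write"},
    "finance": {"crm:read", "ledger:read", "ledger:write"},
    "it-admin": {"crm:read", "ledger:read", "directory:admin", "backup:admin"},
}

# Entitlements that count as administrative / superuser rights.
ADMIN_RIGHTS = {"directory:admin", "backup:admin"}
MAX_ADMIN_ACCOUNTS = 2  # constructed policy value: keep privileged accounts few

SAMPLE_TODAY = date(2024, 6, 1)  # constructed audit date


@dataclass
class Grant:
    right: str
    expires: Optional[date] = None  # None = permanent grant


@dataclass
class Account:
    user: str
    role: str
    grants: List[Grant] = field(default_factory=list)


def audit_privileges(accounts: List[Account], today: date) -> List[dict]:
    """Return one finding per policy violation in the account list."""
    findings = []
    admin_holders = set()
    for acct in accounts:
        baseline = ROLE_BASELINE.get(acct.role, set())
        for g in acct.grants:
            if g.expires is not None and g.expires < today:
                # Temporary grant that was never removed: classic privilege creep.
                findings.append({"user": acct.user, "right": g.right,
                                 "issue": "expired-temporary-grant"})
            elif g.right not in baseline and g.expires is None:
                # Permanent right outside the role baseline needs justification.
                findings.append({"user": acct.user, "right": g.right,
                                 "issue": "beyond-role-baseline"})
            if g.right in ADMIN_RIGHTS:
                admin_holders.add(acct.user)
    # Segregation of privileges: the set of admin accounts must stay small.
    if len(admin_holders) > MAX_ADMIN_ACCOUNTS:
        findings.append({"user": ",".join(sorted(admin_holders)), "right": "admin",
                         "issue": "too-many-admin-accounts"})
    return findings


# Constructed sample accounts (not real users).
SAMPLE_ACCOUNTS = [
    Account("alice", "fundraising", [Grant("crm:read"), Grant("crm:write")]),
    Account("bob", "finance", [Grant("crm:read"), Grant("ledger:read"),
                               Grant("ledger:write"),
                               Grant("backup:admin", expires=date(2024, 3, 31))]),
    Account("carol", "fundraising", [Grant("crm:read"), Grant("directory:admin")]),
    Account("dave", "it-admin", [Grant("directory:admin"), Grant("backup:admin")]),
]

if __name__ == "__main__":
    for finding in audit_privileges(SAMPLE_ACCOUNTS, SAMPLE_TODAY):
        print(finding)
```

Run against the sample data, the audit reports bob’s expired backup grant, carol’s standing admin right outside her role, and three admin holders against a cap of two.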

Dormant Accounts

Accounts belonging to employees who are no longer with the organization also pose a significant cybersecurity risk. When an employee leaves, it is not uncommon to keep an account active to automatically respond to email messages and share files. However, these accounts may lack strong passwords and up-to-date multifactor authentication methods. Hackers using techniques such as phishing or brute-force password attacks benefit from the fact that these attempts are far more likely to go unnoticed, allowing them greater opportunities for success (Reason Labs, 2023). Nonprofit organizations should enforce a policy with specific guidelines on (Murphy, 2016):

  • Whether accounts will be deleted or temporarily disabled at the employee’s exit.
  • How long an account can remain before being permanently deleted.
  • How, and how frequently, inactive accounts are monitored and audited.
  • Similar policies should be enforced on guest or temporary accounts, as these can be overlooked and lead to additional cybersecurity vulnerabilities.
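The following Python script is an added example (not from the article or its sources) of turning those four policy questions into a repeatable check over a directory export: departed staff still enabled are marked for disabling, disabled accounts past the retention window for deletion, and enabled accounts with no recent sign-in for review, with a shorter window for guest and temporary accounts. The day counts, account records and dates are constructed sample values, not recommendations from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed policy values: illustrative numbers, not the article's recommendations.
DISABLE_AT_EXIT = True          # departed employees are disabled, not deleted, at exit
DELETE_AFTER_DAYS = 90          # disabled accounts are deleted after this many days
INACTIVE_DAYS = {"employee": 60, "guest": 14, "temporary": 14}  # review thresholds


@dataclass
class Account:
    user: str
    kind: str                        # "employee", "guest" or "temporary"
    enabled: bool
    created: date
    last_login: Optional[date]       # None = never logged in
    left_on: Optional[date] = None   # departure date for former staff
    disabled_on: Optional[date] = None


def evaluate_account(acct: Account, today: date) -> str:
    """Map one account to the policy action it requires."""
    # 1. Departed staff must not keep an enabled account (exit handling).
    if acct.left_on is not None and acct.left_on <= today and acct.enabled:
        return "disable" if DISABLE_AT_EXIT else "delete"
    # 2. Disabled accounts are retained only for the deletion window.
    if not acct.enabled:
        since = acct.disabled_on or acct.left_on or acct.created
        return "delete" if (today - since).days >= DELETE_AFTER_DAYS else "retain"
    # 3. Enabled accounts with no recent sign-in are reviewed; guest and
    #    temporary accounts get the same check with a shorter window.
    last_seen = acct.last_login or acct.created
    limit = INACTIVE_DAYS.get(acct.kind, INACTIVE_DAYS["employee"])
    if (today - last_seen).days > limit:
        return "review"
    return "ok"


def dormant_account_report(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Group usernames by required action so the audit output is actionable."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        report.setdefault(evaluate_account(acct, today), []).append(acct.user)
    return report


SAMPLE_TODAY = date(2024, 6, 1)  # constructed audit date
# Constructed sample directory export (not real users).
SAMPLE_ACCOUNTS = [
    Account("alice", "employee", True, date(2021, 1, 4), date(2024, 5, 30)),
    Account("bob", "employee", True, date(2020, 3, 2), date(2024, 4, 1),
            left_on=date(2024, 4, 15)),                                    # left, still enabled
    Account("carol", "employee", False, date(2019, 6, 1), date(2024, 1, 10),
            left_on=date(2024, 1, 12), disabled_on=date(2024, 1, 12)),     # disabled 141 days
    Account("dan", "employee", True, date(2022, 9, 1), date(2024, 2, 1)),  # 121 days idle
    Account("guest-audit", "guest", True, date(2024, 5, 1), None),         # never logged in
    Account("erin", "employee", False, date(2023, 2, 1), date(2024, 5, 1),
            left_on=date(2024, 5, 3), disabled_on=date(2024, 5, 3)),       # disabled 29 days
]

if __name__ == "__main__":
    for action, users in sorted(dormant_account_report(SAMPLE_ACCOUNTS, SAMPLE_TODAY).items()):
        print(f"{action:8} {', '.join(users)}")
```

Feeding a real directory export into `SAMPLE_ACCOUNTS` (for example, a CSV of users with last-logon and disabled dates) is the only change needed to use the check in practice.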

Security Awareness Training

A common phrase that aptly describes today’s cybersecurity landscape is “Attackers don’t hack anyone these days. They log on.” (Burton, 2024). This is because cyber attacks using valid user credentials continue to rise. According to an IBM study, these attacks increased by 71% in 2023 (Noone, 2024). Phishing attacks account for over 50% of all cybersecurity incidents (Albrecht-Fuhrmann, 2023). While implementing security tools goes a long way in preventing account breaches, employees may still inadvertently permit access, such as allowing a multifactor authentication request that they did not initiate. Security awareness training helps employees spot potential attacks, allowing them to remain safe and report suspicious activity.

Data Protection

Similar to other organizations, in order to defend against ransomware attacks, nonprofits should consider the following measures:

  • Regular Data Backups: Ensure data is backed up frequently and stored securely. Test the backup and recovery process to guarantee that data can be restored.
  • Network Segmentation: Divide the network into segments to limit the spread of ransomware if an infection occurs.
  • Email Filtering: Advanced email filtering blocks malicious attachments and links that may deliver ransomware.
  • Endpoint Protection: Implement and maintain up-to-date antivirus and anti-malware solutions on all devices.
  • Patch Management: Regularly update all software and systems to patch known vulnerabilities.
  • User Training: Conduct cybersecurity training for staff and volunteers to recognize phishing attempts and other common tactics to deliver ransomware.
  • Incident Response Plan: Develop and test a ransomware-specific incident response plan to ensure the organization can respond quickly and effectively to an attack.

Conclusion

Nonprofit organizations are not without cybersecurity options to protect themselves. Developing and implementing a risk management plan that thoroughly assesses the organization’s potentially vulnerable systems, leveraging the NIST framework, provides a clear picture of the threat landscape and allows the organization to prioritize mitigation strategies by vulnerability level and impact. Penetration testing by trained security professionals can help identify specific system weaknesses. Nonprofit organizations should use sound change management practices to ensure systems remain current while understanding the implications of new releases and security patches. They should implement a comprehensive third-party risk management strategy that vets vendors via formal SOC reports or detailed questionnaires.

Nonprofit organizations should implement robust and complex password policies that make hacking user credentials as difficult as possible. Adding tools such as single sign-on, password managers, and multifactor authentication provides additional security. These, combined with least-privilege access and monitoring of dormant user accounts, can help further harden the organization’s online position.

Finally, nonprofit organizations should implement a comprehensive security awareness training program for their employees that is required and supported by the C-Suite. Ensuring that staff understand the threats and know how to recognize and report them can make them allies in the fight against cybercriminals and keep the organization’s systems and data reasonably safe from attack.

References

Abbas, T. (2023, October 13). Change Management in Cyber Security – Explained. CMI. https://changemanagementinsight.com/change-management-in-cyber-security/

Albrecht-Fuhrmann, S. (2023, April 5). Phishing continues to pose major risk despite a decrease in cyberattacks in 2022, according to Statista research. Statista. https://www.statista.com/press/p/technology_market_insights_cybersecurity_2022/

Branson, B. (2022, June). The State of Risk Oversight. https://erm.ncsu.edu/wp-content/uploads/sites/41/migrated-files/2022-risk-oversight-report-erm-ncstate.pdf

Bridgetower Media Newswires. (2024, February 27). Cyber crime expected to skyrocket (CHART). Wisconsin Law Journal. https://wislawjournal.com/2024/02/27/cyber-crime-expected-to-skyrocket-chart/

Burton, H. (2024, February 6). How are user credentials stolen and used by threat actors? Cisco Talos Blog. https://blog.talosintelligence.com/how-are-user-credentials-stolen-and-used-by-threat-actors/

CrowdStrike. (2022, January 28). Past Cyber Operations Against Ukraine and What May Be Next. Crowdstrike.com. https://www.crowdstrike.com/blog/lessons-from-past-cyber-operations-against-ukraine/

Davies, V. (2023, May 11). Four major advantages of using a password manager. Cybermagazine.com. https://cybermagazine.com/articles/four-major-advantages-of-using-a-password-manager

Drolet, M. (2022, March 23). Council Post: ISO 27001 Certification: What It Is And Why You Need It. Forbes. https://www.forbes.com/sites/forbestechcouncil/2022/03/23/iso-27001-certification-what-it-is-and-why-you-need-it/?sh=32fb120f41a6

EC-Council. (2020, May 28). Security Awareness Training: 6 Important Training Practices. Aware.eccouncil.org. https://aware.eccouncil.org/security-awareness-training-6-important-training-practices.html

EideBailley. (n.d.). Cybersecurity Challenges and Best Practices for Nonprofits. Www.eidebailly.com. https://www.eidebailly.com/insights/articles/2022/1/cybersecurity-within-nonprofits

Flynn, J. (2023, February 6). 17 Essential Multifactor Authentication (MFA) Statistics [2023] – Zippia. Zippia. https://www.zippia.com/advice/mfa-statistics/

Gillis, A. (n.d.). What is the Principle of Least Privilege (POLP)? SearchSecurity. https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP#:~:text=The%20principle%20of%20least%20privilege%20(POLP)%20is%20a%20concept%20in

GRF. (2023, October 19). A Guide to Third Party Risk Management. GRF CPAs & Advisors. https://www.grfcpa.com/resource/a-guide-to-third-party-risk-management/

Heaslip, E. (2023, January 10). What Is Single Sign-On? Pros & Cons Explained. https://Www.uschamber.com/Co/. https://www.uschamber.com/co/run/technology/what-is-single-sign-on

Ignite Solutions Group. (2022, November 28). Why Nonprofits Are Easy Targets for Phishing Attacks. Ignite Solutions Group. https://www.ignitetheday.com/ignition/why-nonprofits-are-easy-targets-for-phishing-attacks

Isaacs, A. (2023, July 22). STRIDE vs PASTA – A Comparison of Threat Modeling Methodologies. Aptori.dev. https://aptori.dev/blog/stride-vs-pasta-a-comparison-of-threat-modeling-methodologies

Kreiser, J. (2023, August 16). Top 6 Benefits of Enterprise Risk Management. www.claconnect.com. https://www.claconnect.com/en/resources/articles/2023/top-6-benefits-of-enterprise-risk-management

Lazar, A. (2024, March 25). Cyber-poor, target-rich: The crucial role of cybersecurity in nonprofit organizations. CyberPeace Institute. https://cyberpeaceinstitute.org/news/cyber-poor-target-rich-the-crucial-role-of-cybersecurity-in-nonprofit-organizations/#:~:text=As%20such%2C%20according%20to%20Microsoft

Lutkevich, B. (2021, May). What is hacktivism? SearchSecurity. https://www.techtarget.com/searchsecurity/definition/hacktivism

Miller, M. (2020, April 16). FBI sees spike in cybercrime reports during coronavirus pandemic. The Hill. https://thehill.com/policy/cybersecurity/493198-fbi-sees-spike-in-cyber-crime-reports-during-coronavirus-pandemic/

Morpus, N. (2022, May 18). 7 Benefits of Cloud Computing for Small Businesses. The Motley Fool. https://www.fool.com/the-ascent/small-business/crm/articles/benefits-of-cloud-computing/

Murphy, D. (2016, February 1). How Inactive Accounts Harm the Active Directory Security? Lepide Blog: A Guide to IT Security, Compliance and IT Operations. https://www.lepide.com/blog/how-ad-inactive-accounts-harm-security/#:~:text=Inactive%20accounts%20may%20appear%20docile

Nonprofits Decoded. (2021, February 7). What Is PCI compliance, and why is it important for my nonprofit? Nonprofits Decoded. https://nonprofitsdecoded.com/pci-compliance-nonprofit-organizations/

Noone, G. (2024, February 21). Massive spike in cyberattacks using valid user credentials. Tech Monitor. https://techmonitor.ai/technology/cybersecurity/valid-user-credentials-ibm

Okta. (2022, July 21). Principle of Least Privilege: Definition, Methods & Examples | Okta. Www.okta.com. https://www.okta.com/identity-101/minimum-access-policy/

Osterburg, J. (2023, November 29). Three Key Steps for Nonprofit Risk Assessment and Management. ASAE. https://www.asaecenter.org/resources/articles/an_plus/2023/11-november/three-key-steps-for-nonprofit-risk-assessment-and-management

Poireault, K. (2024, February 14). How Nonprofits and NGOs Deal with Cyber-Attacks. Infosecurity Magazine. https://www.infosecurity-magazine.com/news-features/how-ngo-deal-with-cybersecurity/

Poston, H. (2021, October 13). Understanding SOC Compliance: Types, Benefits & Challenges | Infosec. Www.infosecinstitute.com. https://www.infosecinstitute.com/resources/management-compliance-auditing/overview-understanding-soc-compliance-soc-1-vs-soc-2-vs-soc-3/

RiskOptics. (2022, December 19). Top Threat Modeling Methodologies [Review of Top Threat Modeling Methodologies]. RiskOptics. https://reciprocity.com/blog/top-threat-modeling-methodologies/

Rizvi, J. (2024, February 6). From Startups To Giants: The Role Of The Cloud In Business Growth. Forbes. https://www.forbes.com/sites/jiawertz/2024/02/06/from-startups-to-giants-the-role-of-the-cloud-in-business-growth/?sh=74ec107236ae

Scapicchio, M., & Forrest, A. (2024, March 1). Single Sign On (SSO) | IBM. Www.ibm.com. https://www.ibm.com/topics/single-sign-on

Senthilnathan, S. (2023, June 12). Top 10 password policy recommendations for system administrators in 2021. Securden. https://www.securden.com/blog/top-10-password-policies.html

Sienkiewicz, H. J. (2017). The Art of Cyber Conflict. Dog Ear Press.

Simsonson, J., & Watts, R. (2022, January 26). What Is PCI Compliance? Everything You Need To Know. Forbes Advisor. https://www.forbes.com/advisor/business/what-is-pci-compliance/

Sotnikov, I. (2023, June 21). Council Post: ROI For Cybersecurity: How To Position Security Solutions As Investments. Forbes. Retrieved March 9, 2024, from https://www.forbes.com/sites/forbestechcouncil/2023/06/21/roi-for-cybersecurity-how-to-position-security-solutions-as-investments/?sh=638a92a63f84

Stevenson, R. (2022, August 26). Risk Management Framework (RMF): Overview + Best Practices [Review of Risk Management Framework (RMF): Overview + Best Practices]. DRATA. https://drata.com/blog/risk-management-framework

Subedi, H. (2023, February 22). How To Create A Password Policy For Your Organization | Jones IT. Jones IT | Managed IT Services, IT Support, IT Consulting. https://www.itjones.com/blogs/how-to-create-a-password-policy-for-your-organization

Synopsys. (n.d.). What Is Threat Modeling and How Does It Work? | Synopsys. Www.synopsys.com. https://www.synopsys.com/glossary/what-is-threat-modeling.html

Team Walk Me. (2021, May 6). What Does the Change Advisory Board (CAB) Do? The Change Management Blog. https://change.walkme.com/change-advisory-board/

Trevino, A. (2023, June 27). Types of Multifactor Authentication (MFA). Keeper Security Blog – Cybersecurity News & Product Updates. https://www.keepersecurity.com/blog/2023/06/27/types-of-multi-factor-authentication-mfa/

Tunggal, A. T. (2023, October 24). How to Perform a Cybersecurity Risk Assessment (2023 Guide) | UpGuard. Www.upguard.com. https://www.upguard.com/blog/how-to-perform-a-cybersecurity-risk-assessment

Terranova Security. (n.d.). What is a Tailgating Attack? Retrieved March 16, 2024, from https://www.terranovasecurity.com/blog/tailgating-attack

Wierckx, S. (2020, April 7). 7 advantages of penetration testing. Toreon – Your Coach in Digital Security. https://www.toreon.com/7-advantages-of-penetration-testing/

Vaideeswaran, N. (2023, June 28). What is Principle of Least Privilege (POLP)? | CrowdStrike. Crowdstrike.com. https://www.crowdstrike.com/cybersecurity-101/principle-of-least-privilege-polp/

VTEST. (2020, October 1). Penetration Testing: Definition, Need, Types, and Process. Software Testing Company | Software Testing Services | VTEST. https://www.vtestcorp.com/blog/penetration-testing
