Cybersecurity Education Series for Nonprofits – Security Basics II

In the second installment of the security basics for nonprofit organizations, we discuss hard drives, hardware decommissioning and software support, as well as unsecured devices.

Hard Drives

A key element of security basics is protecting workstations, especially portable ones such as laptops. We should protect these devices by implementing hard disk encryption. Hard disk encryption helps protect the organization by rendering the data stored on these drives unreadable if the laptop is lost or stolen. Even if a thief removes the hard disk drive from a stolen laptop, the drive remains encrypted, making use of the data impossible. Only the user of the laptop would be able to access the information by providing the appropriate credentials.

Hardware and Software Decommissioning

Many organizations, especially nonprofit organizations, store or transfer sensitive data in some capacity. To protect against data leakage, nonprofits should establish a formal hardware decommissioning process through documented policies and procedures. All hard drives, including those from printers and office devices, should be destroyed through shredding or crushing. Any media destruction should be performed on-site, and if it is done through a third party, a certificate of destruction should be provided to the organization. If a device is not physically destroyed, it should be overwritten or degaussed so that data is unrecoverable.

When it comes to software, nonprofits should quickly upgrade servers running operating systems that are no longer supported by vendors. When an operating system reaches its “end-of-life”, it is likely that the vendor is no longer issuing patches for security vulnerabilities. For this reason, “end-of-life/end-of-support” software often has known and exploitable vulnerabilities. Properly upgrading to vendor-supported versions of software helps address these security vulnerabilities.
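One way to find the servers this paragraph is about is to compare an asset inventory against end-of-support dates. The Python below is an added example, not part of the original article; the `audit_inventory` function, the OS names, the dates and the hostnames are all constructed for illustration, and real dates must come from each vendor's published lifecycle page.

```python
import csv
import io
from datetime import date

# Constructed end-of-support table (placeholder names and dates, not vendor data).
# Populate it from each vendor's published lifecycle page before real use.
END_OF_SUPPORT = {
    "exampleos server 1": date(2020, 1, 14),
    "exampleos server 2": date(2026, 10, 1),
    "exampleos server 3": date(2031, 10, 1),
}

# Constructed sample inventory export: hostname, role, operating system.
SAMPLE_INVENTORY = """hostname,role,os
files01,server,ExampleOS Server 1
donor-db,server,ExampleOS  Server 2
web01,server,exampleos server 3
legacy-app,server,OtherOS 9
"""

def audit_inventory(csv_text, today, warn_days=365):
    """Classify each host as unsupported, unknown, expiring or supported."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        os_name = " ".join(row["os"].lower().split())  # normalise case and spacing
        eos = END_OF_SUPPORT.get(os_name)
        if eos is None:
            # An OS missing from the table is a finding, not a pass:
            # nobody has confirmed that it still receives patches.
            status, days_left = "unknown", None
        else:
            days_left = (eos - today).days
            if days_left < 0:
                status = "unsupported"
            elif days_left <= warn_days:
                status = "expiring"
            else:
                status = "supported"
        findings.append((row["hostname"], status, days_left))
    # Most urgent first: unsupported, unknown, expiring, supported.
    order = {"unsupported": 0, "unknown": 1, "expiring": 2, "supported": 3}
    return sorted(findings, key=lambda f: order[f[1]])

if __name__ == "__main__":
    for host, status, days_left in audit_inventory(SAMPLE_INVENTORY, date(2026, 1, 1)):
        print(f"{host:12} {status:12} days_left={days_left}")
```

Hosts reported as `unknown` need a manual lookup before they can be treated as supported.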

Unsecured Devices

In the era of the Internet of Things (IoT), many nonprofits utilize various “smart” devices in addition to traditional office devices (printers, routers, switches, etc.). Out of the box, many of these devices have default configurations and credentials that should be changed during initial setup. Often, from what we see, this does not occur. By leaving default credentials on these devices, or even worse, not having proper credentials to begin with, nonprofits leave themselves vulnerable to a malicious actor who can easily obtain the default credentials from a web search and log into their devices. Nonprofits must secure devices so that they are the only ones who can access them.

For more information on securing devices at work and at home, please read this blog.

How CLA Can Help

CLA’s cybersecurity team has a deep understanding of the current threat landscape and can assist with securing hard drives, decommissioning hardware and software, and fixing unsecured devices. Do not go it alone. Learn more here, and reach out if you have any questions.

This content was written by Javier Young, CLA’s Cybersecurity Principal.

Keep Pace with Our Cybersecurity Education Series for Nonprofits

Cybersecurity Education Series for Nonprofits – Series Introduction

Cybersecurity Education Series for Nonprofits – Security Basics I
