Social Engineering: Why People with Passwords are the Biggest Threat to Your Mission

By Melanie Lockwood Herman

During a recent conversation with my daughter, she explained how despite the beautiful building, appealing inventory, and ideal location of her first retail job, she viewed it as the “worst place to work.” Why? “The people,” she explained. “If even half of the managers had been kind, supportive, patient or pleasant, I could have put up with our impatient, demanding clientele and the utter boredom of restocking shoes and re-folding sweaters.”

I was reminded during that conversation that nonprofit organizations depend on people—stakeholders of all sorts—to make their missions go ‘round. Yet risk leaders in our sector continue to believe that the people they don’t know—external bad actors—are the biggest threat to mission success. The sobering truth is that insiders—like the managers my daughter complained of—pose a far more potent threat to your mission.

How? The people who serve at your nonprofit hold the keys to your organization’s reputation, financial health and the well-being of your physical and financial assets. Bad behavior, ignorance of internal controls, and disregard for safety and security policies can drain the resources that your team spent years building. Most risk leaders seem to recognize the nexus between people peril and reputation, but may be less alert to the dangers insiders pose to sensitive information, such as donor, employee, and other sensitive personally identifiable information (PII) in the nonprofit’s possession.

In a recent risk readiness survey conducted by NRMC, 57% of respondents described their organizations as “somewhat prepared” to manage risks related to data security. An additional 10% of respondents reported being “unprepared” to manage or respond to such risks.

During Risk Assessments led by our team, we’ve heard about an array of risks becoming real in nonprofit organizations. A recent article in The Denver Post reminds us that data security threats are real. The article discusses how a nonprofit arts organization faced a data breach earlier this year involving sensitive personally identifiable information about donors, customers and current and former employees. Based on the report by writer John Wenzel, an email phishing scam led to unauthorized access of two email inboxes over a three-week period.

For his article on hacking published March 30th, 2017, writer Andy Segedin from The NonProfit Times interviewed James Franklin, CEO of TechBridge, who explained that ”The three most prominent kinds of attacks… involve user action.” Franklin reiterated that about 70% of security failures result from employee action, but “few nonprofits base security measures around employee best practices.” Franklin also shared a sobering truth: “There is nothing you can buy to make your organization secure…”

What is Social Engineering?

Franklin described social engineering as the third most prominent kind of security attack. Social engineering refers to the manipulation of individuals into doing something or divulging something that delivers confidential information to an untrusted source. Social engineering scams are said to exploit “bugs in human hardware,” versus system weaknesses. From pretexting (developing a false identity or scenario to manipulate targeted individuals) to spear phishing (highly customized phishing attacks designed to manipulate a targeted individual), to voice phishing or “vishing” phone calls, variety is the spice of life for digital scammers.

Why Smart Staff Are Susceptible to Social Engineering

The sheer dedication, the willingness to wear multiple hats, and even the niceness of your nonprofit staff members might make them surprisingly susceptible to social engineering.

  • It’s Not My Job – Have you ever heard a staff member or volunteer say, “Isn’t that someone else’s job?” Too often, uber busy staff in an organization don’t see themselves as part of the data security team. Others may simply be so swamped and overwhelmed that they feel pressure to stay in their own lane. Whether you’re talking about the security of clients, volunteers, or data, security is—and always will be—everyone’s job.
  • There’s an App for That – A common misconception about data security is that systems, rather than people, are the where the danger lies. Your colleagues might assume that by using the best or newest systems and apps, they are protecting your nonprofit’s data from hackers. Team members must recognize that they themselves pose the greatest vulnerability to the nonprofit’s data. Hackers will exploit human weakness even through the niftiest systems and apps.
  • Thank You for Calling – A quid pro quo social engineering scheme is one where the scammer offers “help” on a relevant topic to a nonprofit’s staff. If you’ve ever received an unexpected call from “your computer company” or “Technical Support” you’ve probably been targeted in a quid pro quo attack. These scammers offer to help solve any issues you’re having with your laptop, software, or Internet connection, but they need your login and other personal information–in order to help–themselves.
  • I Was Being Nice! – If you’ve ever held the door to your building or suite open to someone you don’t know without first confirming the visitor’s identify or legitimate purpose, you’ve permitted dangerous tailgating in your workplace. Being kind and respectful is an assumed condition of employment at most nonprofits, but putting warmth over wariness puts your workplace and coworkers at risk.

Managing Social Engineering Risk

Try the tested tips below to reduce your human vulnerabilities to social engineering and other data privacy risks.

  • Conduct a data risk assessment to better understand your data privacy exposures, and to develop an action plan for managing those exposures. NTEN, the Nonprofit Technology Network, shares helpful tips in the article “Assessing Risk: How to Protect Your Most Valuable Data.”
  • Adopt clear security protocols for handling all confidential and sensitive information. Helpful standards for cybersecurity include the NIST Cybersecurity Framework and the Center for Internet Security Controls. No matter the cybersecurity framework you implement, don’t make the mistake of limiting knowledge of your data privacy protocols to the privileged few. All staff members are potential victims of social engineering.
  • Provide memorable, frequent training and insights on new and novel forms of social engineering. Remember that anyone who answers a phone, opens an email, or connects to the Internet from or on behalf of your nonprofit, is a potential victim or access point to sensitive and confidential information in your nonprofit’s care or control.
  • Test your policies. Perform unannounced tests of your security protocols, including no-tech policies such as “no tailgating” as well as technical protocols, such as phishing vulnerability tests.
  • Be clear, not cryptic. Share actual examples of phishing and other social engineering attempts instead of referring to these scams in the abstract. Remember that your staff probably won’t see themselves as vulnerable victims of phishing. One NRMC client told us that after its CEO fell victim to a phishing test, he acknowledged his error as a compelling example of what not to do.
  • Verify with vigilance. On a day you feel busy at work, you might be more likely to sidestep security protocols if it means completing your work more efficiently. Encourage staff to put data privacy—and all other safety and security protocols—above efficiency. If a strange email or call comes in, take ample time to verify the inquiry rather than risk your records for a quick solution. Similarly, don’t rush to respond to emails that demand immediate action. Attackers often try to create a sense of urgency in order to manipulate targets into sharing sensitive information. Verify information requests with patience and vigilance.
  • Go straight to the source. If you receive inquiries that seem a bit shady—like emails with grammatical errors, urgent demands, or emails from sources that rarely email (the IRS)—verify these inquiries by going directly to the real organization’s website. If in doubt, don’t click email links; instead, open a web browser and visit the legitimate website to verify the inquiry. You can do the same with phone inquiries by ending the call and calling back on a trusted, legitimate phone number.
  • Simplify and speed up reporting. Remind staff as often as you can, to speak up immediately—and without shame—if they are even a tad concerned they have mistakenly clicked on a phishing email or provided confidential information to a scammer over the phone.
  • Be nicely suspicious. Encourage your team members to maintain their pleasant workplace attitudes, but inject a healthy dose of suspicion when handling inquiries. Don’t hesitate to kindly question an unverified inquirer.
  • Make it mission-related. Remind every team member that data security is your job, even if it’s not in your job description. Hammer your point home by connecting your data privacy expectations to mission stewardship.

At NRMC we offer Risk Assessments and Enterprise Risk Assessments that can include consideration of cyber risks. Whether your nonprofit’s cyber security practices are nascent or mature, the NRMC team can help you assess cyber risks from a holistic standpoint—connecting the dots between cyber exposures, financial exposures, workplace culture, insurance program oversight and risks to your reputation. To learn more about an engagement that includes consideration of cyber risk and liability, contact contact Melanie Herman or Erin Gloeckner at 703.777.3504 or submit an inquiry.

Melanie Lockwood Herman is Executive Director of the Nonprofit Risk Management Center. Melanie welcomes your thoughts about staff vulnerability to social engineering and practical security strategies, at Melanie@ or 703.777.3504.

Read more of Melanie’s data privacy advice in a Financial Times article: Charities unprepared for cyber attack risk” by Sarah Murray, published November 8, 2017.