Why every not-for-profit needs to implement Multifactor Authentication (MFA)
Building cyber security capability and keeping an organisation's systems and data safe from online attacks and data breaches is something the not-for-profit sector needs to address with a sense of urgency. The Office of the Australian Information Commissioner's (OAIC) data shows that 65% of data breaches are caused by malicious or criminal attacks, and that 66% of those attacks are cyber incidents.
The number of phishing attempts and threats has increased significantly in recent years, with the Australian Cyber Security Centre's (ACSC) 2020-2021 report showing a 13% increase in the number of cybercrimes reported in the last financial year compared to the previous year.
Not-for-profit organisations are at particular risk, as most not-for-profits do not have advanced network security protocols to protect sensitive client information. Consequently, many of these organisations experience phishing attempts on a daily basis.
The absence of secure systems and protection practices along with a lack of knowledge around cyber risks can result in phishing breaches and financial and reputational loss for an organisation.
One of the most common data breaches involves unauthorised access to sensitive information such as contact information (individual's name, home address, mobile number or email address), identity information (date of birth, passport or driver license details) and financial details (bank account and credit card details).
The OAIC's report found that most data breaches (91%) involved access to contact information. Identity information was accessed in 55% of data breaches, and financial information in 43%.
One example of a data breach in recent years is the Melbourne TAFE data breach in 2018, which exposed nearly 55,000 student and staff files.
Multifactor Authentication (MFA) is a key solution
As part of Infoxchange’s IT strategy, we have been helping not-for-profits implement ACSC’s Essential 8 mitigation strategies and develop plans to improve their IT maturity level.
In the last four months, our IT team has been supporting customers to implement MFA, one of the Essential 8 mitigation strategies, across their Microsoft systems. We have enabled this security feature for more than 85% of our customers.
Since MFA was implemented, none of the participating not-for-profits has experienced a phishing-related breach, despite ACSC data indicating that the number of attempts is increasing.
Our IT team has also been supporting customers with license clean-up to ensure:
- Old/unused licenses are removed
- Only authorised users have system access
- Licenses held are compliant
- Customers understand their licensing and their licensing obligations
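The two pieces of work above, rolling MFA out across Microsoft systems and checking that only authorised, licensed accounts have access, can be audited together from the same tenant data. The script below is an added example, not Infoxchange's own tooling; it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in administrator can consent to the read-only scopes it requests, and that the tenant's licensing permits the authentication-methods registration report. Cmdlet and property names are as documented for Microsoft Graph v1.0 at the time of writing and should be checked against your SDK version.

```powershell
# Added example: list enabled, licensed Microsoft 365 users who still have no MFA method
# registered, and disabled accounts that still hold licences (licence clean-up candidates).
# Read-only scopes: nothing here changes tenant state.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# Per-user registration details: IsMfaRegistered is true once an MFA-capable method exists.
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$byUpn = @{}
foreach ($r in $registration) { $byUpn[$r.UserPrincipalName.ToLower()] = $r }

# Every user with enabled state, licence assignments and member/guest type.
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,AssignedLicenses,UserType

$report = foreach ($u in $users) {
    $r = $byUpn[$u.UserPrincipalName.ToLower()]
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Enabled           = $u.AccountEnabled
        Licensed          = ($u.AssignedLicenses.Count -gt 0)
        Guest             = ($u.UserType -eq 'Guest')
        MfaRegistered     = if ($r) { [bool]$r.IsMfaRegistered } else { $false }
        Methods           = if ($r) { ($r.MethodsRegistered -join ',') } else { '' }
    }
}

# The accounts that matter most: enabled, licensed, and still relying on a password alone.
$inScope = @($report | Where-Object { $_.Enabled -and $_.Licensed })
$gaps    = @($inScope | Where-Object { -not $_.MfaRegistered })

"{0} of {1} enabled licensed users have no MFA method registered" -f $gaps.Count, $inScope.Count
$gaps | Sort-Object UserPrincipalName | Format-Table UserPrincipalName, Guest, Methods -AutoSize
$gaps | Export-Csv -Path .\mfa-gaps.csv -NoTypeInformation

# Disabled accounts that still consume a licence: review and reclaim during licence clean-up.
$report | Where-Object { -not $_.Enabled -and $_.Licensed } |
    Export-Csv -Path .\disabled-but-licensed.csv -NoTypeInformation
```

Registration is not enforcement: a user who has registered an authenticator app is only protected when a Conditional Access policy or Security Defaults actually requires MFA at sign-in, so pair this report with a check of those policies. Guest accounts appear in the output because they are a common gap; decide deliberately whether they fall under the same MFA requirement as staff.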
As part of improving our customers' systems security, we encourage them to enable Single Sign-On (SSO) for extra protection. SSO extends MFA coverage to more systems behind a single set of credentials.
SSO reduces the need to create and manage several passwords for different applications. It also reduces the exposure to data breaches by moving authentication data off-premises.
Another solution we recommend our customers enable is Microsoft Intune. Intune is a cloud-based mobile device management and mobile application management solution. It extends an organisation's control over, and access to, its operating systems, devices and data. When a device is lost or stolen, system admins can protect the organisation's data by remotely rendering the device unusable.
The direct results of MFA for not-for-profits
One of the immediate benefits experienced by not-for-profits that adopt MFA is the absence of phishing breaches.
Implementing MFA enables not-for-profits to demonstrate an improved security level, helping meet funders’ expectations (largely government) and board compliance expectations around systems security.
Improved privacy protection and systems security also increase the security of customer data, which is one of the key benefits of enabling MFA for not-for-profits.
- If you would like to learn more about phishing and the different types of phishing attacks, the ACSC website provides useful information.
- Phishing.org has examples of different phishing attacks and a test to assess your organisation's security level.