Nonprofits rely on cyber-resources for efficiency, which creates new risks they are poorly equipped to deal with. “Sam IAM” discusses identity and access management, highlighting the vulnerability of nonprofits to fraud and cyber-attacks.

Cyber-resources increase productivity and can reduce the Burden of Volunteering. Every icon in the IPOOG graphic has one or more online systems, or software stored locally.
Each one has user ID(s), passwords, and additional security measures to answer the question, ‘who can legitimately access the resource?’
- Offending the Scum Bags
- Naming Sam IAM
- Sam IAM – the Bad News
- Sam IAM – the Good News
- Knowing What Sam IAM has Access To
- References, Notes, and Further Reading
Offending the Scum Bags
In the world of trying not to offend, I plan to offend the criminals behind frauds by calling them scumbags. This is a collective noun for a group of criminals running a scamming operation, a kid trying out their hacking chops in their parents’ basement, or a trusted (former) employee of an organization. If you steal, you are a scumbag – sorry if I offended you, scumbag.
Naming Sam IAM
Fraud, hacking, denial of service, ransomware, etc.; there are zillions of resources for each one of these threats. This and the next blog are going to deal with a specific element of this threat ecosystem: System Access Management by tracking Identity, Authorization Management. Because complex topics benefit from catchy phrases, I am calling this one Sam – IAM (which if it sounds vaguely familiar, harken back to when you had to read the book to your children AGAIN, for the third time, THAT NIGHT! [1]).
Sam IAM – the Bad News
Past and Current Frauds. According to Wikipedia, the first electronic hacking event occurred in 1903. Nothing was stolen, but it did cause reputational damage to Marconi, who was demonstrating secure wireless telegraphy [2]. As of June 30, 2024, the number of frauds reported to the Canadian Anti-Fraud Centre is on track to equal 2023 numbers.
Non-Profits are Ill-Equipped to deal with identity and access management. Their user base may be passionate but unsophisticated, and effort spent on securing systems uses resources that are not being spent on the core reason for the organization’s existence [3].
It Gets Worse. Nonprofits are ‘soft targets’ for fraudsters. The altruism they are built on is also their weakness. There is an implicit trust that others share in the passion of the mission. Often there is cash available.
Inertia is the Enemy. Volunteers make an event happen, operations occur, or the organization responds to an emergency (see Non-Profit Flavours). Afterwards, volunteers (and staff) are exhausted and want to get back to their lives. Systems are left unsecured, strategic decisions about hardening systems are passed on to the next board, and decisions are left unmade.
Making it Personal. Money is not the only thing of value to scumbags. Personal information can be monetized. Here in Alberta, to apply for a casino, you need to provide the home address and birth date of the executive. This information is often transmitted unencrypted. Juicy details to sell on the Dark Web so other scumbags can steal identities or conduct more sophisticated frauds.
As with seniors, this makes a non-profit a perfect victim for a fraudster. They are unsophisticated, trusting, have a bit of cash, and have muddled communications.
In May 2021, New Zealand’s Volunteer Service Abroad (VSA) was hit by a ransomware attack that encrypted vital information in its data systems, some of which was lost as a result.
The non-profit health provider Scripps Health was taken offline by a security breach in 2021. A Philadelphia food bank was hit by a US$1 million ransomware attack in December 2020 at a time when 5.6 million Americans were dependent on food handouts due to Covid.
The dark side of cyberspace: the threat to NGOs and nonprofits
Sam IAM – the Good News
Not Worth the Bother. Despite nonprofits being a soft target, the bad guys are likely smaller, less sophisticated scumbags. While there is ready cash, it is not in the millions or even six figures, making it less desirable for larger scammers. The London Drugs ransomware demand was for $25 million [4]; most non-profits would be hard-pressed to have $2,500 in their bank account.
Too Many. Here in Alberta, there are about 25,000 non-profits (see Two Out of Three SNPs are Gone!). Some will be ripe for the plucking, but most are not worth the bother. Larger non-profits have adopted the more sophisticated systems and processes of their for-profit brethren.
Using What Works. Finally, nonprofits can benefit from the work done by other targets. Multifactor authentication, active monitoring of logins, firewalls, zero-trust policies – these are some of the methods developed to keep the scumbags out of BIG targets. These defenses do not always work (ask London Drugs), but in the arms race with the scumbags, they are readily available.
Knowing What Sam IAM has Access To
The first step in hardening defenses is knowing what you are defending. The next blog covers a simple tool which is part of the content management of IPOOG. Hopefully, I have scared you sufficiently to keep reading (and commenting!).
References, Notes, and Further Reading
- [1] Green Eggs and Ham | Wikipedia.
- [2] List of security hacking incidents | Wikipedia.
- [3] There is an organization dedicated to nonprofit risks. Some of this overview is from this article: https://nonprofitrisk.org/resources/articles/a-violation-of-trust-fraud-risk-in-nonprofit-organizations/.
- [4] Tragically, there is no shortage of examples of fraud, ransomware, etc. For Canadians and for London Drugs employees, the April 2024 attack struck close to home. https://globalnews.ca/news/10521112/london-drugs-cyberattack-data-leaked/