COVID-19 crisis – Security awareness is more important than ever…

…especially for not-for-profits and small businesses

In turbulent times such as these, criminals are always trying to exploit fear, hope, and uncertainty of individuals. Some of these include phone scams, such as trying to trick people into reserving a nonexistent COVID-19 vaccine (https://bit.ly/2JblSW6) or, door to door scams pretending to test for the virus at a cost (https://bit.ly/2J7w6XB). Organizations may feel this is more of a consumer issue, however, the virtual world is no different. Phishing attacks using the corona virus as a hook are on the rise (https://cnb.cx/2QBEhPV).

No alt text provided for this image
Sample Phishing Email

Social distancing is becoming a common practice not only in our private lives, but also in the workplace as organizations shift their workforce to work remotely in order to prevent the spread of the virus. This can be particularly challenging for organizations whose employees usually work at physical office locations. These new circumstances can make resource constrained not-for-profits, charities, foundations and smaller organizations especially vulnerable. With the rapid shift and unfamiliarity of working remotely adds components that pose additional threats to the organization. Employees unfamiliar with virtual environments are being targeted by attackers who try to insert themselves into business processes by sending phishing emails to get employees to click on malicious links, open malicious documents, or try to redirect payments by pretending to be decision makers within the organization. Extra precautions and education are necessary to protect employee, client/customer, and organizational data from attackers. Cases where not-for-profits have fallen victim to exorbitant amounts of ransomware (https://bit.ly/2QGDE7M) are on the rise. These organizations cannot afford the high financial cost, nevermind the exposure of client data and reputational risk. To minimize these risks, the following are some of the basic steps employees should be aware of:

  1. Confirm and double check links in emails for validity.
  2. Do not enter sensitive information such as passwords into pop-up windows or websites from links in emails or texts.
  3. Verify websites being used have https in the address bar.

The Government of Canada’s ‘Get Cyber Safe’ web page provides “The 7 red flags of phishing” (https://bit.ly/2wmU8LF). Knowing the red flags is a good first step, however organizations should be deploying technologies that assist in protecting against phishing attacks, such as ensuring anti-virus and anti-spam protections are implemented and kept up-to-date, as well as firewalls deployed on all employee workstations and mobile devices. While all the previous recommendations need to be put into practice, security awareness training of employees is the number one strategy to protect the organization and its data. There are a number of free and paid security awareness resources available for financially constraint small businesses and nonprofits (Disclaimer: Corporate links are by no means an endorsement of these companies and their respective products and services, they are simply mentioned for the security awareness information made available for free):

No alt text provided for this image

If you would like to share or comment on this topics please visit the article published on LinkedIn.


  • All views expressed in this article are my own and do not represent the opinions of any entity with which I have been, am now, or will be affiliated.
  • The information provided in this article is for educational purposes only and provided “as is”. By no means is the information provided intended to prevent breaches from occurring. As with all matters please seek professional guidance to address the unique cybersecurity risks of your organization.