Laurie: Joe, you’ve evolved into our clients’ best friend and worst enemy; our clients appreciate you keeping them informed and aware. But you also give them more things to worry about in the cyber realm. What type of cyber activities are you seeing that target NFP organizations?
Joe: We appreciate our role in helping keep Baker Tilly’s NFP clients safe and secure on the Information Technology (IT) front. Cybercrime continues to grow and advance, making it reasonable to estimate that approximately half of all incidents occur at smaller companies and organizations such as not-for-profits. Some of the most common attack strategies we’re seeing are business email compromise, wire fraud and ransomware. Many of these attacks leverage advanced social engineering tactics to give them a sense of authenticity. With advancements in artificial intelligence (AI) technology, these attacks are getting more sophisticated and easier to launch.
Laurie: That’s scary. I remember you mentioning how these ‘cyber bad guys’ are investing in talent and operating with more of a business-like mindset. It seems to be paying off for them.
Joe: You’re right. In years past, cybercrime was more about data theft and disruption, but now it has become a booming black-market business that generates significant income. While it’s difficult to truly measure the size of the problem, recent estimates indicate that cybercrime generated $8 trillion in 2023! For some context, only the U.S. and China have a larger economy than that of these cyber criminals. That level of “earning” has given rise to niche criminal groups who specialize in a particular type of attack and then “sell” their services to other “cyber bad guys.” This has led to a rise in highly talented and organized criminals with the ability to leverage the most advanced technology, significantly reducing the barrier to entry. With the use of advanced AI technology and social engineering techniques, I wouldn’t be surprised to see attacks start to incorporate voice replication and other convincing tactics. Imagine getting a phone call from your executive who is on vacation, asking you to process an urgent wire payment. It is only going to get more difficult to identify fraud going forward.
Laurie: With the cyber threat evolving and becoming so sophisticated, it would seem like organizations will need highly technical protective measures in place. How should NFPs prepare themselves and what next steps should they take?
Joe: There are some baseline technical solutions organizations should have in place such as endpoint detection, multi-factor authentication, malware protection and firewalls; however, the good news is that improving human behaviors is more often the best bang for your buck. Approximately 90% of cyber incidents occur due to human error, so paying attention to good awareness and sound security behaviors goes a long way. I would advise my clients, especially NFPs who may be financially constrained, to focus on improvements in the following areas: