Respected security researcher Dan Wallach from Rice University has published a short (18-page) guide to securing small organizations against three kinds of cyberattack: Untargeted, remote (spammers, phishers, ransomware griefers, etc.); Targeted, remote (spear phishers); and Targeted, in person (immigration agents, police, criminal trespass).
It's an essential guide for an increasingly overmatched nonprofit and small business sector that has to contend with adversaries who can avail themselves of sophisticated attack tools, even when they themselves are not particularly sophisticated.
If there’s one thing we learned from the leaks of the DNC emails during the 2016 presidential campaign, it’s this: cyber-security matters. Whether or not you believe that the release of private campaign emails cost Clinton the election, they certainly influenced the process to the extent that any political campaign, any small non-profit, and any advocacy group has to now consider the possible impacts of cyber-attacks against their organizations. These could involve espionage (i.e., internal secrets being leaked) or sabotage (i.e., internal data being corrupted or destroyed). And your adversaries might be criminal hackers or foreign nation-state governments.
If you were a large multinational corporation, you’d have a dedicated team of security specialists to manage your organization. Unfortunately, you’re not and you can’t afford such a team. To help you, this document summarizes low-cost tactics you can take to reduce your vulnerabilities using simple techniques like two-factor authentication, so a stolen password isn’t enough for an attacker to log into your account. This document also recommends particular software and hardware configurations that move your organization “into the cloud” where providers like Google or Microsoft have security professionals who do much of the hard work on your behalf.
HOWTO: Protect your small organization against electronic adversaries [Dan Wallach/Rice University]