When I hand over my personal data to a business or organization, I expect a certain level of discretion on their part when handling that information.
The latest hack into the Equifax credit bureau is the perfect example of the mistrust that festers when companies don’t take the security of their customers’ data seriously.
This is just as important, if not more important, for nonprofits.
Every donation made to a nonprofit includes information that is put into a donor profile—the donor’s name, date of birth, address, phone number, credit card information, and other sensitive personal information. All of this is stored on various forms of nonprofit software. The more data you handle, the higher the risk of a breach.
Donors trust nonprofits to keep their information safe, so it’s important for your nonprofit to maintain that trust. In order to ensure that your nonprofit data remains secure, here are five cybersecurity tips you should implement as soon as possible.
1. Automate all software updates
According to Data Privacy Monitor, most data security breaches are due to human error:
Last year, we identified human error as the leading cause of incidents (37 percent), followed by phishing/malware (25 percent), external theft of a device (22 percent), and employee theft (16 percent). This year, however, phishing/hacking/malware took the top spot, accounting for approximately 31 percent of incidents… When we took a closer look at the underlying issues that allowed the phishing/hacking/malware incidents to occur, however, they could often be attributed to human error in some way.
We are imperfect creatures. We forget things, we put off important tasks, and in doing so, we open ourselves up for future problems.
Relying on your employees to install regular software updates, which typically include security fixes, can weaken your security. Delayed updates leave gaps in your defenses, and your data potentially exposed to hackers.
To solve this problem, it's better not to rely on your employees to apply these updates, and instead to automate the process. If possible, schedule updates to run overnight so they don't interrupt your employees' work during the day, which is the most likely reason your employees delay them in the first place.
2. Fix your login process
While it may be convenient to have your employees use the same login information for certain programs, as many software vendors charge “per user,” all this does is expose your data to breaches that are harder to trace.
With separate login accounts for all employees using a program or database, it is far easier to track logins, changes, and even data removals, down to the individual.
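The traceability argument above is easiest to see on an actual audit log. The following is an added example, not code from the article or from any nonprofit software vendor: it parses a constructed audit log (the line format is an assumption), reports which account performed each sensitive action, and flags an account that was active from two different addresses within minutes, which is the signature of a shared login whose actions can no longer be pinned to one person.

```python
"""Per-user audit trail vs. shared logins: attribute sensitive actions to an
account and flag accounts that look shared (used from several addresses at
once). Added example; the log format below is constructed, not a real product's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: ISO timestamp followed by key=value fields.
# "frontdesk" is a shared account; "m.garcia" and "j.lee" are individuals.
SAMPLE_LOG = """\
2017-09-20T09:12:03Z user=frontdesk ip=10.0.0.12 action=view_donor id=4411
2017-09-20T09:12:40Z user=frontdesk ip=10.0.0.57 action=export_donors count=3200
2017-09-20T09:13:05Z user=frontdesk ip=10.0.0.12 action=update_donor id=4411
2017-09-20T09:15:22Z user=m.garcia ip=10.0.0.31 action=view_donor id=1092
2017-09-20T09:16:00Z user=m.garcia ip=10.0.0.31 action=delete_donor id=1092
2017-09-20T10:45:11Z user=j.lee ip=10.0.0.44 action=view_donor id=2201
"""

# Actions worth attributing to a named person (assumed set).
SENSITIVE_ACTIONS = {"export_donors", "delete_donor"}


def parse_log(text):
    """Turn each log line into a dict with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def sensitive_actions_by_user(events):
    """Who exported or deleted what. Only answers 'who' when every account
    belongs to exactly one person."""
    result = defaultdict(list)
    for event in events:
        if event["action"] in SENSITIVE_ACTIONS:
            result[event["user"]].append(event["action"])
    return dict(result)


def flag_shared_accounts(events, window=timedelta(minutes=5)):
    """An account seen from two different IPs within `window` is probably
    shared, so its actions cannot be traced to an individual."""
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user[event["user"]].append(event)
    flagged = {}
    for user, user_events in by_user.items():
        for earlier, later in zip(user_events, user_events[1:]):
            if earlier["ip"] != later["ip"] and later["ts"] - earlier["ts"] <= window:
                flagged.setdefault(user, set()).update({earlier["ip"], later["ip"]})
    return {user: sorted(ips) for user, ips in flagged.items()}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, actions in sensitive_actions_by_user(events).items():
        print(f"{user}: {', '.join(actions)}")
    for user, ips in flag_shared_accounts(events).items():
        print(f"account {user!r} used from {ips} within minutes; "
              "cannot attribute its actions to one person")
```

With the sample log, the export of 3,200 donor records is attributed to `frontdesk`, and `frontdesk` is flagged as shared because it was used from two addresses 37 seconds apart; the delete by `m.garcia` is attributable to one person.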
Some IT professionals recommend the age-old practice of regularly changing passwords in order to deter outside invaders, but it turns out that this doesn't necessarily do much to hinder attackers, according to Wired:
The Carleton researchers demonstrate mathematically that frequent password changes only hamper such attackers a little bit—probably not enough to offset the inconvenience to users.
The truth is, taking the time to create passwords that are hard to guess also makes them hard to remember, so most of the time employees will just make slight variations on an already memorized password.
That's not to say passwords should never change, but it is far more important to make sure that employee passwords are strong from the get-go. In order to build strong passwords, recommend that your employees use tools such as the Password Meter to test the strength of their new passwords before changing them.
As for the frequency of changing passwords, the FTC recommends that passwords should be changed by necessity, not on a regular schedule:
So, should you ever change your password? Well, sometimes. If you have reason to believe your password has been stolen, you should change it, and make sure you change it on all of your accounts where you use the same or a similar password. If you shared your password with a friend, change it. If you saw someone looking over your shoulder as you were typing your password, change it. If you think you might have just given your password to a phishing website, change it. If your current password is weak, change it.
In other words, if it isn’t broken, there’s no need to fix it.
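The two points above, strength at the time a password is set and the "slight variation on an already memorized password" problem, can both be enforced at change time, when the user has just typed the old and new password. The following is an added example, not code from the article or from the Password Meter tool it mentions; the 12-character minimum, the three-character-class rule, the similarity threshold and the tiny wordlist are all assumptions to adjust to your own policy.

```python
"""Password-change check: insist on a strong new password and reject 'slight
variations' of the old one (Summer2017! -> Summer2018!).

Added example, not from the article or from Password Meter. The length and
character-class thresholds and the tiny wordlist are assumptions."""
import re
from difflib import SequenceMatcher

# Constructed stand-in for a real list of commonly used passwords.
COMMON_WORDS = {"password", "welcome", "letmein", "nonprofit", "donor", "qwerty"}

# Undo the usual letter-for-symbol swaps: P@ssw0rd -> password.
LEET = str.maketrans("@$!01345", "asioleas")


def normalize(pw):
    """Reduce a password to its memorized 'core': lowercase, leading and
    trailing digits/symbols removed, leetspeak undone."""
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # Summer2018! -> summer
    core = re.sub(r"^[^a-z]+", "", core)   # 1password -> password
    return core.translate(LEET)            # p@ssw0rd -> password


def is_trivial_variation(old, new, threshold=0.8):
    """True when the new password has the old one's core, or nearly so."""
    a, b = normalize(old), normalize(new)
    if not a or not b:
        return False
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold


def strength_issues(pw, min_len=12):
    """Plain strength rules; returns a list of reasons, empty when none apply."""
    issues = []
    if len(pw) < min_len:
        issues.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        issues.append("uses fewer than 3 character classes")
    if normalize(pw) in COMMON_WORDS:
        issues.append("is a common word dressed up with digits or symbols")
    return issues


def evaluate_change(old, new):
    """Returns (accepted, reasons). The old password is only ever compared
    here, at change time, when the user has just typed both."""
    issues = strength_issues(new)
    if is_trivial_variation(old, new):
        issues.append("is a slight variation of the previous password")
    return (not issues, issues)


if __name__ == "__main__":
    for old, new in [("Summer2017!", "Summer2018!"),
                     ("P@ssw0rd", "Password123!"),
                     ("Summer2017!", "harbor-quiet-Lantern-48")]:
        ok, why = evaluate_change(old, new)
        print(f"{new!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

`Summer2018!` is rejected both for length and because its core is the same as `Summer2017!`; `Password123!` is rejected as a dressed-up common word and as a variation of `P@ssw0rd`; the unrelated passphrase is accepted. Rejecting at this point costs the employee one retry instead of leaving a predictable password in service.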
3. Implement mobile device protocols
All of your employees carry powerful computers in their pockets that are able to access almost everything that a computer can—this creates potential security weaknesses for your nonprofit.
While it isn't reasonable to ban the use of mobile phones at work or for work-related purposes, it's important to set up protocols for their use.
These protocols could include:
- Require employees to set up passcode protection on their devices and, if they already have it, to make sure the passcode is hard to guess. For instance, if your employees use 4-digit PINs to unlock their devices, require a 6-digit passcode in order to access your organization's network.
- Require employees to install security apps chosen by your organization to protect your nonprofit data when employees are using public networks.
- Require employees to use secure email apps or encryption services when dealing with sensitive organization data on personal devices.
Taking these precautions guards your nonprofit data from human error, especially since we all tend to spend a lot of time on our mobile devices.
4. Limit employees’ access to data
While we all worry about external threats to our technology, what is often overlooked is the frequency of internal leaks and breaches of data.
According to Harvard Business Review and IBM's 2016 Cybersecurity Intelligence Index, 60% of all breaches and attacks were carried out by insiders. Three-quarters of these internal breaches were done with malicious intent, while only one-quarter of them were due to "inadvertent actors," or in other words, by accident.
It's impossible to completely isolate yourself from internal breaches, but you can limit the likelihood of one happening if you only give access to data to those who truly need it.
While it’s convenient to simply give access to all systems to all employees, all that does is increase the chances that data will end up somewhere it shouldn’t be. There are instances where employees will need information that they don’t have access to, but that information should only be given on a case-by-case basis, rather than through a blank check.
Luckily, most nonprofit software offers administrative controls that restrict access to certain areas and functions, giving you the means to limit individual employees' access.
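The "case-by-case basis, rather than a blank check" rule from the previous paragraphs maps onto a small access model: roles carry the default permissions, and anything outside a role is a one-off grant that names an approver and a reason and expires on its own. The following is an added example with constructed roles and data-set names; it is not any nonprofit product's real permission model, and `AccessPolicy` and its methods are names chosen for this illustration.

```python
"""Least-privilege access for donor data: role-based defaults plus time-limited,
approved exceptions instead of a 'blank check'.

Added example with constructed roles and data sets; not a real product's model."""
from datetime import datetime, timedelta

# Constructed role -> data-set mapping (assumption; adjust to your organization).
ROLE_PERMISSIONS = {
    "fundraiser": {"donor_contacts", "campaign_stats"},
    "finance": {"donor_contacts", "donor_payments", "finance_reports"},
    "volunteer_coordinator": {"volunteer_roster"},
    "admin": {"donor_contacts", "donor_payments", "finance_reports",
              "campaign_stats", "volunteer_roster", "user_accounts"},
}


class AccessPolicy:
    def __init__(self, roles):
        self.roles = roles        # user -> role
        self.exceptions = []      # case-by-case grants, each with an expiry
        self.audit = []           # every decision, for later review

    def grant_exception(self, user, dataset, approver, reason, hours, now):
        """A one-off grant: scoped to one data set, justified, approved by an
        admin, and expiring on its own so it never becomes a standing right."""
        if self.roles.get(approver) != "admin":
            raise PermissionError("only an admin may approve an exception")
        self.exceptions.append({
            "user": user, "dataset": dataset, "approver": approver,
            "reason": reason, "expires": now + timedelta(hours=hours),
        })

    def can_access(self, user, dataset, now):
        """Allow via role first; otherwise only via an unexpired exception."""
        role = self.roles.get(user)
        allowed = dataset in ROLE_PERMISSIONS.get(role, set())
        via = "role" if allowed else None
        if not allowed:
            for ex in self.exceptions:
                if (ex["user"] == user and ex["dataset"] == dataset
                        and now < ex["expires"]):
                    allowed, via = True, "exception"
                    break
        self.audit.append((now, user, dataset, allowed, via))
        return allowed


if __name__ == "__main__":
    now = datetime(2017, 9, 20, 9, 0)
    policy = AccessPolicy({"j.lee": "fundraiser", "m.garcia": "finance",
                           "d.admin": "admin"})
    print(policy.can_access("j.lee", "donor_contacts", now))    # True, by role
    print(policy.can_access("j.lee", "finance_reports", now))   # False
    policy.grant_exception("j.lee", "finance_reports", "d.admin",
                           "quarterly board report", hours=4, now=now)
    print(policy.can_access("j.lee", "finance_reports", now + timedelta(hours=1)))  # True
    print(policy.can_access("j.lee", "finance_reports", now + timedelta(hours=5)))  # False
    for entry in policy.audit:
        print(entry)
```

The audit list records each decision together with how it was reached, so a reviewer can see that the fundraiser read the finance report under an approved exception rather than a standing permission, and that the exception lapsed after four hours.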
5. Limit administrative authority on computers
It’s not necessarily productive to seize all administrative functions on work computers, since every exception would require assistance from your IT team. However, there are methods to maintain control of major computing functions while granting your employees some discretion.
PCWorld put together a guide to maintaining control of your work computers running Windows while keeping your employees happy. The guide is from 2012; however, the suggestions it makes are still applicable to modern Windows systems.
They recommend granting certain administrative privileges, while leaving the baseline functions to your IT team. Your employees still have the ability to change certain settings on their computers to suit their personal needs, including installing new programs. However, you can restrict certain functions, such as uninstalling or disabling proprietary software such as antivirus tools, firewalls, and monitoring programs.
Maintaining control of this proprietary software removes the threat of employees disabling (maliciously or accidentally) the security features that protect your nonprofit data.
Other nonprofit tips and resources
Data security is an increasing concern and we all share the responsibility for keeping sensitive information away from those who would use that data for less than noble purposes. What policies have you implemented at your nonprofit to protect your data? Let me know in the comment section below!
If you enjoyed this piece, there are plenty of other useful tip lists, guides, and resources on the Capterra nonprofit technology blog.