In a world where there is an increased threat of security breaches, the collective impact is staggering. Billions of dollars are lost every year as a result of these attacks. A nonprofit’s reputation and ability to raise money could be put at risk, and its ability to fulfill its mission may be forever jeopardized. According to a recent survey by the Nonprofit Technology Network and Microsoft, almost 70% of respondents have documented policies and procedures in case of cyber attack and only 40% of respondents report providing regular cybersecurity training for their staff.
Nonprofit organizations need to start paying more attention. Ask yourself:
- Do you take online donations on your website or conduct any e-commerce activity?
- Do you store any Personally Identifiable Information (PII) about your patients, clients, volunteers or donors?
If you answered yes to one of the two questions above, there is a real risk to your data and your constituents’ information. Here are steps you can take today to protect your data and reputation:
Step 1: Identify the Risks
Start by developing an understanding of the cybersecurity risks confronting your organization including the risks to systems, assets, data and capabilities. As part of this process you should:
- Establish a cybersecurity governance committee. The word governance should not intimidate you: you don’t need to be an IT expert or have a large organization to form one. The committee, which could be made up of business users and IT, should develop information security policies and procedures to manage the cybersecurity risks.
- Assess your data and risk. Take an inventory of your data. Look at all the places you are storing information, including your donor database, website, newsletters, case management application, etc. What kind of data do you have? How sensitive is that information? Where is it stored? What safeguards do you have in place to protect that information?
Step 2: Protect Your Data Against Threats
Develop and implement safeguards against cybersecurity threats by adopting practices that will help limit or contain the impact of a cybersecurity event. For example:
- Conduct training for all staff to ensure everyone is aware of cybersecurity risks and knows the processes to report risks or incidents.
- Establish access control procedures to limit access to your data and adjust when employees change positions or leave the organization.
- Ensure that cybersecurity is considered next time you implement new technology.
Step 3: Implement Security Controls
- Create a backup of all your data regularly to reduce the risk of data loss as a result of a natural disaster or a cyber attack.
- Update software and hardware regularly. Replace any hardware or software that is no longer supported and make sure your software updates are set to automatic or actively managed by your IT team.
- Activate multifactor authentication whenever possible. Multifactor authentication uses additional factors beyond a password to verify identity when accessing your network or an online application.
- Monitor all devices to provide additional protection. Implement enterprise data protection to register and actively monitor all devices that access your data. In addition, this will allow you to remotely encrypt or wipe a lost or stolen device.
This is just a short list of activities you should be taking to protect your organization. However, there are no magic bullets. Nonprofits, like any other organization, need to invest the time and resources to address these challenges. In many cases, cloud computing can help.
How the Cloud Can Help Protect Your Data
As a nonprofit, you should spend most of your time on your mission and not on IT security. Moving some of your systems to the cloud will allow you to simplify governance (no need to install and update software or maintain hardware), but most importantly, the cloud allows organizations to step up their security without large upfront investments. Many cloud-based solutions have more robust cybersecurity infrastructures than what nonprofits could establish on-premise.
Donors need to understand that supporting nonprofits extends beyond immediate program operations, and they should support more technology initiatives. Any organization operating on hardware and software that was developed many years or even decades ago will likely not be able to respond effectively to its constituents in a safe and secure manner. Furthermore, organizations that successfully modernize their technology and cybersecurity practices will not only become more efficient but will also gain the trust of donors and be better positioned to develop meaningful long-term relationships.