After hearing about all the massive breaches over the last few years, nonprofit directors and managers are now more aware of their risks of being hacked. Security has taken on new meaning as businesses and associations start putting defensive measures in place.
Even nonprofits for children aren’t safe. The Save the Children Federation in Fairfield, Connecticut was hacked twice in 2017, and criminals stole more than $1 million. The loss was reported on the organization’s U.S. Federal Form 900 filed with the Internal Revenue Service (IRS) and picked up by news agencies. This certainly isn’t good news for PR purposes or for attracting funding.
Information security should be a priority. You could be doing everything else right, but if you don’t mitigate risk and protect your nonprofit organization’s confidential data, you could face a costly data breach. Just one breach could result in hefty fines, penalties, expensive litigation and a ruined reputation that scares donors away.
Just like other businesses in the Greater Toronto Area, your nonprofit must make information security a priority. Did you know that your nonprofit is actually more vulnerable due to the volume and sensitivity of the data you store on both your donors and those you help? Yet for many in the nonprofit sector, implementing cybersecurity measures seems a daunting task due to the perceived costs and the skills required to know just what to do. But it doesn’t have to be.
You should outsource your IT security and management needs to a Managed Service Provider (MSP) who will analyze your infrastructure and come up with a plan for an affordable, fixed monthly fee that you can budget for.
Along with this, there are steps you can take to protect your data. Here are 7 to get you started:
1. Tap a Cybersecurity Chief On Your Staff. Appoint someone in-house who will be your point of contact to lay down the law about secure IT best practices. This person will be your liaison with your outsourced IT team. They should also understand and help to enforce the regulations and security policies you must comply with.
2. Develop a Backup & Disaster Recovery Plan With Your IT Provider. You must have a backup copy of your data in case it’s stolen or accidentally deleted. Develop a policy that specifies what information is backed up, how often it’s backed up, where it’s stored and who has access to the backups.
Back up to both an external drive in your office and a remote, secure, online data centre that your IT company provides. Do this daily. Your IT provider can set backups to occur automatically. And make sure your backup systems are encrypted. Your IT provider should also test your backups regularly for recoverability. This is fundamental to your security and your ability to restore data should something happen.
3. Train Your Users. Your IT company can provide Security Awareness Training for your employees and volunteers. Your staff can have a significant effect on your cybersecurity – either they know enough to keep your assets secure, or they don’t, and thus present a serious threat to your IT security.
Security awareness training helps them know how to recognize and avoid being victimized by phishing emails and scam websites. They learn how to handle security incidents when they occur. If your workers are informed about what to watch for, how to block attempts and where they can turn for help, this alone is worth the investment.
And make sure that they are trained several times a year. People must be reminded often about cyber threats. Plus, new threats are always being distributed, so it’s essential to stay up-to-date. Ongoing training and testing reduce the human error that increases cybersecurity risk.
4. Keep Your Systems & Software Current. Software developers are diligent about releasing patches for new security threats. Make sure you install them as soon as they’re released. If you don’t, your IT system will be vulnerable to cyber attacks.
If possible, set your systems to update automatically. Auto-updates will prevent you from missing critical updates. This is one of the most effective things you can do. It prevents security gaps and will limit system vulnerabilities that hackers find and exploit. Outdated software and operating systems that don’t receive security patches or support leave you exposed.
Replace all outdated software before the developers end support. For example, Microsoft announced they are stopping mainstream support for Windows 7. This is a popular operating system, so this creates concern for many. All support for Windows 7 will end on January 14, 2020. This means that you won’t get bug fixes or security updates from Microsoft. Over time, the declining security and reliability of Windows 7 will make your computers vulnerable.
5. Ask Your IT Service Company To Provide a Layered Defence. You shouldn’t rely on just one security mechanism to protect sensitive data. If it fails, you have nothing left to protect you.
6. Enforce Access Policies. Know who has access to your data and enforce a “need-to-know” policy. Restrict access to data to only those who need it to do their jobs. Employ role-based access controls with secure logins. Limiting your employees’ authorization with role-based access controls prevents network intrusions and suspicious activities. Define user permissions based on the access needed for their particular job. For example, your receptionist might not need access to donor data.
With BYOD (Bring Your Own Device) use, mobile devices like smartphones, tablets and laptops present significant security challenges. They can be exposed to external threats, infections, and hackers; and when they’re connected to your network, can compromise your IT security.
Establish security policies for the use of mobile devices on your network. They should be password-protected so only authorized users can use them. Instruct your staff to only use devices that belong to them and have been protected by your security policies. Ask your IT provider about Mobile Device Management that will wipe data from a device if it’s lost or stolen.
7. Enforce Strict Password Policies. Poor password practice is one of the weakest links in your security defence. Have your users create long (more than 12 characters) and complex passwords, and never use the same passwords for different uses. If one gets cracked, then a hacker can use it to access information in other places.
It’s easy for hackers to crack passwords that contain only letters and numbers. Be sure to add special characters. And don’t use words in your passwords – only letters, numbers and symbols that don’t mean anything. Think of a phrase that you can remember and use the first letters of its words. Consider using a $ instead of an S or a 1 instead of an L, or including &, #, @ or %.
Also, consider using a password manager like LastPass or Dashlane, where your users can create and store strong passwords for their different accounts.
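As an added example (not code from the original post), here is a Python policy check that encodes the rules above: more than 12 characters, letters plus digits plus symbols, no recognisable word, and no reuse across accounts. The word list is a constructed stand-in for a real dictionary, and the check also reverses the $-for-S and 1-for-L style substitutions so that a word disguised that way is still flagged, which is the check a practitioner would want before accepting a password.

```python
import re
from typing import Iterable, List

# Assumption (not from the post): "more than 12 characters" means 13 or more.
MIN_LENGTH = 13

# Constructed mini word list; a real deployment would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "toronto", "donor", "charity", "summer"}

# Reverse the usual look-alike substitutions so "d0n0r" or "p@$$word"
# is still recognised as the word it is built from.
_UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                         "7": "t", "$": "s", "@": "a"})


def contains_dictionary_word(password: str, words: Iterable[str] = COMMON_WORDS,
                             min_len: int = 4) -> bool:
    """True if any word of at least min_len letters appears in the password
    once case and look-alike substitutions are normalised away."""
    normalised = password.lower().translate(_UNLEET)
    return any(len(w) >= min_len and w in normalised for w in words)


def check_password(password: str, used_elsewhere: Iterable[str] = frozenset()) -> List[str]:
    """Return the policy rules the password violates (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    if password in set(used_elsewhere):
        problems.append("already used for another account")
    return problems


def initials_from_phrase(phrase: str) -> str:
    """The post's mnemonic: keep the first character of every word in a phrase."""
    return "".join(word[0] for word in phrase.split())


if __name__ == "__main__":
    # Constructed sample phrase; its initials pass every rule above.
    phrase = "Our 12 Toronto volunteers serve 300 hot meals every Saturday & Sunday, rain or shine!"
    candidate = initials_from_phrase(phrase)
    print(candidate, check_password(candidate))
    print(check_password("Summer2019"))
```

Running the block prints the derived password with an empty problem list, and then the three rules that a short, word-based password like "Summer2019" breaks.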