How to Protect Your Nonprofit Organization's Data
March 23, 2015
Two weeks ago, I pointed out reasons why leaders of nonprofit organizations should be concerned about data security. This week, I'll tackle some simple ways that you can protect your organization and its data from hackers and criminals.
One of the resources that I find helpful is a Chamber of Commerce booklet, Internet Security Essentials for Businesses 2.0. Although it's written with for-profit businesses in mind, all of its recommendations are applicable to not-for-profit organizations as well.
Set Up a Secure System
- Designate a person to handle security and preparedness. This person could be an existing IT or business manager, but it's critically important that someone in your organization be responsible for determining what information needs protection, maintaining the hardware and software the organization would need to keep operating should there be a data breach, and developing a plan for responding to cyber security incidents.
- Control network access. One of the easiest ways of preventing data breaches is to control the information that employees (and others) have access to. Consider installing a firewall with strong access controls, or at least install and keep updated effective anti-virus software on your network.
- Keep software current. Keeping your software and applications up to date will help guard against many kinds of data breaches. Make sure that your employees all install security updates and patches when they can't be applied automatically.
Protect Business Data
- Organize business data and assess risk. Businesses and not-for-profit organizations have an array of information that requires protection (e.g., personnel records, tax forms, donor information, client and beneficiary data). You should organize the information that you keep, know where and how it is stored, and prioritize it by level of importance.
- Manage the security of business data. You keep valuable and sensitive data on your computers and networks, so you should establish a policy for your team on the acceptable use of information resources and IT systems.
- Back up data regularly. Data backup is now a relatively simple and inexpensive process, but how many of us forget to do this on a regular basis? You should select the appropriate hardware to store your backed-up data and then safely store the backup device that holds the copied files.
- Dispose of data and media safely and securely. Hard drives and other computer equipment may contain saved information even if that information has been "deleted." Be sure to discard computers and equipment in a way that follows best practice and is consistent with legal requirements.
Train Your Workforce
- Defend your computer. The security of your computers and networks is crucial for your employees and your organization. Make sure that you've installed anti-virus and anti-spyware software, and protect your routers and software packages with strong passwords. Don't be tricked into downloading malicious software. Think carefully before opening suspicious attachments.
- Protect sensitive business data - and watch out for scams. Don't put sensitive and confidential information in email or text messages. If you are unsure if a message is genuine, contact the sender through another device or network. Never share sensitive data - such as personally identifiable information - in response to a phone call or online inquiry.
- Create strong passwords and keep them secret. Passwords provide the first line of defense against unauthorized access to your data, but how many of us use weak passwords - or ones that are easily identifiable to hackers? Secure passwords have at least eight characters and utilize upper and lower cases, numbers and symbols. Don't include your real name, birth date, social security number, or common brand names in your passwords.
- Guard your data when on the go. Treat all public Wi-Fi systems as a security risk. Do not expect privacy in Internet cafes, hotels, offices or public places. Use flash drives sparingly or not at all.
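As an added illustration of the password rules in the "Create strong passwords" item (example code written for this page, not from the post or the Chamber booklet), the check below flags passwords that are shorter than eight characters, lack mixed case, digits or symbols, or contain the user's name, birth date or social security number. The name, birth date and SSN used in the demo are constructed sample values.

```python
import re
from datetime import date


def _date_forms(d: date) -> set[str]:
    """Digit strings that commonly encode a birth date inside a password."""
    return {
        f"{d.year}",
        f"{d.month:02d}{d.day:02d}",
        f"{d.day:02d}{d.month:02d}",
        f"{d.month:02d}{d.day:02d}{d.year}",
        f"{d.month:02d}{d.day:02d}{d.year % 100:02d}",
        f"{d.year}{d.month:02d}{d.day:02d}",
    }


def password_issues(password, personal_terms=(), birth_date=None, ssn=None):
    """Return a list of policy violations; an empty list means the password passes."""
    issues = []
    if len(password) < 8:
        issues.append("fewer than 8 characters")
    if not re.search(r"[a-z]", password):
        issues.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        issues.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        issues.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        issues.append("no symbol")
    lowered = password.lower()
    # Names and brand names are matched case-insensitively as substrings.
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            issues.append(f"contains personal or brand term '{term}'")
    # Date and SSN checks look only at the digits, so "Jane-03.14.1985" is still caught.
    digits = re.sub(r"\D", "", password)
    if birth_date and any(form in digits for form in _date_forms(birth_date)):
        issues.append("contains birth date")
    if ssn:
        ssn_digits = re.sub(r"\D", "", ssn)
        if ssn_digits and (ssn_digits in digits or ssn_digits[-4:] in digits):
            issues.append("contains social security number")
    return issues


if __name__ == "__main__":
    # Constructed sample profile; a real deployment would read these from the user record.
    profile = dict(personal_terms=("Jane", "Doe"), birth_date=date(1985, 3, 14), ssn="123-45-6789")
    for candidate in ("janedoe1", "Secure#1985x", "Tr0ub4dor&3"):
        print(candidate, "->", password_issues(candidate, **profile) or "OK")
```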
Be Prepared to Respond to an Incident
- Log monitoring. Managers should continuously monitor their organization's log data. Use indexing technologies in lieu of databases to help collect, analyze and correlate logs so that they are easy to use and understandable. The Chamber recommends that these technologies should include search capabilities, automated searches, statistical analysis and data visualization in order to identify abnormal activities and possible breaches.
- Make a plan to address cyber incidents. The best time to plan on how to respond to a disaster is not during the incident. Make a plan on how to respond in a fast and efficient manner in order to minimize damage, recover quickly and prevent future incidents. End users should be familiar with symptoms that might indicate an incident and know what to do. Threats against your organization can quickly spill over into other businesses, so communication and information sharing are key.
I hope these tips are helpful. They're easy to follow and they might make the difference between a secure data workplace and an insecure one. If you have a question or comment, follow me on Twitter at @timmcclimon and let's continue the conversation there.
In two weeks: Will 2015 Be the Year of Sustainability?
P.S. Time Warner Cable is hosting a conference on Cyber Resiliency for Nonprofits in Los Angeles on Friday, March 27, 2015. Here's the link.
Welcome to CSR Now!, a weekly blog designed to get at what’s happening in Corporate Social Responsibility today – from the point of view of a corporate practitioner.