Many mandatory employee training programs, frequently rolled out in October (October is Cybersecurity Awareness Month), focus on how important it is for individual employees to feel accountable for their employer’s cybersecurity. This is for good reason. According to the World Economic Forum’s Global Risks Report from earlier this year, “Businesses… operate in a world in which 95% of cybersecurity issues can be traced to human error, and where insider threats (intentional or accidental) represent 43% of all breaches.”
Nonprofit organizations employ people too, so they are not exempt from this trend. Our business objectives call for more actionable data at the same time as our state governments call for more transparency about what data we collect and how we use it, and we are left to work out data security on our own. This is NOT typically what draws mission-driven people to work for nonprofits. Hopefully, being mission-driven does make it easier to accept that cybersecurity is everyone’s responsibility.
Here are a few scenarios common to the charitable workplace, large and small, where we should be asking ourselves whether our data, platforms, or workflows expose us to risk:
- Gift processing
- System integrations and/or upgrades
- Data sharing across national, chapter, and affiliate organizations, with data security treated as a priority in the collaboration
- Any workflow that has been “customized” over the years
- Any workflow with one point of knowledge
- Events/off-site activities
These suggestions for mitigating our risk exposure come directly from experience working at multiple nonprofit organizations:
- Make sure your donation processing protects all the information on the reply device and the check. Just as you set up a secure, restricted area for processing to protect the donations themselves, make sure your data entry procedures are secure; the next bullet gives an example.
- Do not email donor lists, event attendee lists, or really any spreadsheet that contains personally identifiable information. An attachment can be forwarded anywhere and can never be recalled. Instead, share data and files through a secure file transfer service (SFTP), SharePoint, or Google Drive, where access can be limited to named people and revoked later.
- Use Visio, Lucidchart, or some other system of record to document all your integrations and APIs, including what data each one moves and which credentials it uses.
- Working from home has made this a little safer, but it is never a best practice to keep your passwords on a Post-it note. Limit who has administrative access to software and APIs, use a password manager for all administrative logins, and turn on multi-factor authentication wherever those accounts support it.
- Document all workflows, and keep the documentation up to date! Long-term employees are worth their weight in gold, but organizations need to be prepared for them to move on. If a process critical to your efforts is not documented, your organization is at risk: there is only one knowledge-holder and zero redundancy.
- Be aware of the limits on data collection specific to your organization. For example, even if you are a research-based organization, do not collect health information if you are not HIPAA-compliant. Other sensitive data can be collected but must be stored carefully. Credit card numbers should never sit in your CRM or spreadsheets at all; let your payment processor tokenize them, so that you hold only an opaque token and the last four digits. Social Security numbers should likewise be tokenized or encrypted in a separate, restricted store rather than kept in the working database.
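To make the tokenization point concrete, here is an added example (not code from the original article or any particular CRM or payment processor). It shows the pattern: the working record that staff and spreadsheets see keeps only an opaque token plus a harmless hint (the last four digits), while the real card number or Social Security number lives in a separate, access-restricted vault. The class and function names (TokenVault, protect_record, contains_raw_pii) are hypothetical, and the donor record is constructed sample data; in production the vault role is played by your payment processor or a hardened store, not an in-memory dictionary.

```python
"""Added example, not from the original article: minimal tokenization of
card numbers and Social Security numbers. The CRM row keeps only a token
and the last four digits; the vault alone can map a token back. All names
here are hypothetical and the sample donor is constructed."""
import hashlib
import hmac
import re
import secrets
import string

TOKEN_ALPHABET = string.ascii_letters  # letters only: a token can never be mistaken for a PAN or SSN
TOKEN_LENGTH = 24                      # 52**24 > 2**137 possible tokens


def only_digits(value: str) -> str:
    """Strip spaces, dashes and anything else that is not a digit."""
    return "".join(ch for ch in value if ch.isdigit())


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects mistyped card numbers before they are stored anywhere."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for a real vault (e.g. your payment processor's).
    Only code with vault access can turn a token back into a value."""

    def __init__(self) -> None:
        self._value_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}
        self._fingerprint_key = secrets.token_bytes(32)  # secret key for duplicate lookup

    def _fingerprint(self, value: str) -> str:
        # Keyed HMAC rather than a bare hash: a 16-digit PAN has far too little
        # entropy to survive an offline brute force of a plain SHA-256 table.
        return hmac.new(self._fingerprint_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return the token for value, reusing the existing token if the value was seen before."""
        fp = self._fingerprint(value)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        token = "tok_" + "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
        self._value_by_token[token] = value
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Privileged operation: the CRM never needs this, only the processor/vault side does."""
        return self._value_by_token[token]


def protect_record(raw: dict, vault: TokenVault) -> dict:
    """Return a CRM-safe copy of raw: card_number and ssn replaced by tokens, other fields unchanged."""
    safe = {k: v for k, v in raw.items() if k not in ("card_number", "ssn")}
    if "card_number" in raw:
        pan = only_digits(raw["card_number"])
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("card number fails length or Luhn check; refusing to store it")
        safe["card_token"] = vault.tokenize(pan)
        safe["card_last4"] = pan[-4:]   # enough to answer "which card?", useless to an attacker
    if "ssn" in raw:
        ssn = only_digits(raw["ssn"])
        if len(ssn) != 9:
            raise ValueError("SSN must be nine digits")
        safe["ssn_token"] = vault.tokenize(ssn)
    return safe


RAW_DIGIT_RUN = re.compile(r"\d{9,}")   # 9+ digits once separators are removed: an SSN or a PAN


def contains_raw_pii(record: dict) -> bool:
    """Cheap pre-share check: does any text field still hold a raw SSN- or PAN-length digit run?"""
    return any(
        RAW_DIGIT_RUN.search(re.sub(r"[\s-]", "", v))
        for v in record.values() if isinstance(v, str)
    )


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample donor; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    donor = {"name": "Pat Donor", "card_number": "4111 1111 1111 1111", "ssn": "123-45-6789"}
    crm_row = protect_record(donor, vault)
    print(crm_row)                                              # tokens and last4 only
    print(contains_raw_pii(donor), contains_raw_pii(crm_row))   # True False
    print(vault.detokenize(crm_row["card_token"]))              # only the vault side can do this
```

Two design choices are worth noticing. Tokens are built from letters only, so a digit-scanning check such as contains_raw_pii (or a commercial DLP filter) can never confuse a token with a real number, and the duplicate-lookup index uses a keyed HMAC rather than a plain hash, because a bare SHA-256 of a card number is trivially brute-forced offline. If your CRM row fails contains_raw_pii, it is safe to put in a shared spreadsheet; the raw donor record is not.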
In the event you spot a risk, know where to take your concern. Organizations should have a simple, well-publicized way to report any issue to IT for review. It could be posted on your intranet or in an internal newsletter. Some organizations publish incident contact trees or create a general email alias for reporting suspicious emails, such as firstname.lastname@example.org. If you don’t know where to go with your concern, find out now, before you need it. And do not be afraid to report an incident you may have inadvertently caused. Alert IT and let them get ahead of the issue. Any breach leaves a digital footprint in logs and audit trails, so it will not stay anonymous, and it is far better to raise the concern yourself than to have it found later.
We can all identify with these scenarios and with the points raised. There are some exceptional stories and tales of what NOT TO DO. We have all witnessed a colleague (or in some cases been the perpetrator) unknowingly clicking a link, forwarding an email, or attaching a data file that opened the organization to security risk. No one sets out to expose the organization to risk. The key is to stay informed, share ideas, and help guide our co-workers and volunteers on how to keep security in mind while working. As technology becomes a larger part of our day-to-day lives, we are more aware that there is everyday risk. The point is that cyber- and data security is an ongoing, evolving learning opportunity for every member of the organization. Setting up best practices for the places where you might have gaps in security, and auditing those practices regularly, will establish a foundation moving forward. Your organization’s reputation as a good steward of constituent information depends on building a strong security practice and making it an organization-wide initiative.