Nonprofits need to prioritize cybersecurity
As marketers, fundraisers and public service providers, nonprofits are handling sensitive information every day. Strategies to improve service delivery and execute fundraising campaigns are driven by an abundance of information and data originating from donors, employees and beneficiaries, among others. As the nonprofit sector continues to grow, already reaching more than 1.5 million nonprofit organizations in the U.S. today, the security and responsible stewardship of data is not only critical to mission delivery but an organization’s reputation.
Cyber threats and breaches have already tarnished reputations and halted business operations for major market leaders, including Target, Yahoo and the U.S. government. The lure in all three of these examples is personal data derived from employees, application users and/or customers.
The nonprofit sector is not immune to these threats. With demand for nonprofit services increasing and online and mobile payments on the rise, nonprofits are handling more sensitive information than ever before.
However, according to the most recent Not-for-Profit Governance Survey, 71% of not-for-profits have not conducted a cybersecurity vulnerability assessment, and 69% do not have a cybersecurity breach response plan in place.
But where do you start? With limited budgets and significant gaps in technically trained staff, I understand that cybersecurity seems like a daunting new frontier. However, the risk is real and the cost of not being prepared is potentially detrimental both to your organization and your stakeholders.
So here are some initial steps to get started – all of which I, a non-cybersecurity expert, have tried:
1. Data Map
Start by establishing a baseline understanding about the data your organization maintains. This is often a simple Excel spreadsheet exercise. You will want to identify the following information:
Data – what is the dataset (e.g. employee files or donor transaction records)? Is it personally identifiable information (described below)?
Use – what is the information used for?
Storage – where is it currently stored, noting whether the data is stored by a third-party vendor or on site (e.g. on a hard drive)?
Access – how is the information accessed, what information is required to gain access, and who has access (e.g. are there additional security questions, is an email address or a unique user name or both required, are you able to set up user roles)?
Backup – how often is the data backed up? Where is the data backed up?
Responsible individual – who is responsible for managing and protecting the data?
2. Data Classification
There are many different kinds of data within an organization. Once you know all the data your organization is collecting and using, it is important to classify the data to determine appropriate use and security. Generally, consider these three classifications to start:
Sensitive – This is the most sensitive type of data, legally classified as “personally identifiable information.” This is any information that can reasonably lead to the identity of an individual (e.g. name, address, social security number or other identifying number or code, telephone number, email address, etc.).
Private – This data is proprietary to the organization. It is generally protected to ensure a competitive position or confidential strategy.
Public – This is data that is publicly available through other sources.
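The data map fields from step 1 and the three classifications from step 2 can be combined into a simple review script. The following is an added example, not part of the original post: it reads a data map in the spreadsheet layout described above (exported as CSV), assigns each dataset a classification, and flags the gaps a reviewer would look for (no responsible individual, no backup, sensitive data without multi-factor authentication, and third-party or cloud storage that calls for vendor compliance proof). The sample rows and the starter list of identifying field names are constructed for illustration and are assumptions, not a legal definition of personal information.

```python
import csv
import io

# Constructed sample data map, one row per dataset, in the column layout the
# post describes. Values are made up for illustration only.
SAMPLE_DATA_MAP = """dataset,use,storage,access,backup,responsible_individual,fields
Donor transaction records,Fundraising reconciliation,Third-party payment processor,Email + password + MFA; finance role,Daily,Finance Director,"name,email,address,card_last4"
Employee files,HR administration,On-site file server,Shared office password,Never,,"name,ssn,address,salary"
Annual report PDFs,Public communications,Website,Public,Weekly,Communications Lead,"program_totals"
Grant strategy memo,Board planning,Cloud drive,Email + password; board role,Weekly,Executive Director,"strategy_notes"
"""

# Assumed starter list of field names that identify a person, drawn from the
# examples in the post. Extend it to match your own spreadsheet's vocabulary.
PII_FIELDS = {"name", "address", "ssn", "social_security_number", "phone",
              "telephone", "email", "card_last4", "account_number"}


def classify(row):
    """Assign one of the post's three tiers to a data map row.

    Sensitive: contains any identifying field.
    Public:    the access column says the data is openly available.
    Private:   everything else (proprietary to the organization).
    """
    fields = {f.strip().lower() for f in row["fields"].split(",") if f.strip()}
    if fields & PII_FIELDS:
        return "Sensitive"
    if row["access"].strip().lower() == "public":
        return "Public"
    return "Private"


def find_gaps(row, classification):
    """Return the review findings for one row as a list of short strings."""
    gaps = []
    if not row["responsible_individual"].strip():
        gaps.append("no responsible individual")
    if row["backup"].strip().lower() in ("", "never", "none"):
        gaps.append("no backup")
    # For Sensitive data, expect MFA to be mentioned in the access description.
    if classification == "Sensitive" and "mfa" not in row["access"].lower():
        gaps.append("sensitive data without multi-factor authentication")
    # Anything held by a vendor should be backed by compliance proof (step 3).
    storage = row["storage"].lower()
    if "third-party" in storage or "cloud" in storage:
        gaps.append("vendor-hosted storage: confirm compliance proof and contract terms")
    return gaps


def review_data_map(csv_text):
    """Classify every dataset in a CSV data map and collect its gaps."""
    reader = csv.DictReader(io.StringIO(csv_text))
    report = {}
    for row in reader:
        tier = classify(row)
        report[row["dataset"]] = {"classification": tier,
                                  "gaps": find_gaps(row, tier)}
    return report


if __name__ == "__main__":
    for name, result in review_data_map(SAMPLE_DATA_MAP).items():
        print(f"{name}: {result['classification']}")
        for gap in result["gaps"]:
            print(f"  - {gap}")
```

Export the spreadsheet from step 1 to CSV with these column headings, pass its contents to review_data_map, and the gap list becomes the starting agenda for steps 3 and 4. The classification rules are deliberately simple; the value is in making the review repeatable so the map stays current as datasets are added.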
3. Third-Party Risk
Many nonprofits rely on third-party vendors for managing and processing data, such as donor payment processors and cloud storage. These vendors are at the forefront of your data’s security; therefore, it is critical that you conduct proper due diligence before engaging their services. You should ask for proof of cybersecurity compliance. Typically, this takes the form of specialized certifications based on the industry. For payment processors, for example, you need to confirm that they are compliant with the Payment Card Industry Data Security Standard (PCI DSS); this is called being PCI compliant. Additionally, review the contract for guarantees and compliance related to the security and handling of your data.
4. Vulnerabilities & Compliance
Mitigating some vulnerabilities can be handled in-house. Mitigation actions might include setting policies for access and use of data (such as setting user roles), ensuring security protocols are in place for accessing data (such as multi-factor authentication and password policies), conducting regular software updates (including security patching), and providing training to staff and volunteers. Obtaining cyber insurance is also an option. These policies offer a range of coverage to protect the organization in the event of a data breach. Keep in mind, however, that many of these insurance policies also require the policyholder to meet a minimum level of cybersecurity due diligence to obtain a policy and receive coverage in the event of a claim.
If you feel that there are significant vulnerabilities within your data management system, consult an expert. The National Council for Nonprofits or the Center for Nonprofit Advancement are reliable resources for exploring the right service provider to help protect your organization’s information.
A data breach can come from many sources, and the consequences can be severe, ranging from bad press and loss of trust, to financial harm to those whose data is stolen, to governmental investigations or litigation against your organization. As the nonprofit sector increasingly becomes a data-driven business, cybersecurity must become a priority.