Many nonprofits are nervous about their information security, and understandably so. Even large and well-financed organizations, such as the NSA, The White House, Target, Chase Bank, Home Depot, and Sony, have all been hacked. And if they can’t protect their data, even with their extensive resources and high-priced IT experts, how can a small nonprofit possibly protect its information?
A common sense approach is to first consider what risks your organization is most likely to face and then develop a plan to address them. This is called a risk analysis.
Assessing your data
The first step is to take a kind of inventory. Exactly what data do you have? Where is it located? Most importantly, how sensitive is the information?
List all of the different types of data by location. For example, if you have a donor management system, list everything it collects and stores: addresses, donations given, petitions signed, etc. Then, move on to your website and list everything stored on it.
Repeat this process for each location where your organization stores information, including Cloud-based storage. This will provide you with a comprehensive map of the data your organization collects.
Sticky notes are a helpful tool for this exercise. You could write each type of data onto a note that’s color-coded by system. This will make it easier when you begin sorting. If you prefer to see everything on one page, RoundTable Technology has created a spreadsheet template to use for this process.
Once you have inventoried all of your data, the next question is: How much do you care about it? What’s essential to your organization’s ability to function? What would risk your constituents’ well being or your organization’s reputation if it got out?
One helpful approach is to divide up the data you’ve listed into three categories:
- Data you can’t lose
- Data that can’t be exposed
- Nonessential data
Examples of data you “can’t lose” might include the final files for a major project, templates and brand standards, or employee handbooks and manuals. Examples of data you “can’t expose” could be donor information, HR records, strategy documents, or payment information. You might even feel that some things are both “can’t expose” and “can’t lose.” That would indicate that those items are your highest priorities.
At the end of this sorting, you’ll probably have a few sticky notes left over. Those are likely to fall in the “nonessential” bucket. To be clear, the “nonessential data” category doesn’t mean that you should be careless with that data, just that you’re not going to place a high priority on securing it. For example, you may have put blog posts in the “nonessential” category because they don’t contain any sensitive or essential data. That doesn’t mean you shouldn’t take steps to protect your website content from being lost or vandalized.
Considering the risks
Once you’ve sorted out what you “can’t lose” and what “can’t be exposed,” the next step is to identify the risks your organization faces. Ask yourself:
- What could happen to that data?
- How likely is it that something would happen to it?
- How bad would it be if something happened to it?
“What could happen?” is about imagining the various scenarios that would put your data at risk. Is it at risk in a fire? What if a computer was infected by ransomware—a malicious virus that encrypts your data until you pay a “ransom” for its release? Could data be picked up by a keystroke logger? The number of security risk scenarios is potentially huge, but here are a few of the most common:
Physical theft of equipment or printed files
- Natural disaster
- Improper disposal of equipment or printed files
- Inappropriate use of software
- Phishing (employees fooled into providing data)
- Insecure mobile devices
- Spying via software that tracks activity or keystrokes
- Spying via WiFi connection
- Hacking through remote access to your network
- Vandalism through malicious viruses or adware
- Denial of Service attacks (bots flooding your website with traffic and causing it to crash)
- Social engineering (someone without authorization convincing authorized personnel to hand over information or access to systems)
More generally, these scenarios describe various ways your data can be lost, changed, misappropriated, made unavailable, or exposed.
How likely any of these are to happen is a little less straightforward. In most cases, the likelihood of any of these events occurring depends on the behaviors of your staff members. People who thoughtlessly click on links are going to significantly increase the risk of viruses and other malware. Other scenarios might depend on whether you’re likely to be singled out as a target—organizations that work on contentious issues are more likely to be vandalized or exposed. The outside perception that you handle a lot of money might also make you a target.
“How bad would it be if something happened?” is a trickier question because the consequences can be both tangible and subjective. For example, a breach that causes your organization to lose money from its bank account is easy to count and to characterize within the context of the overall budget. But if that breach is publicly known, how will attitudes about your organization change? Will people still trust you to take their donations? Will they continue to invest in your programs? And this is one of the more straightforward scenarios. How would you weigh the exposure of emails that outline your advocacy strategy? How bad is it if your donors’ names and home addresses are exposed?
Also, don’t forget to consider the possibility that old equipment and software can put you at risk. You might have tools that are rarely used and don’t contain much important information. Good candidates for the “nonessential data” pile, right? Probably, but that doesn’t mean you should ignore old technology. In fact, it may pose a bigger security risk than the tools you use everyday. If old software or equipment is connected to your network, it can be a weak link that provides a way in for hackers. If losing a piece of technology is no great loss, you should consider getting rid of it.
Managing an incident
A security incident can happen at any organization, not only because hackers are indiscriminate but also because human error is the most likely cause of data loss or exposure. It’s not hard for someone to accidently delete a file. And most of us are guilty of taking files home and working on them on machines or networks that are much less secure than what we use at work.
The policies and culture of your organization are important factors in preventing an incident. Every organization should have a written guide that outlines the steps it will need to take when a data breach or other kind of security incident occurs. In your guide, you’ll need to think through:
- What mechanisms are in place to detect a security incident?
- Who will document the events leading up to and immediately following when the breach was discovered?
- Who will lead the response if a breach occurs?
- Who will be part of the response team?
- How will you respond to various scenarios?
- How will your response team communicate with the rest of the organization?
- How will your organization recover files or repair systems?
- How will your organization communicate with your constituents (if necessary)?
Your incident response guide could be as simple as a list of a few of the most likely scenarios and bullet points outlining roles and responsibilities. What’s important is to have enough of a plan in place so that if something were to happen, you and your team aren’t left wondering what to do.
Data security can seem scary, but it doesn’t have to be. One way to reduce the stress and gain expertise is to establish a relationship with an IT consultant that has some background in security. However you choose to approach security, keep in mind that perfect security will never be possible, but every organization can take practical steps that will significantly reduce the chances of a major data breach.
For insights into nonprofit data security, download Idealware’s recent report: “What Nonprofits Need to Know About Security: A Practical Guide to Managing Risk.