Most people will say security is important, but if pressed, chances are they don’t really know what that means. What is IT security, exactly, and what’s the worst that can happen? Most pressingly: How can often cash-strapped nonprofit organizations keep their information—and their clients’ or donors’ information—safe and sound?
Leon Wilson, Chief for Digital Innovation & Chief Information Officer for the Cleveland Foundation and past NTEN Lifetime Achievement Award winner, is leading an online NTEN course on security basics for nonprofits: Intro to IT Security, in May. He was kind enough to answer a few questions about IT security and the special considerations for nonprofit organizations.
Why are nonprofits at greater risk of information breaches and other hacks?
Because hackers know that they’re easy prey; that is, they presume that nonprofits not only don’t have as sophisticated or secure an environment as, say, a bank or hospital, but that they aren’t even performing the basics well enough. Also, nonprofits have a trove of donor and client information that can be pilfered for identity theft and social media trolling.
What are the potential consequences to nonprofits and their clients?
Loss of trust between the nonprofit and their client that can lead to loss of donors/donations and loss of business/clients wanting to work with the nonprofit.
What are a few things that nonprofits can do to assess their risk?
1) Hire a credible IT consultant to perform a comprehensive IT security & risk assessment; 2) Identify any compliancy regulations they must conform to (e.g., HIPAA, PCI-DSS, Personally Identifiable Information (PII) pertaining to kids).
Why is having an IT security strategy important?
Most, if not all, IT security experts will tell you that these days, it’s not a matter of if you’ve been hacked, but when. It’s nearly inevitable in this day and age. Therefore, having a “constantly” current IT security strategy is akin to being a fiscally responsible organization.
What’s the first step that at-risk nonprofits should take to improve their practices?
I can’t say it enough: You don’t know how bad of a situation you have until you assess the situation. Thus, the first step is for nonprofit leadership to take IT security seriously and have an IT security assessment performed. A good IT security assessment should not only identify your vulnerabilities, but rank them by severity. Tackle the severe ones first.
What is the number one pitfall or roadblock for nonprofits implementing an IT security policy?
Unfortunately, it’s a four-way tie: a) lack of awareness, b) not knowing who to turn to for help; that is, finding a good IT security consultant that will help them identify and plug any holes without going overboard, c) lack of finances to perform a good IT security assessment, and d) funding to implement those changes warranting additional technology solutions and consulting work.