In today's digital world, one of the most valuable assets a nonprofit has is data. But the trouble is, this data is also valuable to bad actors who may harm your stakeholders or tarnish your reputation. Where do data breaches come from? They may originate from anywhere at any time. In the 2019 IAPP-EY Annual Governance Report, 38 percent of organizations that must comply with GDPR reported a data breach last year, a 42 percent increase from 2018.
TechSoup can help you kick-start a scalable solution to secure your data. Below are five tips to help get you started.
1. Define Your Core Privacy and Security Needs
Depending on your organization's stage of data privacy and security readiness, there are a variety of tools and resources available to protect the data you collect from employees. Below is a breakdown of three stages your organization may fit into.
Do you have limited resources to protect the data you collect from your employees? You likely fit within the Functional category. Your priorities may include purchasing the right mix of tools and infrastructure. Or you may be ramping up basic data management procedures and training.
Have you already begun centralizing data privacy and security, but are looking for more? You may fall into the Standardized category. At this stage, you want to build a more robust protocol — with role-based access controls and life cycle management.
Looking to customize an existing privacy and security system? You might have reached our third stage of readiness — Optimized. With adequate internal processes and infrastructure, you may be searching for enhanced documentation and training to support distributed devices and environments. You might also be searching for tactics to scale and automate these processes to enhance user experience.
Now that you've measured your nonprofit's level of data privacy and security readiness, it's time to develop clear goals across your organization.
2. Unify Your File Management System
Next, you'll need to gather your data on a central file management system and identify the sources of that data and who its gatekeepers are.
You may also consider creating an organizational chart to help you visualize your data management gaps. These can include
- Discrepancies between individual departments or program areas — such as duplicate or inaccurate information
- Insecure or unencrypted storage areas
- Lack of knowledge about best practices for physical access and cybersecurity
Whether you are securing emails, documents, or devices, having a centralized core repository of employee-related data with real-time alerts can provide your nonprofit peace of mind. Depending on your budget and organizational needs, you may mix features with your existing human resources information system or build out a custom solution. You can further streamline operations via multi-factor authentication, client-side encryption, time stamps, session recordings, and read receipts.
Curious about implementing these tools today? TechSoup has partnered with Okta to offer nonprofits a suite of identity management solutions. Learn how you may qualify for 25 free licenses and 50 percent off public training courses and more.
Whatever vendor you choose to unify your file management system, the beauty of these solutions is that you can more easily hold personnel accountable for data breaches and rapidly track down possible leaks.
3. Implement Role-Based Access Controls
Consider key fobs, access cards, password-based entry, mobile applications, and biometrics to limit access to open offices as well as restricted areas, based on an individual's role within your organization. These tools are designed to manage access cost-effectively, while potentially minimizing the bias and human error that may come with self-managed monitoring.
As you begin investing in role-based access controls, check in with legal experts or in-house counsel to ensure that the technologies fulfill all compliance and regulatory requirements for your organization. And once these legal guidelines are in place, make sure you are taking steps to maintain a culture of data privacy and security.
Create accessible resource guides for volunteers, employees, program partners, and vendors — anyone who may need to access data at any time. Depending on the nature of information accessed, it may also be helpful to implement real-time alerts and reports about improper usage outside of work hours or a specific environment and geographic location.
In general, experts don't recommend using personal devices or sharing passwords and other credentials, and using public Wi-Fi or compromised networks is frowned upon. Additionally, any personnel accessing critical data should store company-related passwords in a secure password manager, work on encrypted computers and devices, and log in to their email only in secure environments. You can refer to the Electronic Frontier Foundation or this handy guide from TechSoup for basic cybersecurity tips.
Finally, empowering employees and volunteers to maintain secure access to sensitive information should be coupled with a clear protocol for your vendors. A service agreement simply isn't enough to ensure a third party's proper use and management of your data. Check in regularly, especially when switching providers to ensure that data is securely transferred or disposed of when a contract ends. This way, you avoid exposing your data to disgruntled individuals or criminals.
4. Secure Personnel Turnover
Finding an easy-to-use platform and defining role-based access is just half of maintaining data privacy and security. A primary area of oversight for many nonprofits is determining clear timelines for access. On a daily basis, you'll want to prevent access via insecure networks, personal devices, or third parties. And when an employee is terminated or a contract comes to an end, you'll want to make sure those individuals don't hold on to your business-critical information.
While these handoff processes are seen as the purview of human resources, failing to secure them may put your data at risk of falling into the wrong hands. Start with building out basic documentation for onboarding and offboarding. Depending on the requirements defined by the department director or manager, you may want to transfer information to a designated individual or hold it in a secure location. With tools like Microsoft Active Directory Federation Service (ADFS) or Okta, you can greatly reduce the administration of these processes.
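The two ideas above, role-based access (tip 3) and clear timelines for access at offboarding (tip 4), can be expressed as a single deny-by-default check plus an audit that flags accounts still enabled after their contract end date. This is an added illustration, not code from TechSoup, Okta, or ADFS; the role map, account records, and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data for illustration; not TechSoup's, Okta's or ADFS's data model.
ROLE_PERMISSIONS = {
    "donor_services": {"donor_db:read", "donor_db:write"},
    "finance": {"donor_db:read", "payments:read"},
    "volunteer": {"events:read"},
}

# Each account carries a role, an enabled flag and the date its contract or
# employment ends (None = open-ended). Access is allowed through the end date.
ACCOUNTS = {
    "alice": {"role": "donor_services", "enabled": True, "end_date": None},
    "bob": {"role": "finance", "enabled": True, "end_date": date(2020, 3, 31)},
    "carol": {"role": "volunteer", "enabled": False, "end_date": date(2020, 1, 15)},
}


def effective_permissions(name, today, accounts=ACCOUNTS, roles=ROLE_PERMISSIONS):
    """Permissions an account holds on a given day. Deny by default: unknown
    accounts, disabled accounts, unknown roles and expired contracts get nothing."""
    acct = accounts.get(name)
    if acct is None or not acct["enabled"]:
        return set()
    end = acct["end_date"]
    if end is not None and today > end:
        return set()
    return set(roles.get(acct["role"], set()))


def has_access(name, permission, today, **kw):
    """True only if the role grants the permission and the account is still within its timeline."""
    return permission in effective_permissions(name, today, **kw)


def stale_accounts(today, accounts=ACCOUNTS):
    """Offboarding audit: enabled accounts whose end date has passed, i.e. people
    who should already have been removed but still hold credentials."""
    return sorted(
        n for n, a in accounts.items()
        if a["enabled"] and a["end_date"] is not None and today > a["end_date"]
    )


if __name__ == "__main__":
    run_date = date(2020, 4, 1)
    for n in ACCOUNTS:
        print(n, sorted(effective_permissions(n, run_date)))
    print("revoke:", stale_accounts(run_date))
```

Running the audit on a schedule and feeding its output to whoever owns offboarding turns "make sure those individuals don't hold on to your information" into a repeatable check rather than a memory exercise.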
Layer technology solutions and training with periodic testing across all departments and personnel types. For example, you may send out a test phishing email to gauge which employees are best equipped to respond proactively to potential threats or create a monthly quiz on basic cybersecurity terms.
As your organization grows, you may find that your needs evolve. Today, there are a variety of solutions for threat management, from automated software to security experts who operate 24/7 — commonly referred to as endpoint detection and response and intrusion detection and response.
In addition to educating your team, take measures to safeguard your most important information source — your donor database. You may be well aware that servers should be PCI compliant, but they may also operate at a scale where oversight is better managed by a third party. Whatever solution you choose, limiting access to financial and personally identifiable information is critical.
While it may be a bit overwhelming to document a clear process for each data use case within your organization, the risk of not implementing endpoint and intrusion detection and response protocols far outweighs the effort. In addition, there are a variety of resources available at TechSoup to help you develop consistent standards for protecting your data.
5. Create a Crisis Management Plan
Once you've chosen a solid mix of technology and service providers, you may think that your data privacy and security needs are met. Think again — when data falls into the wrong hands, multiple communication channels may break down, affecting your organizational efficiency and public reputation.
To ensure that you protect the data of the communities you serve, invest in a system that provides vulnerability scanning with real-time alerts to notify individuals if their devices or data may have been compromised or accessed without their knowledge.
Once alerts have been sent out, it's time to craft restorative messaging to address the core needs of your stakeholders.
First, determine what types of information leaks and breaches your organization is liable for. With honest, accurate, and clear information, law enforcement and legal investigators will be better equipped to address your needs. And you may prevent the untimely disclosure of sensitive information to the press, within your organization, or to the greater public.
Second, delineate a chain of command for communicating the breach to key personnel. You'll also want to brief and train public-facing executives and spokespersons to maintain a consistent narrative and uphold your nonprofit's reputation.
Finally, depending on the nature of your liabilities and responsibilities, it may be necessary to seek legal counsel, liability insurance, and other safeguards.
Never Trust, Always Verify
It may be daunting to consider the time and money it takes to develop a solid data privacy and security plan, but the alternative is exposing your nonprofit to incalculable loss. IBM estimates that the average cost of a data breach worldwide is $3.92 million, with an average of 25,575 records compromised per incident.
The rule of thumb in today's highly distributed workforce is to trust no one — and always verify. Many nonprofits collect data on individuals including clients, donors, volunteers, and staff members. The integrity of these connections depends on how well you protect their information.
From facilitating charitable transactions to engineering solutions for the greater good, a solid data privacy and security program can ensure that your organization continues to safeguard the public trust and carries out its mission for years to come.
- Get training from TechSoup Courses on cybersecurity and cyber liability insurance.
- Watch a webinar on security and privacy.
- Find out how to Manage Identities, Not Passwords at Your Nonprofit.
- Learn what you need to know about getting hacked.