It's fast becoming necessary for organizations to use cloud-based tools in one way or another. This opens up a world of opportunities for collaboration, fundraising, and management, but it also requires some extra consideration to make sure you're protected from cyberattacks and data loss.
As you get started, you'll want to consider the inbuilt security features of the cloud tools you are using. You may find that fewer of them are configured out of the box than you expect, so it's important to use other tools and methods to protect your data from theft or accidental loss. If you're making the step of moving to the cloud at your organization, here are five important tips to keep your systems secure.
1. Privileged Access Management
One of the advantages of cloud-based document storage is that you can access your files from anywhere. However, this easier access also makes them more vulnerable to prying eyes. In order to keep your sensitive data safe, you'll need to make use of privileged access features in your new tools. When assigning levels of access to each staff member, it's best to use the principle of least privilege. Following this principle, each person should have access to only the files they need in order to do their job.
Many document management tools, like Box and Google Drive, use role-based systems to manage access. They include default role assignments, such as "admin" or "read-only" as well as the option to create custom roles. This allows you to carefully consider who in your organization needs access to what and then configure access privileges accordingly. Often, you can create these permissions at the folder level, so having a well-organized folder structure will help. As well as reducing the likelihood of accidental data loss, this also acts as damage control in the event of a cybersecurity attack. If an employee's account gets hacked, only the files that person has access to are at risk of being compromised.
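The folder-level, role-based model described above, as an added example that is not code from the article or from Box or Google Drive: roles assigned on a folder are inherited by everything beneath it, the effective role is the nearest assignment up the tree, and a blast_radius() helper (an assumed name) shows what a single compromised account could reach. The folder tree, users and roles are constructed sample data.

```python
"""Toy model of folder-level role-based access with inheritance.
Constructed example; not any vendor's real permission API."""
from typing import Dict, List, Optional

# Role ranks: "admin" outranks "editor", which outranks "viewer".
ROLE_RANK = {"viewer": 1, "editor": 2, "admin": 3}

# Constructed sample folder tree: child -> parent (None = root).
PARENT: Dict[str, Optional[str]] = {
    "/": None,
    "/finance": "/",
    "/finance/cards": "/finance",
    "/programs": "/",
    "/programs/2022": "/programs",
}

# Constructed per-folder assignments, following least privilege:
# each person is granted a role only on the folder they need.
ASSIGNMENTS: Dict[str, Dict[str, str]] = {
    "/": {"it-admin": "admin"},
    "/finance": {"cfo": "editor"},
    "/finance/cards": {"bookkeeper": "editor"},
    "/programs": {"program-lead": "editor", "volunteer": "viewer"},
}

def effective_role(user: str, folder: str) -> Optional[str]:
    """Walk up from folder to root; the first assignment found wins."""
    node: Optional[str] = folder
    while node is not None:
        role = ASSIGNMENTS.get(node, {}).get(user)
        if role:
            return role
        node = PARENT[node]
    return None  # no assignment anywhere up the tree: no access

def can(user: str, folder: str, needed: str) -> bool:
    """True if the user's effective role meets or exceeds `needed`."""
    role = effective_role(user, folder)
    return role is not None and ROLE_RANK[role] >= ROLE_RANK[needed]

def blast_radius(user: str) -> List[str]:
    """Folders an attacker holding this user's account could read."""
    return sorted(f for f in PARENT if effective_role(user, f))
```

Comparing blast_radius("bookkeeper") with blast_radius("it-admin") shows why a compromised narrowly scoped account exposes far less than a compromised admin account.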
2. Login and Device Use Policies
Secondly, you should incorporate policies and tools that add an extra layer of protection to your systems, both by verifying who is using them and by clearly laying out how they should be used.
Single sign-on (SSO) and multi-factor authentication (MFA) tools are a great way of preventing illicit access to your databases in the event of a password breach. Single sign-on systems provide access to many different tools from one dashboard, allowing you to tighten security on your apps without the need to keep track of many different passwords. Multi-factor authentication requires employees to go through an extra authentication step when signing in, such as verifying their identity from an app on their phone. This makes it very difficult for someone to get into an employee's account even with their password because the MFA will be tied to a single device such as their personal phone. Okta is an identity management tool that can help you to implement these kinds of policies, with donated licenses available to nonprofits through TechSoup.
Also, implement a device use policy for employees working outside the office. This helps your team to understand what appropriate and inappropriate use of their organizational computer and tools looks like, and it also alerts them to some threats they may not have considered. One example of this is using public Wi-Fi. When you connect to the Internet in a cafe or other public space, it's possible for someone to gain access to your data through that Wi-Fi network. So it's important to use a VPN if you are working on a public Internet connection to ensure that your data is encrypted. Also be sure not to make your computer "visible" to others: select the public network profile in the computer's firewall settings.
3. Backup and Recovery
Many of the security principles for on-premises devices also apply when working in a cloud environment. It's still incredibly important to have multiple copies of your data and recovery points that you can access and restore from at a moment's notice. Some cloud-based document management tools allow you to restore previous versions of a file, but you should also keep copies in a separate location. You can use tools like Veritas Backup Exec to continually make copies of your files, helping you to get back on your feet if you suffer from an attack or accidental data loss.
4. Security Awareness Training
Cybersecurity attacks increasingly rely on social engineering in order to gain access to organizations' files. This might be an email designed to look like a file sharing message from Google Docs, or a request that appears to come from your CEO. These emails are designed to make you trust them enough to click a link or share private information, giving the hacker access to sensitive files, financial information, or other kinds of important data.
To prevent these techniques from succeeding, train your staff to recognize the signs of an attempted cyberattack. You should also have protocols for the sharing of sensitive information, which will add an extra line of defense and help employees to spot red flags sooner. The principle of least privilege will also help you out in these situations. If only a handful of people have access to your organization's credit card information, there are fewer "weak points" where a hacker could convince someone to pass it on.
TechSoup offers online security and compliance training through the KnowBe4 platform. Read about how we use this training ourselves.
5. Incident Plan
Unfortunately, even if you follow all of the tips listed here, it is still possible to experience a security incident. In order to cope with and recover from this, you should draw up a security incident plan. This plan should include determining whether data has been stolen, and it should list the people you need to communicate with and any legal action you need to take.
Recognize the difference between a security incident and a data breach, since this will affect the action you need to take. If you notice irregularities in your website, file storage system, or bank account indicating that someone has gained illicit access, then a security incident may have taken place. The next step is to dig deeper in order to check whether data was actually stolen. If you discover that it was, you may be required to report the incident as well as investigate internally and recover using your backup channels. The legal requirements vary depending on where you are in the U.S., so you should ensure that your incident plan takes into account the data-handling laws in every region your organization works in.
As a rule, it's best to be as honest and transparent with your community as possible if a data breach has taken place. This, along with a holistic plan of action, will help you to recover as quickly as possible and prevent any further theft or damage, as well as maintain your organization's reputation.
Stay Secure in Your Cloud Environment
By combining software, training, protocols, and policies, you can create a web of security techniques that will help to keep your data and systems safe. You can also access a wide range of tools, advice, and courses through TechSoup that can help you to train your team and protect your organization from cyberattacks and data loss.
- Enroll in TechSoup Courses' Basic Security on the Cloud for Nonprofit Staff 101.
- Read about 10 Helpful Cloud-Based Tools for Nonprofits in 2022.
- See a webinar on Making Sense of Security Features Within Microsoft Cloud Licenses.
- Think about Building a Data Protection Strategy at Your Nonprofit.