Many nonprofits handle sensitive personal information belonging to community members — whether it's names or email addresses or payment information. But are you handling this data properly to prevent a data breach?
This post is by no means exhaustive — after all, every nonprofit handles different sorts of data, and each organization has different security needs. That said, these are some practical things to think about when you review your handling of sensitive personal information.
Malware may seem like an obvious risk, but with so many other security risks in the news, it's easy to forget that it still poses a major threat to your organization's data.
To start, make sure you have antivirus software installed, and that it's up to date. In addition, you'll want to make sure your operating system and any software installed are also up to date, with all security patches installed.
Beyond that, be careful what you click on. Don't download and install software from sites you don't trust. Be careful of the email attachments and links you click on — even from people you know. If you aren't expecting a file or link, click with caution.
Ransomware is an especially insidious form of malware that holds your computer or data hostage unless you pay a sum of money to a criminal actor. Oftentimes, ransomware will encrypt your data, preventing you from accessing it. And according to Symantec's Director of Security Response Kevin Haley, some forms of ransomware will threaten to publicly release your data.
Aside from up-to-date antivirus software and taking steps to avoid infection in the first place, there isn't a ton you can do to deal with a ransomware attack once your data's been encrypted.
In that case, according to Haley, keeping up-to-date backups of your data is your best bet. That way, you'll be able to get back up and running quickly with minimal data loss. (TechSoup offers backup and recovery solutions from Veritas.)
Public Wi-Fi is generally fine for some things, such as browsing cat videos on YouTube, or catching up on the headlines. However, for anything involving sensitive personal information, it's a security disaster waiting to happen. Bad actors could potentially eavesdrop on what you're doing while using public Wi-Fi, leaving your data and work open to prying eyes.
First off, avoid using public, unsecured Wi-Fi when handling sensitive information — whether it's internal organizational data or your own personal banking information. Using a wireless hotspot, like those from Mobile Beacon (offered through TechSoup), instead of public Wi-Fi is an easy way to keep your data more secure.
If you can't avoid public Wi-Fi, a virtual private network (VPN) is a good option — a VPN encrypts the traffic between your computer and the VPN server, so others on the same Wi-Fi network can't read it. Not all VPNs provide the same level of security, though, and you'll need to make sure your VPN of choice conforms to any data security regulations that your organization may be subject to. See our previous overview of VPNs for more.
Sharing sensitive information via email, messaging apps, or similar means is a risky proposition.
Email is a notoriously insecure method of communication. Email accounts are frequent targets of data breaches and phishing attacks. (In a phishing attack, an attacker tries to steal your account credentials by tricking you into entering them on a phony login page.)
And whether it's through email or a messaging app, it's all too easy to leak data accidentally by sharing it with the wrong person.
Avoid sending sensitive information to colleagues via email. It's easier said than done, we know. Maybe you need to share a list of donor contact information with your marketing department, for example. Consider uploading it to a secure file server on your network that can only be accessed by others in the office.
If your organization uses a cloud storage service like Box, consider using that instead — so long as it meets your organization's security needs. These cloud storage services usually encrypt data you upload to prevent it from getting stolen. You may also want to consider using constituent relationship management (CRM) software, a tool designed specifically to store and manage your organization's contacts.
In addition, pay attention to access permissions. If you can, restrict access to sensitive information to only those who need it. Revisit your permissions settings regularly and update them as needed.
To prevent your user accounts from being compromised in the first place, practice good account security hygiene. Use strong passwords and require your staff to use two-factor authentication.
A breach involving credit card data can be embarrassing for your organization, but it can also wreak financial havoc on your members and supporters. All it takes is for hackers to grab a few pieces of information to rack up credit card debt in your supporters' names.
Securing credit card information is important, but you don't have to make it up as you go. Make sure your organization conforms to payment card security standards. The Payment Card Industry Security Standards Council, as well as banks and credit card issuers, provide guidelines on how to best handle credit card information to prevent breaches.
Has your nonprofit recently encountered any other notable risks? Tell us about it in the comments!
This work is published under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License.