By: Adeel Qayum, security enthusiast and a blog writer at Privacy Noob.
It’s common to think data breaches only happen to private/for-profit companies like Target and Home Depot, but nonprofits are targeted too. People Inc., a nonprofit human services agency operating in Western New York, suffered a data breach in 2019 that caused sensitive medical information of its former and current clients to be exposed.
Hackers can also attempt to fraudulently impersonate an organization and contact donors for their information directly (known as phishing). Such was the case with the Harry and Jeanette Weinberg Foundation, which in 2018 was the target of a phishing attack.
Criminals may also conduct sophisticated attacks for monetary gains. In 2018, ransomware attacks on two Ontario children’s aid societies resulted in a hefty loss. One nonprofit, the Children’s Aid Society of Oxford County, ended up paying the $5,000 ransom to regain access to their files. And while the other nonprofit, Family and Children’s Services of Lanark, Leeds and Grenville, did not pay the ransom, they still spent three weeks and $100,000 to regain access to their sensitive data.
These cases reinforce that hackers are still at large, targeting nonprofits that do not have the necessary IT expertise to protect their data.
Don’t put your organization at risk. Here are some measures you can take to shore up your data security.
7 Steps to Improving Your Nonprofit’s Data Security
1. Secure your computers with a password and Internet Security software
Many nonprofits issue laptops and other devices to staff. These devices can be easily stolen if left unattended in unsecured places. To prevent thieves from gaining access to your organization’s data, configure the devices to require a password that must be entered every single time! Set passwords for opening your Mac and Windows computers and make it a habit to change them periodically. And while you’re at it, make sure your computers have antivirus or internet security programs installed (and are set to perform regular scans!), so you can rest assured that malware and other harmful computer programs are kept at bay.
2. Conduct regular IT inventory assessments
Determine what data you are storing and who has access to it. Create a list of contractors, employees, donors or volunteers who have access to specific information, under what circumstances, and how those privileges will be tracked and managed. You cannot be too vigilant when it comes to data security.
3. Keep your applications and operating system up to date
Application developers frequently issue new updates to combat security threats. Make sure you install them as soon as they’re released. Failing to do so can make your donors’ and stakeholders’ data vulnerable to security breaches. If possible, configure your applications and software to update automatically. Auto-updates help prevent security gaps and will minimize vulnerabilities that criminals find and exploit.
[ TIP ] You can use Spiceworks’ free IT Inventory software to keep track of your devices and automatically update software across all of them.
4. Boost your data security on browsers
Steer clear of unknown websites and always make sure the site is secured with HTTPS when entering sensitive information. The “S” in HTTPS stands for secure, and it means that all communications between the website and your browser are encrypted. You can check for this manually or use a browser plugin like HTTPS Everywhere to know if a website offers an encrypted browser connection. Educate your employees as well!
5. Consider investing in a virtual private network (VPN)
HTTPS does a great job at concealing your information from prying eyes, but you may want to go a step further to protect your sensitive data. With a VPN, you can create a secure, encrypted link between the internet server and your device so hackers can’t track your online activity. There are numerous VPNs out there, so do your research to find the best option for your organization. Premium VPNs are more likely to contain the features you need to protect your nonprofit’s data.
6. Don’t use email to transmit sensitive data
Many nonprofits use email to transmit sensitive data, for example donor information, financial data and staff personal information, but it’s not the best way to share information securely. Can you imagine the consequences if a hacker with malicious intent gains access to the email? The outcome could be harrowing. Come up with ways to transmit data securely when working with donors, consultants, advertising companies, etc. For example, you can set up an internal shared folder where files can be stored and retrieved.
7. Implement security awareness training for data security
Ultimately, data security is everyone’s job. Hackers can target anyone at a nonprofit, so every employee needs to understand how to deal with or recognize an attack. Security awareness training can help your staff avoid being victimized by scam websites and phishing emails. Start with briefing them on your security protocols and plan, and educate them on their security responsibilities. Be sure to continue updating staff about common scams and provide them with resources on blocking data breach attempts.
In addition to taking these seven measures, I recommend that you look into Cyber Insurance. It can be effective in helping your organization recover in the event that a hacker gets past your security defenses. Websites like CyberPolicy can get you a free quote so you can plan for your organization’s safety.
With these seven steps, you can guard against data breaches by equipping your nonprofit with the protection that preserves the trust of your donors and everyone else.
About the Author
Adeel Qayum is a security enthusiast and a blog writer at Privacy Noob. Besides keeping up with the latest in security trends, he is also passionate about traveling, gaming and building businesses.