Access to your nonprofit organization’s data is one of the best tools you can provide your employees to further your mission, provided that you’re not giving away your valuable data to unauthorized users. To further this effort, an IT environment that’s monitored and managed by IT professionals promotes the security you need. A knowledgeable IT provider will prevent cybersecurity vulnerabilities and keep your technology up and running. They will ensure that your members’ and donors’ confidential information remains private.
But there are also things that you can do to help. We’ve provided ten tips for you to follow that will promote cybersecurity for your non-profit organization in the SF Bay Area.
1. Appoint A Cybersecurity Chief. Tap a trusted member of your staff to liaise with your IT service company and ensure that your employees and volunteers strictly adhere to your cybersecurity plan. Along with your IT professionals, this person will be your point of contact for keeping your nonprofit in line with IT security-compliance regulations and standards so you can stay in good standing with governments and donors.
2. Develop An IT Security Plan & Policy. Consult with your IT provider and put a plan in place to ensure that your data is protected both in storage and in transit. Hackers are looking to capitalize on your members’ confidential data, and you can’t afford a data breach. If this information is exposed, you may end up in expensive litigation, not to mention a ruined reputation. If this happens, no one will want to fund your projects.
There is a range of flexible and affordable options for this that your IT professionals can implement for you. You needn’t be worried as long as they implement enterprise-grade cybersecurity solutions and a layered defense that can automatically block and eliminate the latest threats. The idea of layering security is simple: you shouldn’t rely on one security mechanism, such as antivirus software, to protect your confidential information. If that single mechanism fails, you have nothing left to protect you.
You should also develop a Security Policy. This Policy should begin with a simple statement describing the information you collect about your members and donors and what you do with it. It should identify and address the use of any Personally Identifiable Information (PII) and how to keep it private.
3. Plan For Data Loss Or Theft. It’s essential that you determine exactly what data or security breach regulations affect your nonprofit. You need to know how to respond to data loss. All employees and contractors should be educated on how to report any loss or theft of data, and who to report to. Data loss can expose you to costly state and federal regulations and litigation. You must be able to launch a rapid and coordinated response to a data breach to protect the reputation of your nonprofit organization.
Your Plan should include input from all departments that could be affected by a cybersecurity incident. This is a critical component of emergency preparedness and resilience. It should also include instructions for reacting to destructive malware. Additionally, departments should be prepared to isolate their networks to protect them if necessary.
4. Implement A Disaster Recovery & Business Continuity Plan. You must have a backup copy of your data in case it’s stolen or accidentally deleted. Develop a policy that specifies what data is backed up, how often it’s backed up, where it’s stored and who has access to the backups. Back up to both an external drive in your office and a remote, secure, online data center. Set backups to occur automatically. And make sure your backups are encrypted.
Here in San Jose, we must always be prepared for the next earthquake or fire. And this means knowing that you can restore your saved data from a recent point in time and access it from a remote source if you must leave your work premises. The key is to back up frequently and ensure redundancy. More than one backup in different locations is required. And you won’t only need this when disasters hit. Because ransomware can lock up or crash your IT system, you’ll need a restorable backup to keep working if this occurs.
5. Arrange For Security Awareness Training. Your staff can have a significant effect on your cybersecurity – either they know enough to keep your assets secure, or they don’t, and thus present a serious threat to your security. So, which is it? Do your employees and volunteers have the knowledge they need to spot cybercrime scams, avoid common pitfalls and keep your nonprofit’s data secure?
Security awareness training helps your employees and volunteers know how to recognize and avoid being victimized by phishing emails and scam websites. They learn how to handle security incidents when they occur. If your employees and volunteers are informed about what to watch for, how to block attempts and where they can turn for help, this alone is worth the investment.
The human factor is still the biggest risk factor in most equations. Your staff can be your greatest asset or your weakest link. It depends on whether you take data security seriously enough to make sure that they are trained several times a year. People need to be reminded often about cyber threats. Plus, there are always new threats coming along, so it’s essential to stay up to date. Ongoing training and testing reduce the incidence of human error that increases cybersecurity risk.
6. Make Password Privacy A Priority. Passwords remain a go-to tool for protecting your nonprofit’s data, applications, and workstations. They also remain a common cybersecurity weakness because of the careless ways employees try to remember their login information. Weak passwords are easy to compromise, and if that’s all that stands between attackers and your data in the cloud and in applications, your nonprofit organization could be at serious risk of a catastrophic breach.
There’s a better way than scribbling passwords on sticky notes. But what is that better way, exactly? You must protect your data with hard-to-guess passwords and encryption that scrambles data unless the user has access to a decryption key. Encryption is an effective way to protect your data and emails from intruders. It uses an algorithm to encode information. Cloud storage encryption ensures that documents are safely stored so that only authorized users can decrypt files. Even if your data is intercepted by cyber thieves, they won’t be able to read it. By practicing secure encryption key management, your IT service company can ensure that only authorized users will have access to your sensitive data.
Another good choice is a password management solution designed to help you step up your security without making things harder for your employees and volunteers. A password manager generates, keeps track of, and retrieves long, complex passwords for you to protect your vital online accounts. It can also remember your PINs, credit card numbers and three-digit CVV codes if you choose that option. Plus, it can store answers to security questions for you. All of this is done with strong encryption that makes it difficult for hackers to decipher.
Your team should also be using Multi-Factor Authentication (MFA). It protects against phishing, social engineering and password brute-force attacks, securing your logins from attackers who work to exploit weak credentials. And you must be able to deliver MFA prompts to your employees and volunteers wherever they are. These tools can also generate time-based one-time passcodes (TOTP). Your users simply enter the code they receive to complete their multi-factor authentication.
7. Keep Software & Operating Systems Up To Date. Software developers are diligent about releasing patches for new security threats. Make sure you install them as soon as they’re released. If you don’t, your IT system will be vulnerable to cyber attacks. If possible, set your systems to update automatically. Auto-updates will prevent you from missing critical updates. This is one of the most effective things you can do. It prevents security gaps and will limit system vulnerabilities that hackers find and exploit. Outdated software and operating systems that don’t receive security patches or support leave you exposed.
Replace all outdated software before the developers end support. For example, Microsoft announced that it is stopping mainstream support for Windows 7. This is a popular operating system, so this creates concern for many. All support for Windows 7 will end on January 14, 2020.
This means that you won’t get bug fixes or security updates from Microsoft. Over time, the lack of security and reliability updates for Windows 7 will make your computers vulnerable:
- Your computers could be infected by malware;
- Your antivirus won’t be updated;
- Your online banking transaction protection may expire; and
- Your financial data could be exposed to theft.
8. Conduct Regular IT Inventory Assessments. Determine how your data is handled and protected. Also, define who has access to your data and under what circumstances. Create a list of the employees, volunteers, donors or contractors who have access to specific data, under what circumstances, and how those access privileges will be managed and tracked. You must know precisely what data you have, where it’s kept, and who has rights to access it.
9. Protect Data Collected On The Internet. If you collect information on your website, this must be protected. If a third party collects this data for you, they should fully protect it for you. You must ensure that any data you collect is secure.
10. Enforce Access Policies on Mobile Devices. With BYOD (Bring Your Own Device) use, mobile devices like smartphones, tablets and laptops present significant security challenges. They can be exposed to external threats, infections, and hackers; and when they’re connected to your network, can compromise your IT security. Establish security policies for the use of mobile devices on your network. They should be password-protected so only authorized users can use them. Instruct your employees to only use devices that belong to them and have been protected by your security policies. Ask your IT provider about Mobile Device Management that will wipe data from a device if it’s lost or stolen.
11. Ask Your IT Service Provider To Do The Following:
Implement Layers of Security: You shouldn’t rely on just one security mechanism to protect sensitive data. If it fails, you have nothing left to protect you.
Segment Your Networks With Firewalls: Network segmentation categorizes IT assets and data and restricts access to them. Reduce the number of pathways into and within your networks and apply security controls on the pathways that remain. Do this to keep hackers who get into one part of your network from gaining access to all of it.
Use Measures To Detect Compromises: Use measures like Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs), and anti-virus software to help you detect IT security events in their early stages. This provides 24/7 detection and response to security threats.
Secure Remote Access With A VPN: A Virtual Private Network (VPN) encrypts data channels so your users can securely access your IT infrastructure via the Internet. It provides secure remote access for things like files, databases, printers and IT assets that are connected to your network.
Employ Role-Based Access Controls With Secure Logins: Limiting your employees’ authorization with role-based access controls prevents network intrusions and suspicious activities. Define user permissions based on the access needed for their particular job. For example, your receptionist might not need access to your financial data.
Install All Of Your Security Patches and Updates: Software developers are diligent about releasing patches for new security threats. Ask your IT provider to install them as soon as they’re released. If you don’t, your IT system will be vulnerable to cyber attacks. They can set your systems to update automatically. Auto-updates will prevent you from missing critical updates.
Secure and Encrypt Your Wireless Connections: Be sure your company Wi-Fi is separate from a guest Wi-Fi or public networks. Your internal wireless network should be restricted to specific users who are provided with unique credentials for access. These credentials should be preset with expiration dates and new ones provided periodically. Your company’s internal wireless should also be protected with WPA2 encryption.
Back Up Your Data: As mentioned above, you must have a backup copy of your data in case it’s stolen or accidentally deleted. Develop a policy that specifies what data is backed up, how often it’s backed up, where it’s stored and who has access to the backups. Back up to both an external drive in your office and a remote, secure, online data center. Set backups to occur automatically. And make sure your backups are encrypted.
You help others, so let us help you by providing a complimentary IT assessment so we can implement a cybersecurity plan to protect your nonprofit. For more information, contact BC Networks. We specialize in serving nonprofits in the San Francisco Bay Area.