5 Proactive Steps for Nonprofit Organizations
If we think about it, we are no longer surprised when we hear about the ever-increasing number of hacking incidents in which companies, governments and organizations lose large numbers of records containing Personally Identifiable Information (PII) of clients, taxpayers, and the people they serve. However, we need to think about the impact our organization could experience if we were to sustain a hacking event.
In particular, non-for-profit organizations keep important information about donors, volunteers, sponsors, and the people they serve through the long list of social and community services they offer. Losing this information could result in a public relations nightmare, loss of public confidence, loss of funding for key programs, and increased difficulty receiving new grants to continue serving their community, among other consequences.
A considerable number of non-for-profit organizations are small to midsize businesses. This is an important fact when you consider that, according to Kennet Research, in 2019, 67% of small and midsize businesses were hit by a cyberattack. Furthermore, Centrify estimates that 74% of all data breaches involved access to privileged accounts; in other words, hackers “walked” through the front door of networks using valid access credentials.
These statistics should make every non-for-profit aware of the need to take preventive action to protect its data from being compromised. The question, of course, is what do we do? In our opinion, the first thing a non-for-profit must realize is that the management of technology is an ongoing exercise of identifying potential weaknesses, protecting networks and systems, detecting potential problems, responding to unusual events, and recovering data and/or systems when necessary. These five steps are the basis of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
As a first step, it is important that you identify weaknesses in how your non-for-profit stores and transmits critical data, who has access to your network and data, how employees are onboarded and offboarded, whether employees are allowed to use personal devices when performing their day-to-day work activities, etc.
It is important for a non-for-profit to have documented policies and procedures for the use of the organization’s technology resources and to ensure users abide by them. For instance, strong passwords, automated data backup, segmentation of access to data, and ongoing user awareness training are good practices to follow to improve protection of data and systems. Whatever steps you take to protect your data and systems, make sure they are tested on an ongoing basis; you do not want to find out a specific task was not done when you have a problem.
An important part of managing your technology is monitoring your network for unusual activity that could indicate something is not right. Today’s networking equipment has important security features to accomplish this function, but making sure someone monitors the devices is crucial.
Response plans should be part of your policies and procedures and should clearly identify who is responsible for the response and what this person or these persons will do. Your response plans need to identify how different members of your organization will communicate when needed, regardless of the time and day.
If your plans properly addressed critical data and systems, your day-to-day technology management made sure protection activities were performed, and your plans are clear, recovering from an unwanted condition will be much easier than if you had not followed the right steps.
Of course, we recognize that non-for-profit organizations’ budgets are always tight and do not allow for a technology staff with the broad knowledge necessary to address all the challenges imposed by the hacking we are experiencing. If this is your case, look for a technology company that can support your operation and that will accept the responsibility that comes when you place your trust in them. It is important for the technology company you work with to understand the importance of the mission your non-for-profit performs and the ideals you live by.