Every day businesses and organizations collect personal data from people. Whether it is taking donations or payments, collecting contact information for newsletter subscriptions, or maintaining employee and volunteer records, your nonprofit probably has a large amount of personal information stored in your records. You also have financial information and other files that are private or confidential. While all this information is important for the day-to-day function of any business, it is also at risk from a variety of security breaches. So, what can you do to minimize the potential loss of information that could harm your nonprofit's business?
1. Train your staff to be security conscious
Every member of your staff uses computers and technology for some part of their job, so every member of your staff needs to undergo security training and follow guidelines and procedures for tech safety. Many security breaches are believed to be caused by employee negligence, so it is important to continually assess your employees' awareness and their ability to identify potential threats. In addition to making cybersecurity training part of each employee's onboarding, you should implement a password policy that includes regular updates, and you should test your employees' ability to recognize dangers and scams, for example by sending phishing tests to your organization.
2. Limit the availability of information, even to employees
Often there are systems or documents that many of your employees don't need access to in order to do their jobs, but you may find it easier to simply grant everyone access. This increases the risk that information ends up somewhere it shouldn't, whether intentionally or not. Most software comes with administrative settings that let you restrict access for individual users, which can save you a lot of hassle in the long run. Take the time to review who needs access to confidential information and restrict access for everyone else.
3. Keep your software and devices up to date
The older the software you use, the more vulnerable it becomes to viruses and other cybersecurity threats. Make sure that you install all the updates and security patches you need to keep your devices safe. You should also confirm that all the software your company uses is still being updated, since once a product reaches end-of-life there won't be any more security or support updates. Some key Microsoft products are reaching end-of-life in 2020, including Windows 7 and Office 2010, so make sure your business has a transition plan in place.
4. Have a plan in place if a breach occurs
Every company should have a response plan in place in case an incident occurs. The plan should define what your organization considers a data breach, identify which team members will carry out the response, list actionable steps for handling a breach, and include procedures for following up after the event. Your response team should analyze the breach and determine which security measures failed, limit any further damage or data loss, and decide what you can do to prevent similar incidents in the future. In some states, such as Massachusetts, businesses are legally required to disclose when they have suffered a data breach, both to the government and to the affected individuals whose data is at risk. If you operate in Massachusetts and retain personal information about any MA resident, you are required to have a comprehensive Written Information Security Program (WISP) that takes into account your business's size, nature, resources, record types, and security needs. Even if you aren't in Massachusetts, having a plan that covers these points is an important best practice.
No matter the cause, downtime costs you and your business time, money, and stress. Taking a proactive approach to security will help keep your business running after an incident occurs. You can't eliminate problems entirely, but you can make them easier to manage by having a plan in place.
Need help creating a plan for your technology? Contact us for a consultation to get you on track.