Due to the COVID-19 pandemic, more people are working from home and relying on the Internet than before.
In fact, according to Smallbiztrends, 66% of employees are now working from home.
This is true even for nonprofits, who’ve historically been reluctant to embrace new technology.
However, as more and more organizations move online without taking the proper data security precautions, the chance of hacks increases exponentially.
Take the data breach at People Inc, for example.
In May 2019, one of the biggest nonprofit agencies in western New York experienced a huge data breach. Medical data from both previous and current clients was released, most likely from an employee email, and it was estimated that the data of up to 1,000 clients was exposed during the leak. This information included names, addresses, and social security numbers amongst other pieces of personal information.
And if you don’t have the proper data security plans in place at your nonprofit… something similar could happen to you.
In this post, we’ll cover which kinds of data breaches can happen in the nonprofit sector, and how to use the following best practices to prevent them:
Using dedicated log-ins
Backing up data
Disposing of old tech
What Kind of Data Breaches Happen in the Nonprofit Sector?
Hacks happen for many different reasons. Sometimes people are doing it for a cause. For example, ethical hackers try to find the bad or ‘illegal’ vulnerabilities of a site. These white-hat hackers then try and stop them from further exposing users to security flaws. One example of this type of organization is Infosec Girls, a female-led organization that encourages teams of women to find these flaws.
However, when it comes to data breaches for nonprofits, the reason tends to be financially motivated — meaning protecting donors’ information is of the utmost importance.
The types of breaches that you need to watch out for are:
Leak of Donor Information: As I mentioned above, many hackers may want to steal donors’ banking information in order to use it for their own gain.
Breach of Employee Information: If hackers access your database, your employees’ safety and privacy may also be at risk.
eCommerce Hack: If you’re using an online store as a fundraising tool, a lot of payment information will be stored in your database. This could leave donors vulnerable if not protected in the right way.
Human Error: Everybody makes mistakes. Unfortunately, human error does lead to security breaches. According to Bitdefender, this starts with people not being fully aware of their cyber security responsibilities. Having what they refer to as a ‘low cyber IQ’ leads to employees accidentally exposing customer data through negligence.
Data breaches due to human error come from weak password management, using old, non-updated software, careless handling of data and, as previously mentioned, lack of knowledge in the cyber security field.
An example of this is from back in 2017, a healthcare charity known as Little Red Door were victims of hackers who had stolen client information and were asking for $43,000 in bitcoin ransom. This happened because the company had not adequately protected or encrypted people’s details.
Hardware Failure: Sometimes, this can be something as simple as the hardware being physically stolen and the information being openly exposed to burglars.
Other times, it’s simply that an outdated piece of software isn’t strong enough to protect against hackers’ modern-day knowledge.
For example, a phone that has come out this year will have updated software and apps will have a higher level of security than a phone that came out ten years ago. Also, a lot of old or second hand hardware will be ‘jailbroken’, giving anyone who uses its access to the previous user’s information until it is manually protected again.
Wondering how to keep yourself safe from all of these potential pitfalls?
Here are six data security practices that will protect your organization and the people who support it.
Use Dedicated Log-Ins
You may have worked in a job where every employee uses the same login password for everything.
This is a dangerous mistake to make.
You’re practically giving the information to hackers yourself by doing this, because it means that once a cybercriminal has access to one of your organization’s accounts, they have access to all.
Plus, creating specific logins for employees helps organizations keep track of what happens internally. If a data breach does happen, you can discover where the breach came from and who was responsible. This also gives employees an extra layer of security, since they won’t be getting the blame for something that wasn’t their fault.
Instill a Strict Password Policy
Let’s face it, you might feel like you’re getting told to change your passwords all the time.
So, to save mental energy, you might decide to go with something easy to remember… like “password”.
If you do this, you may as well be saying to a group of bank robbers, “I’m going to leave the gold on the table and close my eyes for twenty minutes. I sure hope the gold’s still there when I open them!”
But we all know it won’t be.
It may seem like a joke, but techlabuzz says the password “12345” was found 23 million times in various data breaches. Therefore, if you’re working on the IT team or you’re managing other employees, you need to enforce the priority for employees to create strong passwords.
The best way to do this is to use a mix of numbers, letters, and characters, as well as uppercase and lowercase: for example, (?P&s5w0Rd33!).
Need a little bit of help remembering? Try creating a sentence and turning it into an acronym, like this:
Bobby and Margo baked 76 cakes and… ate them all!!
Translate to: !!B&Mb76c&-@3TALl!!
(Just don’t write it on a piece of paper and stick it on your laptop — that completely defeats the purpose!)
And yes, even if you do have a secure password, it’s still important to change it frequently.
Make a Back-Up. And Then Another One, Just in Case. And Then One More
When saving data, it isn’t enough to save it once.
Or even twice.
For maximum safety, you should be storing data in at least three different locations.
That’s because if a device breaks, you have no access to your information. So, you need back-ups. You can save it on to a computer’s internal memory, the cloud, or an external hard drive — preferably all three.
This might seem like overkill, but in case of any hardware malfunction, you’ll be glad you did.
(And considering the state of many nonprofit computers… hardware failure might be more common than you want to admit!)
Take The Proper Steps When Disposing of Old Tech
Not every nonprofit is able to have access to the latest tech right away, but when you finally get to update your system, make sure you don’t ditch the old one right away.
Think of it like selling a personal phone.
You wouldn’t just leave all your contacts on there for anyone to see. Instead, you would delete all the information on there and set it back to factory settings because, at the end of the day, you don’t know where that device may end up and who will have access to the info on there.
It’s better to be safe than sorry!
So, when your organization finally gets the chance to replace that fax machine (kidding! Or am I?) you want to make sure that you’ve wiped all the information off it, as well as storing it in one of those multiple backups I mentioned in the last point. Only then can you safely dispose of it (or pass it off to the next nonprofit!).
Report Possible Security Breaches ASAP
Sometimes, it doesn’t matter how much security you apply. A security breach will still happen.
So, when it does, it’s important to have a plan in place with steps you can do to mitigate the damage.
The first thing to do is to report it right away. The sooner that a breach is reported, the less data that is exposed — and the quicker the perpetrator is found and stopped.
You also need to ensure that all employees know what steps they need to take. This ensures you are all on the same page — so if you don’t know what your organization’s plan is, go ask your IT department today!
Your plan should also cover what needs to be done to inform donors of any potential breaches — before they find out through the news.
For example, let’s say you have had a breach of the computer telephony integration software you use. Contact victims and let them know. Tell them which pieces of information have been stolen and the outcome of this before they find out from national news sources.
Then, to reassure donors, inform them what you’re doing to update your system to make sure it won’t happen again. Let them know that if their information has been stolen, what this means and what you’re doing about it.
Encourage them to keep donating to your nonprofit and reassure them you are doing everything you can to keep their information safe.
Compile and Create a Security Standard For All Employees
It’s the responsibility of every staff member to practice security protection.
So, you need to talk to your fellow employees and find out where security is needed the most. Then, collaborate with your IT department to fix all possible points of vulnerability.
You should also take the time to brief your employees on the practices that will keep themselves and your organization safe. Not only does this help build a more connected workforce, but it helps keep everyone involved safe, in the workplace and in their personal lives.
Data security is essential for every nonprofit — both so that you can keep your donors and beneficiaries safe and so that your organization can continue to grow and thrive for many years to come.
So, as a quick recap, here are the most important data security practices to keep all your information safe:
Creating separate logins means that any breach can be tracked.
Ensuring all staff have complex passwords makes your accounts harder to hack.
Back up all pieces of work three times in case there’s any data failure.
Make sure to dispose of any old tech properly, wiping all memory.
Report any data breaches that may occur ASAP to stop them from getting worse.
Training staff on all these points can’t guarantee a breach won’t happen, but it can minimize the risk.
We hope that all of these points help keep your data safe!