Data Security for Nonprofits

To begin, what do we mean by Digital Security? In short, it is the protection of the digital assets that your organization maintains. There is real financial value in the digital assets of your organization. For example, a stolen credit card number sells for anywhere between $5 and $150 on the dark web. Take a minute and think about how much credit card data your organization has stored in its fundraising system.

It is not just financial information that is at risk. Sometimes, actors want access to information about those that you are serving for something other than financial gain. There’s the basic stolen identity stuff like social security numbers, addresses, and birth dates. Then there are more targeted goals, like governments trying to identify opposition actors or LGBT activists. If your organization works with individuals and populations that are marginalized or exploited you must consider that those doing the exploiting might value your data.

When it comes to digital security you must assume that someone is trying to take the valuable information you have — and that it is your job to thwart their efforts.

The most common way that information is leaked is through people inadvertently giving an adverse actor access to your system. This happens through tactics like baiting, phishing, and scareware where an adverse actor tricks an employee into giving up information allowing them to access your information. It also happens through gaining access to compromised passwords elsewhere and then re-using them on your system. So the first line of defense for your organization’s digital security is your people. Invest in password management apps that make it easy to create unique passwords for every log-in and two-factor authentication for your systems. Teach people throughout your organization how to identify when they might be the targets of these social engineering campaigns and you will be increasing the security of your data.

The reality is that sometimes an intruder will gain access to your system. It’s now important to identify that activity as quickly as possible. Cybersecurity tools from companies like Splunk or DataDog can identify these threats and help your team respond quickly and efficiently. If your system is compromised, it is important to communicate these breaches as clearly and quickly as you can. You have been entrusted with people’s information, and if that information is compromised they have a right to know in order to respond themselves.

The last best practice to get started with is a bit counterintuitive: it’s to destroy your data! If your organization is storing data it is no longer using, you should destroy that data. It’s a simple cost-benefit analysis. If you are no longer getting value from your data, it becomes a liability; it makes no sense to keep that information lying around! Create a policy and a practice for destroying data that is no longer being used. If you don’t want to destroy all of the information then destroy the identifiable aspects that have the highest risk associated with them.

As you go along your digital security journey and if you have more amounts of sensitive information there is more that can be done to ensure the safety and security of your data. For example, investigating whether your organization should pursue cyber liability insurance to invest in better tools for monitoring threats to build out a team that is solely focused on ensuring the security of your data.