Nonprofit and community organisations need to pay careful attention to cybersecurity and compliance. Cybercriminals - and the threats that today come with them - are more sophisticated, damaging, and complex.
Nonprofits often handle sensitive information such as housing situations, donor information, health information, and other highly confidential data, making them a desirable target for cybercriminals. However, it is common for nonprofits to lack the budget, time and resources to implement cybersecurity and privacy policies effectively, making cybersecurity a more challenging task than it is for other industries.
The world depends on our amazing nonprofits to deliver services to those in need, and thanks to the cloud, many nonprofits can now do this more efficiently. However, cybersecurity and data protection are often an afterthought, potentially exposing these organisations to threats and regulatory risks (like Australia's Data Breach Scheme). This can result in a chain reaction impacting not only the community, but the organisations themselves, as well as their budgets and future funding opportunities.
Microsoft surveyed 50 nonprofits and found that most participants didn't employ essential security practices within their organisation. Here were their findings:
- 60 percent of the nonprofits stated that they did not know their organisation's policy on security risks, equipment, and data privacy.
- 74 percent reported that they did not use multifactor authentication.
- 46 percent reported that they regularly used unsecured wireless devices on a network.
- 92 percent stated their staff could access organisational email and files using their personal devices. The remaining 8 percent that did not permit staff to use personal devices for work reported that staff did it anyway.
Unfortunately, there is no security standard designed specifically for nonprofits. To reduce the risk, however, it is recommended that all nonprofits (big and small) develop and implement both strategies and policies within their organisations. Here are some things you should consider when implementing these within your organisation:
Understand your threats and regulatory risks
The best way to start developing plans and strategies is to identify where your risks are located. When the Office of the Australian Information Commissioner (OAIC) introduced the Data Breach scheme in February 2018, only 50% of organisations were prepared. The OAIC received 31 notifications in the first three weeks of the Data Breach scheme, which may be a result of this lack of preparedness.
To ensure your organisation isn't the next organisation notifying OAIC of a breach, conduct a risk assessment. The risk assessment should align you with any laws and regulations that affect your organisation and highlight any potential risks.
You should also add documents to support your risk assessment, such as an inventory of your organisation's assets.
Protecting your organisation
As the old saying goes - prevention is better than cure. The same can be said for protecting your organisation - develop safeguards that will reduce the risk of your nonprofit's environment being compromised. For example:
Reduce permission and access - only give individuals access to data that their role requires.
Stay up-to-date - Did you know that cybercriminals target devices that:
- Have not been patched with the latest updates
- Have not had the default username and password changed
Your organisation should ideally only allow devices that meet a defined set of minimum security requirements, such as the latest software updates and non-default passwords. These devices include computers, printers and security cameras. Having your organisation's devices monitored and on a maintenance schedule can help resolve this issue.
Make your accounts hard to hack - ensuring your passwords meet complexity requirements and incorporating multi-factor authentication will make your organisation's accounts harder for cybercriminals to compromise.
Ensure you have regular backups of all your valuable data. This may be your only salvation in the event of a disaster. You will also want to consider storing your backups offsite (or in the cloud), as well as how quickly your organisation is going to be able to function in the event of a disaster.
Monitor your environment - speak to the organisation that provides your IT support, and check that your network is being monitored for unusual activity. Evolve IT does this for a large number of clients to ensure their protection.
Educate, educate, educate. Helping your staff through education programs is key to keeping your organisation safe from spear phishing and other cyber attacks. It is important to note that cybersecurity training is not a one-off exercise; repeating the training with the latest threats at least every 12 months is a good place to start.
Detect and respond
When your environment is compromised, you need to have a defined policy that you and your team can follow.
In the event of a breach, your team needs to be able to identify where and when the breach occurred, how it occurred, and what data may have been compromised. If you determine that harm may occur as a result of the breach, the Office of the Australian Information Commissioner needs to be notified.
We have written an insightful article on Australia's data breach laws that explains this.
If you need to recover your data, you may need to exercise your disaster recovery plan. When considering a disaster recovery plan, take into consideration cost versus how quickly you need to be operational in the event of an emergency.
Protecting the data of your employees, donors and vendors can seem like a daunting task. However, if your nonprofit organisation can start with the steps above, you'll be on the path to becoming a resilient - and secure - nonprofit organisation.
If you need any help creating your policies or strategies, give the team at Evolve IT Australia a call.
How Evolve IT can help
We take great pride in partnering with organisations. Our team specialises in developing customised solutions to help you get the most out of your technology.