Data breaches can occur in any organization, and not-for-profits (NFPs) are not immune. Oftentimes NFPs can be at risk because their systems are not up-to-date or are simplistic in nature. It’s very important for NFPs, especially those that collect donor or member information (including names, addresses, email addresses, and credit card information), to address cyber security frequently and holistically. Data breaches don’t have to just mean cyber attacks, either. They can be caused by human error, like employee misplacement of equipment; i.e. laptops, smartphones or flash drives. Most cyber attacks can be prevented through a more vigilant approach to cyber security. There are several components to consider when assessing your organization’s overall security.
There are four cyber security principles to consider:
- Confidentiality – ensuring information is protected from unauthorized access.
- Availability – ensuring information and systems are reliable and available for end users.
- Integrity – ensuring information is protected from unauthorized changes.
- Security – ensuring that information is confidential, available, and held in integrity through the use of appropriate controls.
There are several controls or tools to consider to improve your organization’s cyber security.
- Access controls – do you have strong passwords? Are they changed often? Passwords should be user specific and never shared.
- Encryption – messages can be encrypted for secure delivery; this feature is becoming more cost effective, especially for smaller organizations as security needs increase.
- Backups – off-site backups are a key component of security.
- Firewalls – create a barrier between your secure systems and the rest of the internet.
- Anti-virus and anti-malware software – invest in good software, which includes regularly installing updates from the vendors.
Have a plan for your organization that considers the factors above. Some additional components to consider when developing your organization’s plan include considering:
- What’s important? Determine critical assets and what the threats could be.
- How to be proactive? Include controls to prevent problems, not just to detect them.
- Are we changing as often as necessary? Look at cyber security on an annual basis at a minimum and adjust accordingly.
- Do we have the right people? Sometimes it’s necessary to outsource security needs to an information technology (IT) firm. There are firms that specialize in NFP security available.
- Is open dialogue encouraged? All employees of an organization should be involved in assessing risk on a day-to-day basis. Encourage open dialogue if circumstances appear risky or out of the ordinary.
- Is proper training in place? Educating employees about all aspects of the security plan, as well as current security threats, is key to preventing data breaches.
For more information, please visit the American Institute of CPAs Cybersecurity Resource Center.