In January 2022, a data breach against Broward Health—a nonprofit organization that manages health care in Florida—affected 1.35 million private data records, including social security numbers. Another breach against the International Committee of the Red Cross resulted in the compromise of 500,000 personal data and confidential records. Cyber attacks are more common than you think. In fact, the count of global cyberattacks increased nearly 40% in 2022. This begs the question, how strong are your organization’s data cybersecurity measures?
In this guide, we’ll detail the top data cybersecurity dos and don’ts for your organization to stay safe from online threats. Adopt these best practices into your organization’s data hygiene routine to stay protected for years to come.
Do: Invest in secure software.
According to Double the Donation’s donor data guide, nonprofit data protection is of utmost importance as “failing to take proper security precautions can result in a violation of donor trust.”
For nonprofits, protecting donor data is essential as it travels between systems frequently. Organizations use donor databases to collect donor names, contact information, and payment information. When marketing systems are used, this data passes from your donor database to your marketing software to reach supporters.
Here are some key features to look for when considering software security:
- Encryption or tokenization. This process describes how data is transformed into a different format that requires either a key or a token for the data to be read. Healthcare nonprofits typically use encryption to keep their integrated electronic health records (EHRs) safe from attacks.
- Firewalls. These can either be a part of your software or hardware as a security measure that monitors incoming and outgoing traffic, blocking suspicious activity based on preset protocols and security rules. Firewalls create an additional protective barrier between your organization’s data and hackers.
- Automated updates. The software you choose should include regular updates to fortify existing security systems as out-of-date software will make your data more vulnerable to cyberattacks.
Smart data management begins with storing your data in a safe and reliable location. Ensure your software includes these features, and if you’ve found your current software does not measure up, look for a new solution with increased protection.
Don’t: Use weak passwords.
Did you know that an estimated 81% of data breaches are due to poor password security? This sobering statistic should encourage your team to reassess your password management. Fortunately, this vulnerability is easily amended with password safety protocols.
According to Swoop, your password should adhere to the following best practices:
- Use at least 8 characters.
- Include a mix of uppercase and lowercase.
- Be different for other accounts.
- Be random.
On the other hand, your password should omit:
- Dictionary words.
- Personal information.
- Predictable phrases or numeric patterns.
Avoid changing your password frequently as this can increase the risk of hackers accessing your data. If you often forget passwords, consider using a trusted password manager that adheres to the tips mentioned in the above section. Also, steer clear from writing your passwords down on your computer, such as in your notes app or a document, as that makes it much easier for attackers to exploit your data.
Do: Stay up to date on compliance requirements.
The software you choose should be compliant with the latest security regulations, but that doesn’t mean you shouldn’t be mindful of basic compliance stipulations and updates. Doing so will also inspire loyalty among your supporters and customers as they know your team proactively stays informed. Not to mention, being mindful of these security requirements also protects you from severe penalties, fines, and potential legal actions against you.
Depending on the nature of your organization, there will be different compliance requirements as they can vary across educational, healthcare, and human rights-based organizations. Here are a few standards and resources to familiarize yourself with:
- Payment Card Industry (PCI) compliance. This process refers to fulfilling necessary security requirements that will keep your customer’s data protected. PCI-compliant or PCI-certified software specifically protects cardholder data, so that your supporters can safely make transactions online.
- International Organization for Standardization (ISO) compliance. This organization is the world’s best-known standard for information security management systems (ISMS) and defines the requirements needed to adhere to it. Conformity to these standards indicates that your organization has put in place the highest measures to manage security risk.
- Family Educational Rights and Privacy Act (FERPA). Organizations that receive funding from any program administered by the U.S. Department of Education must comply with FERPA’s standards to protect student educational records. This requires consent for disclosure and secure storage of student data.
- Healthcare Insurance Portability and Accountability Act (HIPAA) compliance. Nonprofits that handle protected health information (PHI) must choose systems that comply with HIPAA. There are several negative consequences that non-compliant organizations can run into from financial penalties to professional license revocation.
As you research these regulations, ask for more information from your software provider if you’re unsure about your compliance. For example, if a healthcare nonprofit decides to partner with an analytics company, it should ask about HIPAA compliance and standards across the vendor’s platform.
Don’t: Forget to incorporate additional privacy measures.
Strengthening your security goes beyond just understanding regulations. In fact, there are a few key measures you can take to level up your existing security. These include:
- Applying for an SSL certificate. SSL stands for “secure sockets layer.” This offers security for online interactions between your website and its users. Websites with SSL certificates include HTTPS in their URLs which indicates high levels of encryption and verifies your website’s validity to search engines.
- Investing in a VPN. VPN stands for “virtual private network” and includes additional safety and security measures by building a data tunnel to hide your IP address. It also encrypts your data and connections.
- Managing user account permissions. The more individuals who have access to your data, the more vulnerable it becomes. By managing account permissions, you’ll be able to safeguard sensitive information if one team member’s account is compromised.
Consider finalizing security breach response protocols in addition to utilizing the above security tips. Your plan should include defined responsibilities, contact protocols, and data recovery best practices. This plan will provide you with instructions on how to handle worst-case scenarios should any of your systems unexpectedly fail. Consider running through simulated exercises to be sure each team member understands their duties.
Do: Educate your staff.
Over half of companies do not offer mandatory security awareness training. Even if your security measures are up to date, not having an informed staff is an exposed vulnerability. Break away from the majority by educating your employees on key safety protocols.
A proven method for security education is to incorporate it into your organization’s regular activities. This can look like:
- Adding cybersecurity training to your onboarding process for new members to quickly get up to speed.
- Creating a data training procedure for your whole staff and new employees. NPOInfo’s guide to data hygiene suggests developing a shared document that includes the information employees need to manage your database securely.
- Keeping a running list of security documentation within your organization’s policy handbooks.
- Attending online training, conferences, and reading resources to sharpen existing cybersecurity protocols.
- Providing instructions for proper data handling for both data exchange and data aggregation.
- Hosting cybersecurity workshops to talk through relevant, real-life examples of cybersecurity attacks and how your organization can learn from them.
Proactive staff education is the best way to stay ahead of cyberattacks. To maintain integrity and security, everyone on your team needs to be on the same page. This way, you can avoid knowledge gaps and keep your donor data safe.
Cybersecurity threats are not to be taken lightly. Do the necessary research to ensure all of your systems are compliant, updated, and protected from those who would like to steal your information. By incorporating these dos and don’ts, you’ll enhance your organization’s reputation and trustworthiness among your stakeholders.