IT Security Strategy for Non-Profit Organizations
Keeping data safe is a social responsibility of any non-profit organization (NPO). Both large and small NPOs can have valuable data that need to be secured and kept away from the public domain. These data may be information about donors, company spending and invoices, or even personal data of employees and vendors. Hackers will not care what type of organization it is. If they have a means of disrupting or stealing essential data, they will do it. These data can also be used to market certain products to NPOs. Hence, an IT security strategy plays a very important role for any NPO.
First, the NPO needs to determine what type of data they may have. They may be collecting data like first names/last names, email addresses, dates of births, addresses, and other sensitive information about donors, board members, and volunteers to comply with legal requirements. During fundraising, they may be collecting credit cards, banking information, checks, or other dollar-related transaction data from donors. They may have data related to vendors and work that they do as an NPO. Finally, the NPO may have sensitive data about their own organization. These data can be categorized as Personal Identifiable Information (PII) per California Consumer Privacy Act (CCPA) and need to be secured in a way that only authorized employees of the NPO have access to it.
NPOs may face a lot of challenges when it comes to securing the PII data. Even for-profit organizations that have IT security budgets struggle to cope with complex issues such as malware cyber threats. On the other hand, security and privacy laws are getting stricter and constantly change to keep up with the pace of threats. NPOs need to figure out if they have a security culture where involved employees are taking responsibility apart from the social work that they do. Most of the time in NPOs, no one has prepared for a worst-case scenario for a cyber threat or data leak. Data and applications with sensitive information may be distributed between multiple vendors and the NPO, and just assuming they are secure may not be the right strategy.
NPOs need to work on some key aspects to secure themselves. Are employees trained on security regularly? Are they security-compliant based on the data they have, and do they audit themselves regularly? How would Human Resources and Public Relations in the company respond if it came to a data breach of an employee or a vendor? NPOs need to figure out beforehand how they would respond to a cyber incident or a data breach. For example, they should test and run a simulated real-life scenario at least once a year. A lot of these are usually covered in IT security strategy documents.
A few IT security items are considered as low-hanging fruits, and most of the NPOs should be doing them. For example, ensuring the use of a secure email communication system is key for any data transmission through email. The system should also ensure that all phishing emails are blocked. The lockdown of a digital donation system is another aspect of security and can be done with some effort. Doing a background check for all full-time volunteers for a large NPO ensures volunteers have good-will. Ensure there is physical and virtual security for vital key assets such as server rooms and digital assets. Lastly, there should always be a backup plan, either physical or virtual, to ensure the NPO can function properly in case of a cyber attack.
Having an IT strategy that includes a security aspect creates a strategic vision for the company with respect to technology direction and usage, data, and digital assets. It creates a balance among capabilities available, daily operational needs, and future direction. Having an IT strategy can also help with business advancement and can sometimes be used as a business leverage. The security aspect of this IT strategy document defines where the sensitive data like the PII can live and how will it be audited. It also defines the processes to support data and application access. An NPO should ask itself what the audit mechanism will be, when it will be checked (for example, quarterly or yearly), what the Security Key Performance Indicators will be, and how IT security will be enforced. NPOs gain a lot with these IT security strategies in place.
CLASS can help NPOs find a way to step up to a new level of security and show them areas of improvement within their organizations. CLASS consultants can help nonprofits with formulating a strategic plan, an organizational design, key performance indicators, a volunteer development strategy, and other business consulting services. If you would like to know more, you can read our case studies here and testimonials here.
The CLASS Consulting Group is a trusted advisor to the boards of directors and senior leadership of the West Coast nonprofit organizations. It is a boutique management consulting firm headquartered in the San Francisco Bay Area that provides consulting services to senior management and boards of directors of nonprofit organizations and offers community leadership opportunities to professionals.
Since 2002, CLASS volunteers have been assisting nonprofit organizations in the SF Bay Area, and now the West Coast, and supporting the communities in which we all live and work. Learn more about our mission and story.