Hacking is once again in the news this week with the theft of emails from the Democratic National Convention, just ahead of Hillary Clinton’s nomination. While small nonprofits may not seem as juicy a target as the Democratic Party, we are vulnerable all the same. Nonprofits – especially those involved in service delivery – collect some pretty sensitive data about people, including dates of birth, income levels, and lots of other identifying information.
One thing that makes nonprofits an appealing target for cyber criminals is the often poor IT security infrastructure in place. Files are left kicking around on laptop hard drives and USB sticks, protected by simple or nonexistent passwords. What’s worse, a data breach can bring all sorts of nasty unwanted publicity to an organization – and might even jeopardize its ability to win future government funding.
‘Okay,’ you say. ‘Digital security is a big deal for nonprofits… but how do we fix it?’ Here are four steps you can take right now to make your organization more secure:
- Create a data security policy, and ruthlessly enforce it. It’s hard to expect your employees will properly handle sensitive data if they’re not given direction. You can clear up this ambiguity by writing a concise, prescriptive policy that sets out expectations for how data will be accessed, managed and disposed of. There are loads of templates and real-world samples kicking around online. Here is a great example courtesy of Sophos, a respected cyber security firm.
- Require strong passwords for all IT devices and web-based accounts. This is a biggie. I’ve come across lots of shoddy passwords in my work with nonprofits. While ‘wearecool123’ might be easy to remember, it’s also super easy for any two-bit hacker to crack.
There are two main options for making strong passwords. One is to use a random password generator (like the one found here) in conjunction with a password management app like LastPass or 1Password. In my experience a password manager is the only sane way of managing random-character passwords. They’re almost impossible to memorize, which means your employees will likely end up writing them on stickies (!!) without an app.
The second option (my preference) is to use a diceware password. What’s diceware, you ask? It’s a method devised by a really smart computer scientist that uses dice rolls together with a big word list to create super strong passwords that are easy to remember. Basically, each group of dice rolls corresponds to a numbered word on the list. After rolling a predetermined number of times, the eventual outcome is a random string of everyday words.
You can read more about diceware and download the word list here. All you need is a pair of dice (actual casino dice are best), the list and a wee bit of patience!
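To show the mechanics of the method, here is an added Go example (it is not code from this post or from the diceware author). It makes two assumptions purely for illustration: the operating system’s random number generator stands in for physical dice, and a constructed 36-word list stands in for the real 7776-word one (which is why two dice per word are enough here, versus five with the real list). The entropy calculation shows why the word count matters more than clever spelling.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Constructed 36-word list for the example. The real Diceware list has 7776
// words, one for every possible five-dice roll (6^5 = 7776).
var sampleWordList = []string{
	"apple", "bread", "canoe", "delta", "eagle", "flute",
	"grape", "house", "igloo", "jelly", "kayak", "lemon",
	"mango", "noble", "olive", "piano", "quilt", "river",
	"salad", "tiger", "ultra", "vivid", "wagon", "xenon",
	"yacht", "zebra", "amber", "bison", "cider", "daisy",
	"ember", "fjord", "gecko", "honey", "ivory", "jumbo",
}

// diceNeeded returns how many six-sided dice must be rolled to index a list of
// listSize words: the smallest n with 6^n >= listSize (5 for 7776 words, 2 for 36).
func diceNeeded(listSize int) int {
	n, span := 0, 1
	for span < listSize {
		span *= 6
		n++
	}
	return n
}

// rollDie stands in for a physical die: a uniformly random face 1..6 drawn from
// the OS CSPRNG. Real diceware uses actual dice; this substitution is the
// example's assumption.
func rollDie() (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(6))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()) + 1, nil
}

// rollsToIndex turns a sequence of dice faces into a zero-based list index by
// reading the faces as base-6 digits: 1-1-1-1-1 -> 0 and 6-6-6-6-6 -> 7775.
func rollsToIndex(rolls []int) int {
	idx := 0
	for _, r := range rolls {
		idx = idx*6 + (r - 1)
	}
	return idx
}

// passphrase builds an nWords-word diceware passphrase from list. For each word
// it rolls diceNeeded(len(list)) dice, converts them to an index and looks the
// word up. An index past the end of the list (only possible when the list size
// is not a power of six) is rerolled rather than wrapped, so no word is favoured.
func passphrase(list []string, nWords int) (string, error) {
	dice := diceNeeded(len(list))
	words := make([]string, 0, nWords)
	for len(words) < nWords {
		rolls := make([]int, dice)
		for i := range rolls {
			r, err := rollDie()
			if err != nil {
				return "", err
			}
			rolls[i] = r
		}
		idx := rollsToIndex(rolls)
		if idx >= len(list) {
			continue // reroll
		}
		words = append(words, list[idx])
	}
	return strings.Join(words, " "), nil
}

// entropyBits is the guessing strength of nWords words chosen uniformly from
// listSize candidates: nWords * log2(listSize). Six words from the real
// 7776-word list give about 77.5 bits.
func entropyBits(nWords, listSize int) float64 {
	return float64(nWords) * math.Log2(float64(listSize))
}

func main() {
	p, err := passphrase(sampleWordList, 5)
	if err != nil {
		panic(err)
	}
	fmt.Println("passphrase:", p)
	fmt.Printf("5 words from the sample list: %.1f bits; from the real list: %.1f bits\n",
		entropyBits(5, len(sampleWordList)), entropyBits(5, 7776))
}
```

Swap `sampleWordList` for the published list and the same code needs five dice per word, exactly as the manual method does; the reroll branch never fires then, because 7776 is a power of six.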
- Encrypt sensitive data, especially in the cloud. With the rise of remote work and mobile offices, companies and nonprofits have started relying more on cloud services (Dropbox, OneDrive, Google Drive, etc.) to store files and collaborate on work. This is a great trend, but it also makes your data vulnerable to remote hacks. While the risk might be low for generic files like newsletters and event photos, any files that contain identifying information are potentially vulnerable.
Dropbox and some of the other major cloud providers actually encrypt their data on the server side, which is good. However, this doesn’t protect your data from being accessed by someone who manages to exploit a loophole or access the servers from the inside. You can add a second layer of protection by using a free encryption tool like BoxCryptor or Viivo, both made by reputable software companies. These apps will encrypt your information on the client side (your local machine) before uploading to the cloud. This means that your data is only accessible via the private key that’s known to you alone.
Is it a bit of a hassle going through this added step? Yep. Worth the extra effort to prevent your data from being stolen in the cloud? Absolutely.
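To make the client-side idea concrete, here is an added Go example; it is not BoxCryptor’s or Viivo’s code, just the same principle in miniature. It assumes AES-256-GCM as the cipher, generates the key on your machine, and uses an in-memory map as a stand-in for the cloud provider; the client record is a constructed sample. The point to notice is what the provider ends up holding: only ciphertext, and because GCM authenticates the data, a blob that has been altered on the server side is rejected on download rather than silently decrypted to garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newKey generates a 256-bit AES key on the local machine. This is the private
// key known to you alone: it is never sent to the cloud provider.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A fresh random nonce is used for every file; the tag lets decrypt detect tampering.
func encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt reverses encrypt. It fails (rather than returning garbage) if the key
// is wrong or any byte of the stored blob was changed.
func decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob is too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// cloudStore stands in for Dropbox/OneDrive/Google Drive: whatever is put here
// is exactly what the provider, or an intruder on its servers, can see.
type cloudStore map[string][]byte

// uploadEncrypted is the client-side step: encrypt locally, upload only ciphertext.
func uploadEncrypted(store cloudStore, key []byte, name string, contents []byte) error {
	blob, err := encrypt(key, contents)
	if err != nil {
		return err
	}
	store[name] = blob
	return nil
}

// downloadDecrypted fetches the blob and decrypts it locally with your key.
func downloadDecrypted(store cloudStore, key []byte, name string) ([]byte, error) {
	blob, ok := store[name]
	if !ok {
		return nil, fmt.Errorf("no such file in cloud store: %s", name)
	}
	return decrypt(key, blob)
}

// leaksPlaintext reports whether the stored blob contains the contents verbatim,
// i.e. whether the provider could read the record without the key.
func leaksPlaintext(store cloudStore, name string, contents []byte) bool {
	return bytes.Contains(store[name], contents)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	store := cloudStore{}
	// Constructed sample record of the kind a service-delivery nonprofit holds.
	record := []byte("client: J. Doe, DOB 1984-03-09, annual income 31200")
	if err := uploadEncrypted(store, key, "clients.csv", record); err != nil {
		panic(err)
	}
	fmt.Println("provider can read the record:", leaksPlaintext(store, "clients.csv", record))
	back, err := downloadDecrypted(store, key, "clients.csv")
	fmt.Printf("decrypted locally: %q (err=%v)\n", back, err)
	// Someone with server access but without your key gets an error, not data.
	otherKey, _ := newKey()
	_, err = downloadDecrypted(store, otherKey, "clients.csv")
	fmt.Println("without the key:", err)
}
```

The practical caveat this illustrates is the flip side of “known to you alone”: if the key is lost, the provider cannot recover the files either, so the key needs its own backup outside the cloud account it protects.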
- Practice good old common sense when handling sensitive data. During my years working in the federal government, it astonished me what people sometimes put into emails. The phrase ‘email is forever’ comes to mind. There is no taking an email back; once a message goes out into cyberspace, it can be forwarded, altered or published by anyone. Keep this in mind when you’re next logging into Gmail or Outlook.
My goal isn’t to make you paranoid about every email you send. Rather, I’m just arguing that we should be sensible about what we put in email. Criticisms about your boss and/or employer, crass remarks about clients, and identifying information about people are all no-no’s. When in doubt, pick up the phone. And for heaven’s sake, don’t leave a portable hard drive lying around containing critical information on over 580,000 student loan borrowers! (yes, this actually happened: http://www.macleans.ca/education/uniandcollege/data-lost-on-583000-canada-student-loan-borrowers/).
With a little forethought and some solid policies, we can all make our nonprofits more secure from prying eyes and thieving hands. Happy encrypting, everyone! 🙂