The blunt truth is that companies get hacked. If the Equifax breach taught us anything, it’s that any business can be a target and the road to recovery is often grueling and ugly.
Just as any for-profit company is susceptible to attack, nonprofits aren’t immune to the threat of being compromised. In fact, it’s a major concern that all nonprofits need to pay attention to, especially since they:
- Conduct e-commerce, like accepting and transacting donations
- Store and transfer personally identifiable information (PII)
- Collect data on donor habits and preferences, like newsletter subscriptions
In order to prevent data and security breaches, you need to implement and maintain the right infrastructure.
We spoke with Classy’s technical engagement manager, Michael Prodor, to discuss why you can’t afford to overlook your nonprofit cybersecurity, as well as some ways you can stay prepared.
Identifying the Issues
Look at the different systems operating at your nonprofit—like CRM and financial tracking systems—as pieces in a closed circle. Information flows freely between all systems in this circle. When you integrate a fundraising platform like Classy, you’re adding another system into that circle.
Because they’re constantly exchanging information between one another, every system in your circle needs to be held to the same standard of security. According to Michael, you’re only as strong as your weakest link here.
For example, when you add a new member in Classy they become a new member in your financial system, and if you use Salesforce, then they become a new member in there as well. Their personally identifiable information (PII) like social security number, driver’s license, and credit card get passed from system to system.
If, along this pathway, the PII hits a system that has weak security it can become exposed to outside malicious parties. It doesn’t matter if your CRM has the most advanced protocols in the world—if one of your systems is weak, the entire circle becomes compromised. You’re only as strong as your weakest link.
When identifying your nonprofit cybersecurity concerns, it’s a safe bet that most revolve around financial information, sensitive data, and PII. However, don’t limit your analysis to only those three realms. There may be concerns elsewhere, even in something as simple as a supporter’s home address.
Understanding the Laws
Aside from monitoring these systems and PII, there are also government regulations and laws that demand attention. For example, certain states require you to protect PII no matter where it lives. It could be on your personal network, stand-alone systems, laptops, cell phones, and even paper.
Losing a sensitive device or important papers with PII doesn’t just mean facing potential fines. You also risk losing the trust of your supporters.
It’s important for your organization to understand these regulations, but it’s doubly important that the tech partners you work with do too. Make sure you conduct research on your state’s laws so if a breach does occur, you’re equipped to handle the fallout and recover.
Questions to Help Evaluate Your Nonprofit Cybersecurity
When you partner with an outside company or tech vendor, remember that it’s their responsibility to fit into your existing security infrastructure. If you have to fit into their protocols, you could potentially weaken your systems and open them up to attack.
Always ask your vendors if they’re regulated by the same security guidelines you hold your own organization accountable to. Outside of that question, Michael recommends these helpful questions when vetting new partners or reassessing your own security protocols:
- Does the partner conduct background checks on their employees?
- What services do they use to dispose of waste, like shredded papers?
- What kind of security protocols do they already have in place?
- When was the last time they audited their security?
- Have they been exposed to data breaches before?
There are ways your organization can attempt to control the situation, like enacting a clean desk procedure. This ensures that sensitive information isn’t exposed by your own employees and affiliates or by your partner’s.
The University of California Long Beach has a thorough clean desk procedure. Its purpose is that information, either electronic or paper, stays secure when work areas are left unattended.
There are many things that go into a successful clean desk procedure, but some important ones are:
- People must turn on their password-protected screensaver when they leave their desk
- Filing cabinets must be secured with locks
- Copies or prints of sensitive documents must be immediately removed from printers
- Passwords can’t be posted in openly accessible areas
It also helps to partner with a software company who knows the details of strong security, like Classy.
IT sometimes gets deprioritized at nonprofits, but it should always stay top of mind. Remember, your systems are only as strong as the weakest link, and you should continually be strengthening your technology stack.
Data and security are areas of the technological world that are rapidly evolving. To stay on top you need to choose the right vendors and partners—ones who also have a passion for staying ahead of the curve.
Classy follows industry best practices. You’re covered with us. If you want to learn more about how we keep organizations secure, talk with one of our experts today.