7 Best Practices for Keeping Your Non-Profit Data Safe

No question about it, donors are the greatest asset of the nonprofit industry. The last thing you want to worry about is the potential of your donor’s personal information being stolen or compromised. This article will get you started on the 7 best ways you can improve nonprofit IT support to keep your data safe!

We live in an age of constant cyber wars, with hackers always on the prowl. Unfortunately, nonprofits are top of their list as hackers assume with resources often stretched thin, nonprofits not putting much thought, energy or dollars into cyber security protection.

For many non-profits, a donor database compromise could mean at best, a stop to critical activities.

At worst, this could mean a complete collapse of the organization if donors lose trust in their ability to keep personal data protected.

Here are seven best practices for improving your non-profit data security.

1. Multi-factor Authentication for Enhanced Password Protection.

The most basic protection of your data requires multi-factor authentication (MFA), which is a security process in where the user has to provide two authentication factors to verify they are who they say they are.

This means a username and password (what the user knows) and something the user has in their possession – such as ID card, a security token or a smartphone (what the user has.)

MFA has become a non-negotiable, must-have item for any organization taking their data protection seriously, and is an easy, cost-effective way to protect your organization.

2. Phishing Prevention Training Keeps Employees Up-to-Date.

The best spam filter in the world still won’t stop phishing emails from getting through to your employees.

The absolute only way to prevent a potential business-ending catastrophe is to train your employees on an on-going basis.

Phishing emails are used to deliver viruses, steal passwords, install ransomware, and impersonate C-level employees to defraud organizations. The worst part is, they continue to have success every day.

It’s not a matter of IF you receive phishing emails, it’s WHEN.

93% of all security events are the result of phishing - don’t let your organization become a statistic. Explore options for phishing prevention training, including the ability to have automated training managed for you by a third party provider.

3. Intrusion Detection and Response (IDR) Monitors Networks Around the Clock.

Intrusion Detection and Response is a comprehensive threat monitoring, identification, and remediation solution consisting of automated software and security experts who operate 24/7.

Security standards from the National Institutes of Standards and Technology, the International Standards Organization, and the Center for Internet Security all agree, you need to actively monitor your network for signs of attack around the clock to ensure protection.

Most managed IDR solutions consist of three important layers:

• The first is an automated threat detection system. The system monitors for anomalies and subtle indications of attack and assess risk level faster and more accurately than a human ever could.
• The second layer is where technical expertise comes in. Security experts review the alarms created by the system, and gather evidence to immediately formulate a plan for countering the attack.
• Layer three is all about action. Trained security technicians implement the plan introduced in layer two in real-time without interrupting your daily work. You can go about your day while the experst keep the threats out of your business.

Check in with your IT team or IT service provider to explore the best IDR options for your organization.

4. Endpoint Detection and Response (EDR) System Protects Remote Devices.

Endpoint Detection and Response works to protect the devices you use every day - your computers and laptops, even when they operate outside of your office walls in home offices and other remote locations.

It used to be that your antivirus software was enough, at least to protect those devices that operated inside the office. But antivirus is no longer enough to protect you from modern hacking techniques, where attackers change their tactics in real-time.

Modern EDR software agents, embedded into your endpoints such as laptops, identify suspicious activity and shut down the attack  immediately, reporting the results back to a Security Operations Center (SOC).

Advanced EDR solutions will even provide a team that analyzes trends and digs deeper into the root causes of the alert, looking for signs of the most advanced and persistent attackers. 

Again, check in with your team to investigate the best options out there, or get in touch with a reputable IT consultant who can give you an un-biased opinion on the latest EDR solutions.

5. Make sure Servers are Payment Card Industry (PCI) Compliant.

Regulatory compliance is crucial for any industry, but non-profits should pay special attention to PCI compliance, as this is required for any online transactions. If you’re accepting online donations, you need to make sure you are protecting your donors.

If you’re not sure where to begin, or just need a brief security audit, there are many IT Service Providers who can tell you what you’re doing right, and what’s lacking in your current setup.

In the end, there’s no getting around PCI compliance when dealing with online transactions, so you should budget accordingly.

6. Don’t Forget about Protecting your Mobile Devices.

Since of your employees now carry around powerful little computers in their pockets and purses, mobile device security is an important consideration.

For starters, every organization should create, document and enforce BYOD policies. Here are 3 quick tips to get you started:

• Make sure employees have password protected their devices – and consider implementing a 6-digit password requirement to access your organization’s network
• Don’t underestimate the importance of email security – whether on smartphones, laptops or workstations – consider encryption software as well
• Look into Mobile Device Management (MDM) software, which will enable you to manage and protect all of your organization’s mobile devices

<<DOWNLOAD OUR SAMPLE BYOD POLICY HERE!>>

7. Implement a data backup and disaster recovery program.

The risk of losing data from server failures, natural disasters and especially security breaches has never been higher. It’s critical to protect your organization’s mission with the right data backup and disaster recovery.

Do not leave your most precious resource – your donor data – to chance with an outdated or half-baked solution!

Learn what to look for when selecting a backup solution. Modern, highly reliable solutions will provide full backups in a smarter, storage-saving way, limit your downtime, and offer functionality likely not available on older systems.

If your in-house team doesn't have the time or expertise to source the right solution, hire a third party expert who can guide you through the process, from selection to implementation and on-going management, if required.

Learn More About Managed Security Solutions

For most organizations, it can just simply be too overwhelming to figure out which cybersecurity solutions are needed to adequately protect their business. And hiring an in-house security team to manage all of it is way out of reach for all but the largest of organizations.

Managed Security Services are the most cost-effective way to get access to an entire suite of cybersecurity solutions that are completely managed for you. For a fixed monthly fee, around the clock proactive protection can prevent the unthinkable from happening. 

Watch the video below to learn what Managed Security Services are, and to see if this is service might be a good solution for protecting your valuable non-profit data.

Interested in learning more? Reach out to us to set up a time to discuss how we can help you get the cybersecurity protection you need!

Want to learn more about IT Services and Support for Nonprofits? See Ntiva’s Managed IT Services and Support for Non-Profits.