7 Steps Not-for-Profits Can Take to Protect Sensitive Data
The protection of sensitive information is vital in today’s operating environment. There were more than 100,000 information security incidents and 3,141 confirmed data breaches in 2016, according to a recent Verizon Data Breach Investigation Report.
Not-for-profit organizations must be vigilant in how they manage and protect their sensitive information, including employee data, donor data and financial data. Hackers and cybercriminals use a variety of tactics to work around an organization’s information technology controls, from using fraudulent emails to ask employees for sensitive information (phishing) to finding gaps in system management.
Evaluating seven key areas of information security management can help not-for-profit organizations limit their exposure to data breaches. The following should be incorporated as part of your organization’s cybersecurity plan.
Educate Your Employees About Cyber Risks
The largest risk for cybersecurity breaches or other IT security incidents comes from human error—almost 95 percent of security incidents are caused by human error. This includes:
- Use of default usernames and passwords or easy-to-guess passwords
- Sending sensitive information to an incorrect email address or from a personal email address
- Double-clicking on an unsafe URL or attachment
- Sharing passwords with others
- Leaving computers unattended when outside the workplace
- Picking up and using random flash drives
Organizations can protect themselves from human error by training employees on their role in cybersecurity protection. Employees should be trained at least annually on cybersecurity policies, including the handling of suspicious emails, removable media such as flash drives, and portable devices such as laptops and smart phones.
Whether or not you have a bring-your-own-device (BYOD) policy, employees likely have some form of portable electronic device they use to access your systems. Mobile devices pose one of the largest BYOD risks. Your organization should evaluate its practices related to mobile devices to ensure each device is configured so that only authorized mobile code runs, under a clearly defined security policy, and that unauthorized mobile code is blocked before it can reach your network. Devices should also be encrypted and support remote wiping of sensitive data in the event the device is lost or stolen. Remote wiping helps ensure unauthorized users do not gain an access point into the organization’s network through the lost device.
Be Aware of Emerging Threats
One of the most common threats to information security comes from malware, software designed to disable or disrupt computer systems. Many mobile phone applications contain critical or high-risk vulnerabilities that leave users susceptible to malware. Individuals often inadvertently download malware, or expose themselves to it, by clicking on unknown links, downloading unfamiliar mobile phone applications or installing browser plug-ins. Regular, secured backups of files can help minimize the effects of a malware incident. Internal controls should be configured to minimize the damage from a potential breach. The FBI also suggests application whitelisting, where systems execute only programs that are known and permitted by a security policy.
Know Your Notification Requirements
Penalties for improper breach reporting can add insult to injury in an information security incident. After an information security incident has been contained, organizations will need to communicate what happened to the parties affected by the breach. Notification laws vary by state, but typically define when a breach has occurred, the timing and/or method of the notice, who must be included in the breach notification and the penalties for noncompliance. Some states require notification to all affected users of sensitive data within four business days. There is no one-size-fits-all approach to notification laws, so a careful evaluation of the jurisdictions your organization serves is highly recommended and can help your organization be prepared in advance should an incident happen.
Monitor Third-Party Providers
Not-for-profit organizations may contract with service providers for a number of tasks, from payroll to bookkeeping and outsourced IT providers. By their nature, these third-party relationships have a degree of risk involved because the third-party provider may need access to your organization’s network, which increases the likelihood of an unauthorized external intrusion.
An inventory of what third-party providers do, what types of systems and data they need, and who manages their access permissions will help with your risk management. Limiting external access points helps ensure preventive controls exist to cover these risks. Your assessment should also identify the time periods during which access is granted. Typically, no external third-party vendor should have 24/7 access to your systems, even if your entire IT function is outsourced.
Third-party arrangements, particularly with service providers that will be working with valuable data, should include specific security requirements that the service provider is obligated to meet. It would be wise to review the contracts with your third-party providers to see what security elements they are contractually obligated to provide to your organization. Risk management strategies between your organization and its third-party providers should be aligned so that both parties are kept aware of new security regulations and requirements, how to report any suspicious activity and how such activity is to be resolved.
Evaluate Logical Controls
The protection of your organization’s information security involves one key principle: control over system or software access, also known as logical security. Access can be controlled in a number of ways, from permissions within a software system to proper segregation of duties. Permissions and access codes should be routinely monitored, particularly during periods of vendor changes or employee turnover. From a software perspective, proper segregation of duties often involves proper change management controls. A user who makes updates to a system should have at least one other person approve them before the updates are moved into production.
Once IT and management have IT policies and procedures in place around cybersecurity, it is advisable to conduct periodic testing of the controls. Simulated phishing emails and penetration testing may be useful, not only for testing how a company puts its information security protocols into action but also to see the effectiveness of logical controls and other security elements during a potential security incident.
Social engineering and external/internal network penetration testing should be considered if your organization has not conducted these types of tests in the past. The simulation of an email phishing scheme, for example, can help indicate whether employees understand how cybercriminals can use email to manipulate users into giving away sensitive data. Penetration testing can indicate where there are holes in the firewalls and the IT control environment, and where processes may need to be improved to close those gaps in security.
It is advisable to use an independent third-party firm to conduct the testing, to uncover shortcomings that may not be obvious to internal IT management. Third parties can review existing policies and procedures, perform testing and make recommendations to mitigate risks based on their findings. In addition, it is advisable to have a third-party firm perform a cybersecurity assessment to identify the gaps in your organization’s security policies and procedures, and then put a remediation plan in place to close those gaps.
For More Information
If you have specific comments, questions or concerns about your organization’s cybersecurity, or are interested in an independent third-party security assessment, please contact us.
Copyright © 2017, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).