In the midst of the Covid-19 pandemic, nonprofits across the country are facing challenges that none of us have ever had to ponder, let alone tackle, before. Issues related to assisting those we serve, our staff, and volunteer teams are perhaps more pronounced than ever. Along with all of the new challenges and difficulties, there are a host of vital management and operations tasks that have always been on our plates—and continue to be on the proverbial “to do list.” Certainly, issues surrounding data risk management are among the most important.
Scams and phishing schemes in the midst of these uncertain times are prevalent. I am disheartened and intensely annoyed by the frequent messages in my email box from fraudulent emailers masquerading as my supervisor. In fact, a few weeks into the pandemic, our organization was the subject of a phishing scheme that caused every member of our team to spend significant time adding additional layers of security to our emails to ensure that the scheme did not impact our data and our members’ data. For some, the “fix” had to be carried out two or three times, causing additional downtime and inefficiency. Additionally, our entire team moved to a two-factor password authentication protocol – which may be burdensome for our team, but worth it to avoid major losses. We were fortunate, though. It could have been MUCH worse.
We offer some advice for how to manage risk through the Standards for Excellence: An Ethics and Accountability Code for the Nonprofit Sector. One of the Standards states “Organizations should make every effort to manage risk.” One aspect of risk management is the security of our data and systems. A recent study by McAfee (a leading cybersecurity company) indicated that “nearly 2/3 of people who use online services (more than two billion individuals) have had their personal data stolen or compromised.” Moreover, the report highlights the growth in cybercrime and the new technologies that cybercriminals are taking advantage of. Preparedness and vigilance are key for ensuring that, even if the worst should come to pass, your organization will be able to overcome challenges in this area.
Organizations should have adequate security in place that controls access to data. Generally, this involves controlling who has access to your system through robust login and user rights management. It also includes firewalls that secure internal systems against access from external networks (for most systems, this is the internet). Security also involves user education, as unattended workstations, shared passwords, or lost laptops are the most common access points for security breaches. In instances where remote access to internal systems is allowed, special care must be taken to secure these access methods.
These are just a few suggestions for mitigating data security lapses. Nonprofits should also consider cyber liability insurance for additional protection against online attacks. For the full series of tips and guidelines on data security, as well as other guidelines for nonprofits, check out the Standards for Excellence educational packet on Administrative Policies for more useful information. The educational packet includes helpful resources on data security, what steps to take to protect your data, what to be wary of in regard to external threats, and how to mitigate a data disaster.
This educational resource packet and the full series of all packets – including sample policies, tools and model procedures to help nonprofits achieve best practices in their governance and management – can be accessed by contacting a licensed Standards for Excellence replication partner, one of the over 150 Standards for Excellence Licensed Consultants, or by becoming a member of the Standards for Excellence Institute.
We share our sincere wishes for your continued good health and patience as we all navigate these challenging and uncertain times.