Building a Culture of Data Security in Nonprofits

Dave Nozal

I recently returned from a national information technology conference in Nashville where I saw the jaw-dropping statistic that nonprofits were the second-most targeted sector among Okta (a company that provides cloud-based software to help organizations secure user access to applications and systems) customers, behind the energy, mining, oil and gas sector. I wasn’t surprised, given the increase in phishing emails we receive at Propel and the growing instances of our partners in the sector falling victim to fraudulent attacks, but I wanted to be able to do something about it.

Attackers know that nonprofits represent low risk and high reward. The presenters from Okta said, “attackers know nonprofits are critical infrastructure to society and are backed by $557 billion in charitable donations.” Given this important role, and often under-resourced systems for education, prevention, and detection, nonprofits become an easy target.

What Can Be Done

Cybersecurity isn’t just an IT issue, but a business-wide concern. The foundation of strong cybersecurity is a robust security culture. At Propel, one of our most important tools for combating risk is creating a positive information security culture in our workplace. To do that, I focus on the following in my role:

  • Knowledge of inventory
  • Education and buy-in
  • Strong policies and procedures
  • Fostering secure habits

These elements all work together to create a cybersecurity culture that integrates in our daily work lives. Here’s how each of them looks for us; I hope these give you a few ideas for how to keep your organization more secure.

Security Basics for Every Organization

Some essential steps include:

  • Enabling multi-factor authentication everywhere
  • Using strong, unique passwords and password managers
  • Changing default passwords on devices
  • Keeping systems and applications updated
  • Deploying modern anti-virus solutions (EDR/MDR)

Knowledge of Inventory

You can’t protect what you don’t know exists. Nonprofits should maintain an up-to-date inventory of all hardware (laptops, servers, networking devices) and software (web apps, IoT devices). Visibility is the cornerstone of effective cybersecurity. Your inventory might include:

  • Hardware
    • Laptops
    • Servers
    • Networking devices (routers, modems, switches)
  • Software
    • Web applications (3rd party)
    • Internet of Things (IoT) devices: cameras, badge readers, TVs

If you don’t have an inventory of these items, challenge yourself to make a list by the end of October. It is Cybersecurity Month!

Education and Buy In

My partners at KnowBe4 often say: “Your employees are simultaneously your greatest vulnerability and strongest line of defense.” Something Propel tries to foster is a culture of learning and buy-in around cybersecurity. That looks like:

  • Educating staff about threats and best practices
    • Our team takes monthly trainings created by KnowBe4; all new staff go through the same eight trainings to create a baseline of knowledge. This includes topics like strong passwords, public Wi-Fi usage, phishing, and social engineering.
    • Cybersecurity training is an investment that protects the organization and is a transferable life skill for the employee.
  • Gaining buy-in from leadership and employees
    • Executive support, knowledge, and participation in cybersecurity culture are crucial.

Strong Policies and Procedures

As I mentioned earlier in this post: cybersecurity isn’t just an IT issue, but a business-wide concern. As a nonprofit leader, you are responsible for stewarding assets, sensitive information, and more. Here are a few ideas for you to consider as you create comprehensive policies:

  • Understand what laws apply to your organization
  • Only collect and retain data that you really need
  • Review your policies annually to make sure they are up to date with best practices
  • Involve as many staff as practical in the development of your workplace policies; this creates better buy-in across the organization
  • Consider cyber insurance and run tabletop exercises to prepare for real-world scenarios

Foster Secure Habits

One of the most important things to create a more secure organization is fostering ongoing secure habits. This is one of my favorite parts of my job as it means connecting with my colleagues about the importance of cybersecurity in their work and celebrating when they do a great job. Always avoid shame, and instead focus on how you are building a strong culture and working together.

Here’s how I like to foster habits:

  • Provide practical and easy to use tools:
    • Training reminders are emailed to staff daily when they have a training available or overdue
    • Our password management software integrates with all our platforms seamlessly
    • IT requests automatically turn into internal helpdesk tickets
  • Provide a safe way to report suspicious activity and celebrate wins
    • Encourage staff to report suspicious activity without fear of shame. Integrate security into daily routines and provide safe ways to report concerns. For example, we can report suspicious emails as “phishing” in our email client. Sometimes these are simulated attacks. When a colleague correctly identifies a phishing email, I make sure to celebrate this as a win.
    • Another example: when a colleague reports something “funny, weird, or odd,” I make the time to thank them for reporting. I want everyone to always feel comfortable in reporting anything suspicious.
    • When everyone has done their security trainings in a quarter, I celebrate by bringing ice cream treats for the team.

Where to Find Support

Nonprofits don’t have to go it alone. There are commercial and nonprofit organizations offering support:

Local user groups such as the Twin Cities Salesforce Nonprofit User Group and MN365.org provide opportunities to learn and share best practices.

You’re On the Right Path

If you’ve made it this far in this post, you are on the right path. Cybersecurity is a journey, not a destination. By building a culture of security, investing in training, and leveraging community resources, nonprofits can better protect their data, their people, and their missions.

If you’d like to talk about cybersecurity or have any questions, feel free to contact me at dnozal(at)propelnonprofits(dot)org.

Staff Author

Dave Nozal

Dave has over 28 years of nonprofit experience in conservation corps, urban forestry, and project management. He is a certified arborist and former President of the Minnesota Park Supervisors Association. He also has an IT Management degree from Concordia University and loves working with databases and data storytelling. He joined Propel Nonprofits to share his IT skills and passion with other nonprofits in Minnesota. He likes to cook, do home improvement projects, and enjoy the outdoors with his family and his dogs.
