Data Privacy: Protecting Your Member and Donor Data
In an increasingly connected world, non-profits are as prone to data leaks as any commercial business or government organisation. For grassroots organisations with limited resources, it can be difficult to identify and secure the sensitive information they hold on beneficiaries, staff and donors. As a managed IT service provider in Melbourne we have seen this many times, so here are some simple and effective ways to fix common security faults that may be lying dormant in your non-profit's IT systems.
Identifying Vulnerable Data
The first step in protecting your member, staff and donor data is to identify which data is most vulnerable and where it is stored. Holding the payment details, addresses and other identifying information of donors is usually necessary for tax-exempt charities, but where are you storing it? Likewise, who has access to beneficiary information? Many not-for-profits serve people who are in very vulnerable positions.
Preventing deliberate technical security breaches is important, but it achieves little if no attention is paid to the data vulnerabilities built into your organisation and its systems. To start, consider these four questions:
- What data would pose risks if it were to be in public hands?
- Where is it held?
- Who has access to that data? Consider third-party service providers and others outside your organisation.
- What authorisation and monitoring systems are in place to ensure that data can be protected, and access can be reviewed?
Risk Mitigation Strategies
Explore Third Party Service Providers
Who is holding your sensitive information, and what technology are they using to ensure it stays encrypted and safe? Likewise, does your organisation have the equipment and know-how to store data safely on site? Should you consider a third party to store your data instead? This is increasingly important for non-profits that store more and more of their data with cloud computing service providers.
Keeping Plugins Updated
It might seem like common sense, but smaller not-for-profits without a dedicated IT administrator often forget to update the security plugins for their website and IT systems. Make a point of updating all plugins and software on a regular basis. Scheduling a review every quarter, or at some other meaningful business interval, is a good way to remember.
Data Logging and Authorisation
If it is vital for your staff to access sensitive information as part of their role, you should implement software or processes that ensure every access to that information is logged. This means that any data leak can be traced back to the access that caused it. Requiring authorisation before sensitive information is accessed is another way to add protection.
Multi-factor authentication is something you have probably already experienced when using mainstream software. Google, Microsoft, Facebook and plenty of others use multi-factor authentication to ensure that users who log in from a new device or request a new password are who they say they are.
Multi-factor authentication requires the user to present another factor (usually by confirming a code sent by text message or a mobile app) to confirm their identity. It can also be applied to specialised functions on your systems, such as transferring money.
Multi-factor authentication is valuable, but the importance of good password security and maintenance can't be overstated. Regular password changes should be mandated, and all passwords should be required to meet special-character and length requirements. Pairing this with multi-factor authentication is vital, because more people will forget their password as a natural consequence of more frequent and more complex password changes.
If nothing else, you should have an IT service provider carry out a professional review of your IT systems if you are concerned about data security. Larger non-profits and organisations often find themselves using a slew of different IT products and have trouble identifying all the potential cracks in their systems. Professional managed IT firms are experienced in identifying common security faults in specialised IT systems.