Columns

Information security for non-profits

The size and budgets of non-profits are expanding but their security protocols aren’t necessarily developing at the same pace

By Claudiu Popa and Mike Kinrys, CMA
Commercial companies must ensure that information on customers, vendors, and sales and marketing plans remains confidential. NPOs, which depend on the goodwill of the public and government, must ensure that member records, on-line donations, and their website domain remain safe and secure. If poor controls permit credit card fraud, identity theft, or routing of a donation to a fraudulent company, the NPO will suffer public embarrassment and a significant loss of revenue.

Information security and privacy are thus at the core of an NPO’s ability to project effectiveness and inspire trust in its philanthropic pursuits. Trust and confidence are the critical selling points in the specialized business of attracting donations and motivating ongoing charitable participation from donors and customers. Therefore, organizations need to take care.

What are the biggest threats that NPOs face? Number one has to be underestimating risk. Just because an NPO is a charitable or religious group doing “good works” doesn’t protect it. Believing that there is no reason to target their organization, or that no one would even think of targeting such an organization, is a very dangerous approach to take; it leads to a lower sense of awareness and vastly reduced security. In fact, NPOs are prone to attack because of their focus on conducting transactions. Fundamentally, the goal of a charitable organization is to make giving as easy and satisfying as possible. This is often done by sharing comprehensive information about the cause and implementing versatile payment systems.

Size doesn’t prevent attacks either. Small NPOs often have weak controls, which makes them attractive to criminals. Large NPOs might have stronger controls, but they have high transaction volumes, which again makes them attractive to criminals.

Threats

The major threats NPOs face fall into the following categories:

1. Online presence: Virtually all NPOs have a presence on the web.
If someone strongly disagrees with their philosophy (e.g. for political, religious, or nationalistic reasons), their website is a perfect target.

2. Unauthorized disclosure: Member data, such as credit card numbers, must be kept confidential. Organizations must combat threats from outside parties, as well as inside staff (employees and contractors who may disclose information inadvertently through lack of training).

3. Unauthorized access: Hacking into an NPO’s internal data network or website is an obvious threat. However, what is less obvious is the threat facilitated by wireless networks, teleworkers, and improper handling and disposal of paper files.

4. Data confidentiality: Government regulations (such as PIPEDA) mandate that personal information must be kept private. Poor controls over data confidentiality and privacy can facilitate identity theft. The effort required to warn people if their data was accessed can be time-consuming and difficult. In a recent
5. Business continuity: The major assets of most NPOs aren’t buildings or furniture, but information — member lists, donor records. If this information were compromised or lost, it could deal a crippling blow to the organization.

By their nature, NPOs traditionally have limited budgets for anything outside the realm of the absolutely necessary. As a result, concepts such as information security and confidentiality are often dealt with summarily, without specific controls and detailed procedures. Nonetheless, the ability to see the challenges and to remain open to understanding the risks and the rewards of adequate preparation is the determining factor in an organization’s hope of continued success.

First steps

We see seven initial steps that all NPOs should take in information security:

1. Strategy: Create an information protection strategy. This must take into consideration privacy compliance, secure practices, and the concerns of clients, partners and service providers.

2. Structure: Adopt a management structure dedicated to the protection of information assets. This includes a steering committee and adoption of appropriate policies and procedures. Information security, just like quality, can’t be solely the province of one person or department.

3. Share: Share knowledge of information security with other organizations. This will allow continual improvement by adopting the best practices of other NPOs.

4. Training: Adopt enterprise-wide awareness of information security risks, policies, and resources. Incorporate the best practices into employee training, enforcing accountability at the user level.

5. Back-up plan: Plan for the long term, anticipating and documenting business continuity and disaster recovery challenges.

6. C.I.A.: Establish secure connections to data and prevent access by unauthorized users. Data must remain Confidential; have Integrity; and be Available.

7. Plan for the worst: Design practices need to take into consideration that ‘there are bad people out there.’ Plan beforehand how to respond to an incident, build forensic capabilities into accounting and system tools, and arrange for expert support before a crisis hits.

Solutions

To address these threats and challenges, NPOs must proactively implement appropriate security measures. The first step is to realize that there is no magic bullet. Rather, information security is a moving target, continually requiring minor adjustments in strategy and procedures to remain effective.

The second step is to understand that security is a governance issue, not an IT problem. Too many organizations consider information security to be an IT issue. However, information security, just like quality, must be everyone’s concern. In fact, by delegating information security responsibilities to the IT department, businesses and NPOs alike place themselves at a higher risk of breach. This isn’t because IT staff are incapable of managing technology or implementing security controls. Rather, it’s due to the simple fact that security is an organization-wide management responsibility. Management is authorized to create policies, responsible for investing in training for enterprise-wide awareness, and solely able to determine the value of information assets to the organization, and thus the risk of loss and the attention that must be paid to protect them.

So, what are the steps that should be taken to address these risks and challenges? We suggest the following solutions, each of which can be scaled to fit the budget and risk exposure of any NPO:

1. Establish an overall security strategy: This strategy must describe the organization’s dedication to preserving the security of proprietary assets, member and customer data and transactional information. The security strategy is a document that inspires as well as reinforces the responsibilities and promise of upholding secure practices in the organization’s philanthropic pursuits.

2. Establish security policies: These policies must outline acceptable use, restrictions and accountabilities for the use of resources and access to valuable assets. In particular, a data classification scheme specific to the organization needs to be created and adopted as the foundation of these policies. This often complex scheme includes the definition of different types of information assets, their owners and accepted methods of access.

3. Establish security procedures and guidelines: The organization must create procedures and guidelines that flesh out the policies. They should describe best practices and acceptable use for employees, contractors and third parties.

4. Adhere to regulations/laws: Because of a dependence on the positive public image necessary to build the trust of donors, NPOs need to constantly present a credible value proposition, preferably complemented by seals of compliance. Understanding, knowledge of, and adherence to industry standards such as ISO 17799, WebTrust and PIPEDA aren’t only valuable because of the added credibility they promise but also because of the discipline they enforce.

5. Create an awareness program: It’s not good enough to document policies in a dusty manual that no one reads. Rather, it’s essential that staff become familiar with the content via an enterprise-wide awareness program, including recurring seminars that address specific issues, common problems and general discussions about risk and accountability. This program needs to take place on a recurring basis and be conveniently designed to engage, educate and motivate employees to embrace the policies.

6. Conduct information security audits: Just as NPOs conduct annual financial audits, they should regularly conduct an information security audit. This audit would identify threats, determine the risk to specific business assets, detect vulnerabilities, and create plans for mitigating risk and preserving long-term security. To be effective, audits need to be independently conducted (with the participation of the NPO’s IT department), repeated regularly, adapted to changing conditions, and result in high-risk fixes being quickly applied.

Information security is a governance issue, not an IT issue. It requires a high degree of commitment to understanding the risks and threats, involving layered planning and an overall strategy. These elements, together with training and professional support, will yield the adequate degree of risk protection, budgeting and preparedness that is critical in the long-term execution of the strategy. With all of these elements in place, a non-profit organization can confidently compete in an increasingly crowded market, effectively communicate its goals and credibly demonstrate the degree of commitment that is of critical importance in gaining the trust of its audience.

Claudiu Popa, CISSP, (Claudiu@InformaticaSecurity.com) is president and chief security officer of Informatica Corporation. Mike Kinrys, CMA, (mike.kinrys@visionmax.com) served until recently as business development manager for Informatica.