Sensitive Data Security: Steps All Nonprofits Should Take
October 2, 2018
By: Charly Shugg, Partner, Sylint Group, Inc.
Nonprofits are unique organizations in many ways, including their cybersecurity risk mitigation needs. The success and sustainability of many nonprofits rely heavily on the organization’s reputation. But the public disclosure of a cybersecurity breach that compromises intellectual property (IP), donor personally identifiable information (PII) or financial information can lead to a loss of confidence in the organization’s stature and leadership.
The majority of private and public sector organizations have operating procedures that incorporate the inherent objective of protecting most, if not all, data and information from public disclosure. In contrast, the operating mantra of most nonprofit organizations is to widely distribute and share information, with little to no restrictions, in order to raise public awareness.
Surprisingly, this operational philosophy simplifies the scope of cybersecurity. Whereas other organizations may desire to protect all their information, reality forces them to downsize their expectations. Nonprofits can start from the other end of the spectrum and look to define what constitutes “sensitive” data and therefore narrow the scope of what needs to have increased security protection.
Two of the biggest technical vulnerabilities associated with the security of sensitive information are:
- Not understanding where “sensitive” information resides
- Not determining and enforcing who should have access to “sensitive” information
Determining where information resides within the nonprofit organization can be an extremely challenging task. Many times, data within an enterprise network metastasizes across an ever-increasing number of endpoints (i.e., portable devices). For much of the data, its location is insignificant; however, for sensitive data, its location is imperative to its security.
Once sensitive data is located and corralled, it is critical to limit access to only those who must use the information to perform their job. Liberal access credentials can lead to the loss of accountability and potentially unauthorized release of sensitive information.
STEPS TO SECURING SENSITIVE DATA
- Identification - Effective security cannot begin until the object of protection is identified. Identifying nonprofit “sensitive” data can become problematic due to various objectives among volunteers, donors, administrative staff, management and the board of trustees. One group may advocate unlimited access to research data or sponsors to maximize marketing and increase the scope of potential funding from all available sources. Another group could view that same data as creating confidential or proprietary intellectual property that could be potentially monetized and therefore must be tightly controlled to meet the terms of a grant or funding source. Working through this potential conflict paves the way for the implementation of effective security measures.
- Adequate resources - Typically, nonprofit security staffs are minimally resourced, and many IT personnel simultaneously perform IT and security duties. Therefore, it may be cost-effective to partner with a cybersecurity firm that is familiar with the nonprofit operating environment. Incorporating outside security expertise can assist in quickly identifying potential “sensitive” information vulnerabilities and provide security measure options for risk reduction. With the approval of the nonprofit management/board, IT staffs can implement those options, although the process can be resource intensive. Therefore, seeking the assistance of a cybersecurity firm may be the most cost-effective method, or potentially the only option due to constrained organizational resources.
- Ongoing monitoring - Once “sensitive” information is identified and properly secured (to include access control), it must be monitored for compliance. Since nonprofit operations are dynamic (i.e., new donors, volunteers, staff, projects), so too must the organization’s cybersecurity strategy and measures be. As operations morph, a dynamic security lens must be applied to keep up with an evolving threat and to ensure additional information is properly protected and old information is retired or destroyed. This will reduce the scope and cost of security and potential risk.
MASTER THE BASICS
Execute the basics of cybersecurity well: segregation, least privilege, multi-factor authentication and data reduction.
- Segregation – Once sensitive data is identified, segregate it from the enterprise general information to reduce the risk of unauthorized exposure or exfiltration.
- Least privilege – Control access to the sensitive data by ensuring that users have only the minimum amount of access that is essential to accomplish their job.
- Multi-factor authentication – Once this access list is pared down to the minimal number, those individuals should then be provided further protection from fraud or information theft by instituting multi-factor authentication on the sensitive database. As a result, even if their user name and password credentials are compromised, the malicious actor would still be denied access. In addition, those same trusted individuals should have their mobile devices, with which they can access sensitive data, encrypted so that if the device is lost or stolen, the information that resides on the device(s) cannot be accessed by an unauthorized individual.
- Data reduction – Similarly, data should be retained and stored on an as needed basis. The less sensitive data that is in your enterprise network, the less the exposure risk.
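The two gaps named earlier (not knowing where sensitive data resides, and not enforcing who may reach it) and the segregation and least-privilege basics above can both be checked with a small inventory-and-audit script. The example below is added here and is not code from the original article or from Sylint Group: it scans a constructed set of files for validated PII patterns (SSN, Luhn-checked card numbers, checksum-validated ABA routing numbers, e-mail addresses), records where each kind was found, and then compares those locations against a constructed access-control list, flagging sensitive files readable by broad groups and sensitive files sitting on endpoints. All file contents, paths, group names and the `SAMPLE_ACL` structure are fabricated for illustration.

```python
import re

# Constructed sample corpus (path -> contents); every value below is fabricated.
SAMPLE_FILES = {
    "shared/newsletter_draft.txt": "Join us at the spring gala! Donations welcome at our website.",
    "hr/payroll_2018.csv": "name,ssn,routing,account\nJane Doe,123-45-6789,123456780,000123456789",
    "fundraising/donors.csv": "name,email,card\nA. Donor,a.donor@example.org,4111 1111 1111 1111",
    "laptops/volunteer-03/export.csv": "name,ssn\nJohn Roe,987-65-4321",
}

# Constructed access-control list: path prefix -> groups allowed to read files under it.
SAMPLE_ACL = {
    "shared/": {"all_staff", "volunteers"},
    "hr/": {"all_staff"},             # far too broad for payroll data
    "fundraising/": {"development"},  # a named role: acceptable
    "laptops/": {"volunteers"},
}

BROAD_GROUPS = {"all_staff", "volunteers", "everyone"}   # groups that defeat least privilege
ENDPOINT_PREFIXES = ("laptops/",)                        # locations outside the segregated store


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers; weeds out random 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def aba_ok(num: str) -> bool:
    """ABA routing-number check: weights 3,7,1 repeated over nine digits, sum divisible by 10."""
    weights = [3, 7, 1] * 3
    return len(num) == 9 and sum(int(d) * w for d, w in zip(num, weights)) % 10 == 0


# (kind, regex, validator) -- validators cut false positives from the regex alone.
PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: True),
    ("card_number", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), lambda m: luhn_ok(re.sub(r"\D", "", m))),
    ("aba_routing", re.compile(r"\b\d{9}\b"), aba_ok),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), lambda m: True),
]


def scan_files(files):
    """Identification step: return {path: {kind: count}} for files holding validated sensitive hits."""
    findings = {}
    for path, text in files.items():
        hits = {}
        for kind, regex, validate in PATTERNS:
            count = sum(1 for m in regex.findall(text) if validate(m))
            if count:
                hits[kind] = count
        if hits:
            findings[path] = hits
    return findings


def audit_access(findings, acl, broad_groups=BROAD_GROUPS, endpoint_prefixes=ENDPOINT_PREFIXES):
    """Least-privilege and segregation step: list sensitive locations that violate either rule."""
    issues = []
    for path, hits in findings.items():
        kinds = ", ".join(sorted(hits))
        groups = set()
        for prefix, allowed in acl.items():
            if path.startswith(prefix):
                groups |= allowed
        broad = sorted(groups & broad_groups)
        if broad:
            issues.append(f"{path}: {kinds} readable by broad group(s) {broad}; restrict to a named role")
        if path.startswith(endpoint_prefixes):
            issues.append(f"{path}: {kinds} stored on an endpoint; move to the segregated store or confirm device encryption")
    return issues


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for path, hits in found.items():
        print(f"{path}: {hits}")
    for issue in audit_access(found, SAMPLE_ACL):
        print("ISSUE:", issue)
```

Run against the constructed corpus, the newsletter is ignored, the payroll and donor files and the volunteer laptop export are inventoried, and three issues are reported: payroll PII readable by all staff, and an endpoint copy of SSNs that is both readable by volunteers and outside the segregated store. The donor file, restricted to the development role, passes the access check; a real deployment would replace the dictionary of files with a walk of the file shares and the ACL with the permissions actually exported from the file server or cloud storage.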
PROACTIVE ACTION IS KEY
In my experience, many nonprofit clients seek out cybersecurity assistance reactively (i.e., after a cybersecurity breach has been identified) instead of proactively requesting assistance to reduce the risk of a potential breach – which is dramatically more cost effective. For example, one of our clients did not take appropriate measures to secure their staff’s sensitive personal individual information (PII), including their direct deposit banking information, and funds were diverted from their employees’ authorized banking institutions. Another client failed to take appropriate security measures and malicious actors compromised their donors’ PII and bank account information.
Both instances may have been averted if those nonprofit organizations had proactively identified and analyzed current security measures for their sensitive information and made a conscious decision regarding their security measures and risk tolerance level.
Marks Paneth has formed a strategic alliance with Sylint Group, Inc., an internationally recognized cybersecurity and digital data forensics firm that has successfully helped nonprofits, government entities and public and private companies address some of today’s largest data breaches, cyber incidents and precedent-setting legal cases. For more information on our cybersecurity prevention, risk assessment, incident response and compliance services, please contact your Marks Paneth advisor or visit www.markspaneth.com/cybersecurity.