
Assessing Your security


Anyone handling sensitive information in this day and age needs to have a solid security setup and a plan for when something goes wrong. This webinar aims to get you looking at your security with fresh eyes and give you an outline of an action plan.

Published in: Technology

  1. Assessing Your Security, September 2016
  2. Introductions: Joshua Peskay, Idealware Expert Trainer; Vice President, RoundTable Technology
  3. Introductions: Peter Campbell, Chief Information Officer, Legal Services Corporation
  4. Introductions: www.idealware.org
  5. What We’ll Cover Today • Imperfect Security • Assessing Your Risk • Common Risky Practices • What Do You Do if You Experience a Data Breach? • Establishing Policies for Your Organization
  6. Poll Question: On a scale of 1-5, how concerned are you with your data security?
  7. A False Sense of Security
  8. Why Is Everyone Talking About Security? In the digital age, data risk is the new normal.
  9. A False Sense of Security: Some are overwhelmed. Others are just gambling that their number won’t come up. Survey link:
  10. Avoiding Security Won’t Protect You
  11. Neither Will Your Nonprofit Status. Survey link: Data thieves are usually pros—they don’t care who their target is. If they can steal valuable information, they will.
  12. Small Nonprofits Are Attractive Targets • Fewer resources • Limited IT security • Not likely to notice an attack until much later
  13. What Are Your Risks? And what should you do about them? Photo Credit: Women of Color in Tech Chat
  14. Assessing Your Risk
  15. It’s a Process: To understand the risks and your comfort with them, you need to carry out a thorough assessment of your data.
  16. Inventory Your Data: Make a list on sticky notes and group them by where the data is stored (e.g., case management system).
  17. Classify Your Information • Confidentiality: Data that can’t be exposed. • Integrity: Data you can’t lose. • Availability: Data you can’t lose access to for any period of time. If you have data that’s not very high in any of these categories, then it’s likely not essential to your organization.
  18. Consider the Risks. Think through: • What could happen to your data? • How likely is it to happen? • How bad would it be if something happened? Photo Credit: Women of Color in Tech Chat
  19. Into the Chat: What Risks Worry You? Are there specific risks that keep you up at night?
  20. 8 Common Risky Practices
  21. 1. Unmanaged Personal Devices: Do staffers use their personal devices for work?
  22. You Can’t Control Access • A personal device may have additional users. • Terminated employees are likely to still have organizational information after leaving.
  23. Virus/Malware Risk: How do you know personal computers and devices have basic protections?
  24. Software Ownership: Your nonprofit might purchase the software, but not control the license.
  25. What Can You Do? • Provide virus and malware software. • Establish software licensing policies. • Provide devices for work, if possible. • Mobile Device Management exists, but is expensive.
  26. 2. Lack of Password Management: Are a lot of people using weak passwords?
  27. Bad Habits • Sharing passwords. • Reusing passwords. • Not changing default passwords. • Writing passwords on post-it notes. • Trying to keep it too simple.
  28. Multi-Factor Authentication: Something You Know, Something You Have, Something You Are
  29. Password Managers
  30. What Can You Do? • Implement password management software such as OneLogin. • Dual-factor authentication. • Establish password creation policies. • Provide training.
  31. 3. Consumer-Grade Cloud Storage: Is there a difference between Dropbox and Dropbox for Business?
  32. Hard to Control Access to Data • Convenience • Cost savings • Staff preference
  33. Less Security: You often get what you pay for with free cloud storage.
  34. What Can You Do? • Use business-grade cloud storage and set controls that limit access to your data. • Add-on services such as BetterCloud can also give you deeper audit and policy controls.
  35. 4. Poor Backup Infrastructure: What if your office experiences a disaster?
  36. Data Needs to Be in a Safe Place: If you have to store it physically, take your backup off site. The cloud is a great option for backup.
  37. Think Beyond Backup: It’s just one of many business continuity challenges. What will you do if the data is unavailable for a period of time or you experience a data breach?
  38. What Can You Do? • Regularly schedule backups. • Create incident response, business continuity, and disaster recovery plans—and test them!
  39. 5. Poor Software Management: Is the software your team is using safe?
  40. DIY Downloads Don’t Happen: It’s inconvenient, so people are likely to skip downloading patches and updates.
  41. Out-of-Date Software: Hackers keep up to date on security holes and are always looking for opportunities to exploit them.
  42. Unwanted Applications: They can affect both productivity and machine health. And some carry malware.
  43. What Can You Do? • Establish patch management procedures. • Manage software installations. • Perform regular tune-ups.
  44. 6. Overlooking Physical Security: Is your office protected?
  45. What if Someone Walks in the Door? Would it be easy to access or steal computers?
  46. What Can You Do? • Take basic office security measures. • Lock computers to desks. • Institute a check-out policy for shared devices and keep them locked away.
  47. 7. Unsafe Wi-Fi: Is your connection secure?
  48. Office Wi-Fi Needs to Be Protected: You can’t just plug in a router and assume everything is fine.
  49. Coffee Shops Can Be Risky: Is that connection vulnerable to spying?
  50. What Can You Do? • Make sure your network is protected by a firewall and a password. • Avoid working in unsecure environments.
  51. 8. Security Training: Your staff members are your most important security measure.
  52. Awareness Can Prevent Many Incidents: People want to do the right thing, but they often don’t know what that is or why it’s important.
  53. What Can You Do? • Regularly provide short training sessions. • Incorporate security issues and discussions into existing meetings.
  54. Establishing Policies
  55. Form a Committee: A diverse committee can help you see risk from multiple angles and come up with smart ways to deal with those risks.
  56. Ask Tough Questions: Anything you overlook has the potential to be a hazard in the future.
  57. What Will Prevent a Breach? Think of all the ways a breach might occur. Write rules that govern activities such as how to create and handle passwords or how files can be stored and shared.
  58. How Will You Respond if a Breach Occurs? Map out a response plan that includes steps and roles for data recovery, business continuity, and communications.
  59. BYOD? Write clear usage guidelines for things such as what security software needs to be installed and whether your organization provides IT support.
  60. Policy Making Is Iterative: You’ll need to review your rules and update them periodically to make sure they’re addressing your needs.
  61. Policy Examples: Go to http://bit.ly/SecurityPolicyExamples to find examples and templates that you can use as your starting point.
  62. Additional Resources: Idealware and RoundTable Technology have many resources that can help you better secure your technology and data. • What Nonprofits Need to Know About Security: A Practical Guide to Managing Risk (Idealware) • Incident Report Form (RoundTable) • Backup, Data Recovery, and Business Continuity Primer (RoundTable) • Information Identification and Classification Template (RoundTable)
  63. Perfect Security Isn’t Possible: There will always be risks out there.
  64. Practical Security Is Within Reach
  65. Into the Chat: What Resonated? What security steps will you take over the next month?
  66. Questions? Ask Idealware… On Twitter: @idealware On Facebook: /idealware
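The "Assessing Your Risk" slides (inventory your data, classify it by confidentiality, integrity and availability, then ask what could happen, how likely it is and how bad it would be) describe a qualitative risk assessment but leave the bookkeeping to sticky notes. The script below is an added worked example of that same process in Python; it is not code from the webinar, from Idealware or from RoundTable Technology. The 1-5 rating scale, the "not very high" threshold of 2, the likelihood × impact score, and every data store, threat and rating are constructed sample values chosen only to illustrate the method.

```python
"""
Qualitative risk assessment helper for the "Assessing Your Risk" steps:
inventory where data lives, classify it by confidentiality / integrity /
availability (CIA), then rate each threat by likelihood and impact.

Added illustration only; not code from the webinar or from Idealware or
RoundTable Technology. The 1-5 scales, thresholds and every data store,
threat and rating below are constructed sample values.
"""
from __future__ import annotations
from dataclasses import dataclass

RATING_MIN, RATING_MAX = 1, 5   # assumed scale: 1 = very low, 5 = very high
LOW_THRESHOLD = 2               # a CIA rating at or below this is "not very high"


def check_rating(name: str, value: int) -> None:
    """Reject ratings outside the agreed scale so the register stays comparable."""
    if not RATING_MIN <= value <= RATING_MAX:
        raise ValueError(f"{name} must be between {RATING_MIN} and {RATING_MAX}, got {value}")


@dataclass
class DataStore:
    name: str
    location: str          # where it is stored, e.g. "case management system"
    confidentiality: int   # harm if the data is exposed
    integrity: int         # harm if the data is altered or lost
    availability: int      # harm if the data is unreachable for a period

    def __post_init__(self) -> None:
        for field_name in ("confidentiality", "integrity", "availability"):
            check_rating(field_name, getattr(self, field_name))

    def is_essential(self) -> bool:
        """Data that is not high in any CIA category is likely not essential."""
        return max(self.confidentiality, self.integrity, self.availability) > LOW_THRESHOLD


@dataclass
class Threat:
    store: str        # name of the DataStore this scenario applies to
    scenario: str     # what could happen to the data
    likelihood: int   # how likely is it to happen
    impact: int       # how bad would it be

    def __post_init__(self) -> None:
        check_rating("likelihood", self.likelihood)
        check_rating("impact", self.impact)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def non_essential(stores: list[DataStore]) -> list[str]:
    """Names of inventoried stores that score low on every CIA axis."""
    return [s.name for s in stores if not s.is_essential()]


def build_register(stores: list[DataStore], threats: list[Threat]) -> list[Threat]:
    """Prioritised risk register: highest score first, essential data only.

    A threat that names a store missing from the inventory is an error rather
    than silently skipped: the inventory step has to be complete first.
    """
    by_name = {s.name: s for s in stores}
    rows = []
    for t in threats:
        if t.store not in by_name:
            raise ValueError(f"threat refers to uninventoried store: {t.store!r}")
        if by_name[t.store].is_essential():
            rows.append(t)
    return sorted(rows, key=lambda t: (-t.score, t.store, t.scenario))


def format_register(register: list[Threat]) -> list[str]:
    """One line per row, ready to paste into a policy committee agenda."""
    return [f"{t.score:>2}  {t.store}: {t.scenario} (L={t.likelihood}, I={t.impact})"
            for t in register]


# Constructed sample inventory and threat list (not from the slides).
STORES = [
    DataStore("Client case files", "case management system", 5, 4, 4),
    DataStore("Donor database", "cloud CRM", 4, 4, 3),
    DataStore("Staff laptop documents", "personal devices", 4, 2, 2),
    DataStore("Event photos", "shared drive", 1, 1, 2),
]
THREATS = [
    Threat("Client case files", "Laptop with cached files stolen", 3, 5),
    Threat("Donor database", "Password reuse leads to account takeover", 4, 4),
    Threat("Client case files", "Ransomware encrypts office server", 3, 5),
    Threat("Staff laptop documents", "Ex-employee retains files after leaving", 4, 3),
    Threat("Event photos", "Shared drive folder deleted by mistake", 3, 1),
]

if __name__ == "__main__":
    print("Not essential:", ", ".join(non_essential(STORES)))
    for line in format_register(build_register(STORES, THREATS)):
        print(line)
```

Running the script prints the one store that is low on every CIA axis ("Event photos") and then the register with the donor-database account takeover at the top, which is the kind of ordered list a policy committee can work through when deciding which of the eight risky practices to address first. Ratings are checked on construction so that an entry outside the 1-5 scale, or a threat against a store that was never inventoried, fails loudly instead of quietly skewing the ordering.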
