You have a lot of data! How can you keep your member and client information secure? What legal rules does you nonprofit need to follow when it comes to data hosting? What tools and apps won't get your in trouble? We have four experts who will answer all your questions. * Alejandra Brown: Introduction to privacy and overview of privacy and data residency rules that apply to BC nonprofits. * Mack Hardy: Five practical things you can do to secure your online self. Policies, 2FA, password managers, and more. * Damien Norris: A suite of curated tools that organizations can use to locally/securely replace the US owned cloud services in their lives. * Kris Constable: IDVPN: a VPN for complying with justistional regulations.

1. 5 basic ways to improve
the digital security
of your organization
Presented by Mack Hardy,
CEO Affinity Bridge
October 14th, 2019

2. #1
Cultivate a Security Mindset

3. ● Identify organizational
assets
● Who has access or
control?
● What are the risks?
● How do we safeguard?
3
Risk Analysis

4. ● What are the threats to
organizational assets?
● Who might unauthorized
stakeholders be?
● What are mitigation
strategies?
● Physical security
sufficient? 4
Threat Model

5. ● Everyone in the org needs to
share the security mindset
● Ensure on-boarding includes
security training
● Make an accessible security
policy
● Review and reassess
regularly as a team
5
Security Mindset and Training

6. #2
Passwords and 2FA

7. ● Keep passwords secret
● Password quality
● Use a password keeper
● Use 2FA for key access
7
Passwords and 2FA

8. ● Make passwords longer
12-20+ characters
● Make passwords unique
● Don’t need to be able to
remember them
● Don’t email or store in
plain text
8
Password Quality
M@k3
B3tt3R
P@$$w0rd$

9. ● Team management of
credentials
● Access control
management by Vault
● Checks for duplicate and
weak passwords
● Generates strong
passwords
9
Password Keepers

10. ● Protect important
accounts with 2FA
● Shared access possible w
Google Authenticator
● Might feel like a hassle,
but so is losing your
domain or email provider
10
2FA - Two Factor Authentication

11. #3
Harden your communication

12. ● Signal or Wire for secure
messaging
● Caution: FaceBook
Messenger and WhatsApp
- consider the source
12
Secure Messaging

13. ● On public wifi, use a VPN
service to encrypt your
communications and hide
your location
● Use HTTPS everywhere
13
VPN and HTTPS

14. ● SPF - Sender Policy
Framework
● DMARC - Domain-based Message
Authentication, Reporting & Conformance
● DKIM - DomainKeys Identified Mail
14
Validate Email Senders

15. #4
Reduce your attack surface

16. ● Monitor for know viruses
and malware with an
antivirus
● Use one across the
organization
16
Anti-Virus

17. ● Pi-Hole - DNS level ad
blocking
● Privacy Badger - EFF.org
ad blocker
17
Ad blocking and Trackers

18. ● Be wary of browser
extensions, app installs
● Be careful of what data is
disclosed to app providers
● Double check URLs in
email
● Use HTTPS urls
18
Preventing Phishing

19. ● Keep operating system
updates current
● Update Firmware on routers
● Update website codebase
regularly, budget for help
with this
● Monitor security disclosures
for platforms you use
19
Limit Zero-day exploits

20. #5
Protect Organizational Data

21. ● Backup computers
● Keep offsite backups
● Automate backup process
● Test recovery from
backups
21
Backups

22. ● Clean up cloud storage, use
less services
● Delete old email accounts,
email with credentials, or
personally identifiable data
● CRM - keep active records,
archive older records
22
Clean your closet

23. ● Data Liability
- think about what data you
are storing, and why
- where is it stored?
- whats your disclosure risk?
- who is liable in the event of
breach
- what is the impact on your
constituents
- delegate some risk
● Consider insurance options
23
Liability and Insurance

24. ● Add a proxy / cache like
CloudFlare or Varnish
● Harden CMS login
● Add Captcha on forms
● Audit admin accounts
● Test your backups
24
Secure your Website

25. Questions