Minimizing the risk of a data breach – a guide for nonprofit organizations

NetSquared Vancouver

Saved resource from Charity Village

10/31/2017 Minimizing the risk of a data breach: A guide for nonprofit organizations
https://charityvillage.com/Content.aspx?topic=Minimizing_the_risk_of_a_data_breach_A_guide_for_nonprofit_organizations#.WebOoxNSznX 1/4
Written by: Angela Byrne
 
March 8, 2017
 
More about: Board of directors, Governance, IT, Management, Planning, Risk, Tools & Tips
Minimizing the risk of a data breach: A guide for nonprofit organizations
About this article
The risk of a privacy breach is a very real possibility for many organizations, including charities, and the consequences can be severe. The following headlines demonstrate that no organization is exempt.
B.C. woman shocked to find private medical information of 10 other people in file
A Calgary liquor store paid a ransom this week to regain access to its computers after hackers infected its database with a virus — and even got an unofficial receipt thanking it for its involuntary "purchase."
It’s still unclear if personal data on an unencrypted hard drive missing from the BC Ministry of Education has been used by anyone.
Family services sued after personal info hacked, posted on Facebook
As many as 8,300 patients had contact information turned over to private RESP companies by employees
Despite these headlines, we know that many breaches are not reported and organizations are often caught off guard. According to SC Magazine, about 77% of organizations are unprepared for cybersecurity incidents. They quietly go about repairing damage and strengthening security, unbeknownst to the individuals who may be affected. For others, it is only when hearing news of a breach at a neighbouring organization that questions arise about the effectiveness of controls and the security of information and systems.
This will all change when the mandatory breach reporting requirements included in the new Digital Privacy Act (Bill S-4) come into force. The Digital Privacy Act amended Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). A number of important changes to PIPEDA to strengthen privacy protection came into effect in 2015.
Regulations for mandatory data breach reporting are in process, with no effective date announced. It is important to note that once mandatory reporting is in place, failure to meet the requirements will carry fines of up to $100,000.
In my experience charities are particularly vulnerable. The pressure to minimize administrative expenses and funnel all revenue into service delivery often means there is little left over to invest in technology. Particularly in smaller organizations, technology infrastructure is often cobbled together and heavy reliance is placed on the one “IT person” to fill a myriad of roles, from IT strategist to help desk support.
To minimize the risk of data breaches, avoid the negative headlines and ultimately comply with emerging regulations, charities will want to implement a systematic approach that provides assurance that risks to the information they collect and store, and to the systems that hold that information, are being addressed. Implementing the following five steps will provide valuable information on how vulnerable the organization is to a data breach:
1. Formally define the objective
2. Identify and prioritize risks to achieving the objective
3. Evaluate risk treatments
4. Close the gaps
5. Review and Refresh
A discussion of each of these steps follows.
1. Formally define the objective
The first step is to formally define an objective related to data privacy and security. Although this may seem obvious, it may come as a surprise that many organizations have not done so.
Often attention and resources are focused on value creation objectives. They are aptly named, as they create value for the organization when achieved. Common examples relate to:
Improving quality of service delivery
Increasing revenue
Reducing wait times for service
Less familiar are those objectives that strive to preserve, or prevent the erosion of, the value of an organization. Although there are often no accolades or celebration for achieving these objectives, if they are not realized they can cost money, expose the organization to fines and penalties, damage reputation and may even have catastrophic consequences, as could be the case for the organizations in the headlines noted above.
These objectives often address such areas as:
Health and safety compliance
Integrity of financial reports
Compliance with legislation
Protecting assets
Preventing fraud
We can see that objectives in any of the above areas, if not achieved, present considerable risk to an organization and have the potential to erode value.
Similar to the areas mentioned above, objectives related to data privacy and security would also fall into the category of value preservation. Objectives may be developed for any of the following areas:
Safeguarding personal and confidential data
Protecting information systems from unauthorized access
Ensuring full compliance with all privacy legislation
Although many organizations may informally acknowledge the importance of value preservation objectives, often they are not formally established, managed and monitored. Formally articulating objectives that relate to the security and safety of information and technology increases the chances they will be achieved. An important step in establishing the data security objective is to ensure an owner accountable for action is assigned.
To demonstrate the remaining steps we will use the following example of a value preservation objective for data security:
“Prevent unauthorized access to all information technology systems in 2017.”
2. Identify and prioritize risks to achieving the objective
To achieve an objective it is necessary to understand what can get in the way of success. Anticipating the risks helps organizations to understand what could go wrong and how to get the organization back on track.
As risks are identified, it is necessary to prioritize them based on likelihood and impact. This is critical to ensuring that scarce resources are focused on the highest priority risks. The two questions to ask are:
1. What is the likelihood that this will happen?
2. What is the impact to the organization if it does?
A number of basic risks readily come to mind when we think about our objective above: “Prevent unauthorized access to all information technology systems in 2017.”
The wrong people have access to information systems
Information systems are not protected
Users can modify or delete data
As we apply the two basic questions to the risk examples, we may conclude that the likelihood is high and that any breach of systems or data will have a significant impact. Avoid the temptation to be lulled into a false sense of security with the rationale that your organization is too small to bother with or that you have nothing of value.
According to Richard Wilson, partner, cyber security and privacy practice, PwC Canada: "Canadian business and public sector leaders need to better understand the full range of impacts a cyber security breach can have on their organizations. This issue has evolved far beyond data loss. Beyond financial and reputational damages, we are seeing impacts to competitiveness, product and service quality, employee retention, and the health and safety of both employees and the public."
3. Evaluate risk treatments in place
Risk treatment is a term used to describe the action that the organization takes to control its exposure to risk. The most common types of risk treatment are: avoid, transfer or share, accept, or implement controls.
Avoiding the risk involves stopping the activity that is creating the risk. For charities this may mean stopping service, which is not a realistic option if the mission is to be achieved.
Transferring or sharing risk is when the organization gets someone else to fully or partially accept the risk. Examples include purchasing insurance or sharing the risk with another party.
Risk acceptance is when an organization accepts the risk. This happens informally all the time, as organizations recognize a risk and move forward without taking any action. Whether acknowledged or not, the risk has been accepted.
Implementing controls means taking actions that reduce the organization’s level of exposure to the risk. Actions can include staff training, policies and procedures, reviews, approvals, supervisor sign-offs, completeness checks, etc.
Assessing and determining the appropriate risk treatments to address priority risks provides an organization with the information it needs to close the gaps.
Continuing with our example, risk treatments may include a number of measures such as:
Implementing access and permission controls, such as ensuring user access is approved on a “need to know” basis
Partnering with IT service providers that detect and monitor security
Educating users on appropriate security protocols
Regular evaluation of qualifications and competencies of IT staff
Purchasing cyber security insurance
Implementing retention and destruction policies to ensure personally identifiable information is not kept longer than necessary
4. Close the gaps
With an understanding of the objective, the potential risks and the risk treatments in place, it is now time to take action to close any gaps. By taking action, the organization is increasing its chances of achieving the objective.
It is not only important to take action but also to ensure that the action taken to mitigate risks is effective. That means evaluating the activities to confirm this is the case.
Keep in mind that the only way to completely remove a risk is to avoid it. All other actions serve to reduce the risk but will not eliminate it. With that in mind, organizations need to understand the level of risk that continues to exist after action has been taken, and whether they can accept the remaining level of risk.
In our example above, perhaps we conclude that users are not as security aware as needed. In this case, a common response is to implement user training. We know that after receiving training there is still a chance that users will not follow best practices, and so a security risk remains. Organizations need to determine if they can live with the remaining risk or if additional steps need to be taken.
5. Review and Refresh
At least annually, or when major change occurs, objectives, risks and risk treatments need to be reviewed. Change is constant. This is particularly relevant in the field of technology, where information security continually needs to address new and emerging threats.
Objectives may need to be revised, and the risks to achieving the objective will change. Risk treatments also need to be continually reviewed to make sure they are working and reduce risk to an acceptable level.
Implementing these five steps will ensure that value preservation objectives, such as those needed to protect data and information systems, are managed, and that dire consequences for organizations are reduced.
Angela Byrne, president of Angela Byrne Consulting Inc., is passionate about helping organizations develop good structure and processes that manage risks and deliver results. She has extensive knowledge of charities and has worked with a number of organizations across Ontario. Angela is a Chartered Professional Accountant, Certified Management Accountant, Certified Internal Auditor and holds certifications in Information Systems Auditing and Risk Management Assurance. Angela welcomes thoughts and comments on this article by email to info@angelabyrnecma.com, as well as any questions she might address in future articles. You can also find her on Twitter at @byrne_angela and on LinkedIn.
Go To Top
Comments Sort by  Newest first
No Comments Found
              
Please Login to Post Comments.

Recommended

How to vet charities for immigrant children by
How to vet charities for immigrant childrenHow to vet charities for immigrant children
How to vet charities for immigrant childrenEdgar Gonzalez Anaheim
29 views4 slides
IT Trends - Cyber Security by
IT Trends - Cyber SecurityIT Trends - Cyber Security
IT Trends - Cyber SecurityDatix Consulting
322 views1 slide
Panel Cyber Security and Privacy without Carrie Waggoner by
Panel Cyber Security and Privacy without Carrie WaggonerPanel Cyber Security and Privacy without Carrie Waggoner
Panel Cyber Security and Privacy without Carrie Waggonermihinpr
666 views43 slides
NSTIC and IDESG Update by
NSTIC and IDESG UpdateNSTIC and IDESG Update
NSTIC and IDESG UpdateIan Glazer
1.5K views58 slides
Group letter to FTC calling for workshop examining data breaches - March 2014 by
Group letter to FTC calling for workshop examining data breaches - March 2014Group letter to FTC calling for workshop examining data breaches - March 2014
Group letter to FTC calling for workshop examining data breaches - March 2014nationalconsumersleague
878 views2 slides
How to Secure Your Digital Life.pdf by
How to Secure Your Digital Life.pdfHow to Secure Your Digital Life.pdf
How to Secure Your Digital Life.pdflogmeonce1
5 views2 slides

More Related Content

Similar to Minimizing the risk of a data breach – a guide for nonprofit organizations

DataKillers by
DataKillersDataKillers
DataKillersBrian Ethridge
74 views1 slide
We Need to Prioritize Cybersecurity in 2020 by
We Need to Prioritize Cybersecurity in 2020We Need to Prioritize Cybersecurity in 2020
We Need to Prioritize Cybersecurity in 2020Matthew Doyle
21 views6 slides
Personal Information Security Report by
Personal Information Security ReportPersonal Information Security Report
Personal Information Security ReportJill Bell
3 views80 slides
Big Data And Information Privacy by
Big Data And Information PrivacyBig Data And Information Privacy
Big Data And Information PrivacySandra Willey
3 views42 slides
he nonprofit organization that I have decided to discuss is Childr.docx by
he nonprofit organization that I have decided to discuss is Childr.docxhe nonprofit organization that I have decided to discuss is Childr.docx
he nonprofit organization that I have decided to discuss is Childr.docxpooleavelina
3 views1221 slides

Similar to Minimizing the risk of a data breach – a guide for nonprofit organizations(20)

We Need to Prioritize Cybersecurity in 2020 by Matthew Doyle
We Need to Prioritize Cybersecurity in 2020We Need to Prioritize Cybersecurity in 2020
We Need to Prioritize Cybersecurity in 2020
Matthew Doyle21 views
Personal Information Security Report by Jill Bell
Personal Information Security ReportPersonal Information Security Report
Personal Information Security Report
Jill Bell3 views
Big Data And Information Privacy by Sandra Willey
Big Data And Information PrivacyBig Data And Information Privacy
Big Data And Information Privacy
Sandra Willey3 views
he nonprofit organization that I have decided to discuss is Childr.docx by pooleavelina
he nonprofit organization that I have decided to discuss is Childr.docxhe nonprofit organization that I have decided to discuss is Childr.docx
he nonprofit organization that I have decided to discuss is Childr.docx
pooleavelina3 views
Protecting phi and pii - hipaa challenges and solutions - privacy vs cost by Ulf Mattsson
Protecting phi and pii -  hipaa challenges and solutions - privacy vs costProtecting phi and pii -  hipaa challenges and solutions - privacy vs cost
Protecting phi and pii - hipaa challenges and solutions - privacy vs cost
Ulf Mattsson3.2K views
The 10 most trusted healthcare it security solution providers 2018 by insightscare
The 10 most trusted healthcare it security solution providers 2018The 10 most trusted healthcare it security solution providers 2018
The 10 most trusted healthcare it security solution providers 2018
insightscare47 views
Cyber for Counties Guidebook by Kristin Judge
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook
Kristin Judge334 views
Hot Topics in Privacy and Security by PYA, P.C.
Hot Topics in Privacy and SecurityHot Topics in Privacy and Security
Hot Topics in Privacy and Security
PYA, P.C.535 views
Ivanti Threat Thursday for September 26th by Ivanti
Ivanti Threat Thursday for September 26thIvanti Threat Thursday for September 26th
Ivanti Threat Thursday for September 26th
Ivanti244 views
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS by Randall Chase
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Randall Chase124 views
You Are the Target by EMC
You Are the TargetYou Are the Target
You Are the Target
EMC737 views
What's Hot In IT - Cybersecurity by Row Murray
What's Hot In IT - CybersecurityWhat's Hot In IT - Cybersecurity
What's Hot In IT - Cybersecurity
Row Murray562 views
Cyber Security Threats | IIA Boise Chapter by Patricia M Watson
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise Chapter
Patricia M Watson1.1K views
Social Media & Social Networking: A Cautionary Tale by Mike Gotta
Social Media & Social Networking: A Cautionary TaleSocial Media & Social Networking: A Cautionary Tale
Social Media & Social Networking: A Cautionary Tale
Mike Gotta896 views
Creating a culture of security.pdf by TechSoup
Creating a culture of security.pdfCreating a culture of security.pdf
Creating a culture of security.pdf
TechSoup 117 views
Veritas-Information-Governance-Solution-Brochure-EN by Richard Williams
Veritas-Information-Governance-Solution-Brochure-ENVeritas-Information-Governance-Solution-Brochure-EN
Veritas-Information-Governance-Solution-Brochure-EN
Richard Williams424 views

More from NetSquared Vancouver

TechSoup Connect Western Canada: Data To Action: Making Your Data Visible and... by
TechSoup Connect Western Canada: Data To Action: Making Your Data Visible and...TechSoup Connect Western Canada: Data To Action: Making Your Data Visible and...
TechSoup Connect Western Canada: Data To Action: Making Your Data Visible and...NetSquared Vancouver
96 views98 slides
Video Marketing Quick Plan from David Phu by
Video Marketing Quick Plan from David PhuVideo Marketing Quick Plan from David Phu
Video Marketing Quick Plan from David PhuNetSquared Vancouver
37 views3 slides
How to Make Your Donors’ Dollars Go Even Further by
How to Make Your Donors’ Dollars Go Even FurtherHow to Make Your Donors’ Dollars Go Even Further
How to Make Your Donors’ Dollars Go Even FurtherNetSquared Vancouver
142 views15 slides
Show, Don’t Tell: How Your Data Can Reveal Your Impact Story by
Show, Don’t Tell: How Your Data Can Reveal Your Impact StoryShow, Don’t Tell: How Your Data Can Reveal Your Impact Story
Show, Don’t Tell: How Your Data Can Reveal Your Impact StoryNetSquared Vancouver
119 views19 slides
What is a New Member Worth? A Guide to Acquisition Costs + Member Lifetime Value by
What is a New Member Worth? A Guide to Acquisition Costs + Member Lifetime ValueWhat is a New Member Worth? A Guide to Acquisition Costs + Member Lifetime Value
What is a New Member Worth? A Guide to Acquisition Costs + Member Lifetime ValueNetSquared Vancouver
99 views21 slides
Digital Marketing Diagnostics Part 1 by
Digital Marketing Diagnostics Part 1Digital Marketing Diagnostics Part 1
Digital Marketing Diagnostics Part 1NetSquared Vancouver
92 views21 slides

More from NetSquared Vancouver(20)

TechSoup Connect Western Canada: Data To Action: Making Your Data Visible and... by NetSquared Vancouver
TechSoup Connect Western Canada: Data To Action: Making Your Data Visible and...TechSoup Connect Western Canada: Data To Action: Making Your Data Visible and...
TechSoup Connect Western Canada: Data To Action: Making Your Data Visible and...
Show, Don’t Tell: How Your Data Can Reveal Your Impact Story by NetSquared Vancouver
Show, Don’t Tell: How Your Data Can Reveal Your Impact StoryShow, Don’t Tell: How Your Data Can Reveal Your Impact Story
Show, Don’t Tell: How Your Data Can Reveal Your Impact Story
What is a New Member Worth? A Guide to Acquisition Costs + Member Lifetime Value by NetSquared Vancouver
What is a New Member Worth? A Guide to Acquisition Costs + Member Lifetime ValueWhat is a New Member Worth? A Guide to Acquisition Costs + Member Lifetime Value
What is a New Member Worth? A Guide to Acquisition Costs + Member Lifetime Value
Meaningful Work: Building Resilience and Capacity through Skilled Volunteering by NetSquared Vancouver
Meaningful Work: Building Resilience and Capacity through Skilled VolunteeringMeaningful Work: Building Resilience and Capacity through Skilled Volunteering
Meaningful Work: Building Resilience and Capacity through Skilled Volunteering
Demo Event: Four Innovative Apps for Food Pantries and Food Banks by NetSquared Vancouver
Demo Event: Four Innovative Apps for Food Pantries and Food BanksDemo Event: Four Innovative Apps for Food Pantries and Food Banks
Demo Event: Four Innovative Apps for Food Pantries and Food Banks
How Nonprofits Can Create 10x the Content Without More Work by NetSquared Vancouver
How Nonprofits Can Create 10x the Content Without More WorkHow Nonprofits Can Create 10x the Content Without More Work
How Nonprofits Can Create 10x the Content Without More Work
Leah Chang — CRM roles and responsibilities worksheet by NetSquared Vancouver
Leah Chang — CRM roles and responsibilities worksheetLeah Chang — CRM roles and responsibilities worksheet
Leah Chang — CRM roles and responsibilities worksheet
#VanGives — #GivingTuesday for Vancouver Nonprofits by NetSquared Vancouver
#VanGives — #GivingTuesday for Vancouver Nonprofits#VanGives — #GivingTuesday for Vancouver Nonprofits
#VanGives — #GivingTuesday for Vancouver Nonprofits

Recently uploaded

Autumn (Statement) Watch by
Autumn (Statement) WatchAutumn (Statement) Watch
Autumn (Statement) WatchResolutionFoundation
244 views18 slides
2023-11-17-building_inspector_posting (1).pdf by
2023-11-17-building_inspector_posting (1).pdf2023-11-17-building_inspector_posting (1).pdf
2023-11-17-building_inspector_posting (1).pdfNorthwestBOCA
54 views6 slides
How to Find Contractors and Architects for Your Historic Home Renovation by
How to Find Contractors and Architects for Your Historic Home RenovationHow to Find Contractors and Architects for Your Historic Home Renovation
How to Find Contractors and Architects for Your Historic Home RenovationNational Trust for Historic Preservation
57 views8 slides
Dr Getaw Tadesse - 2023 ReSAKSS Conference .pptx by
Dr Getaw Tadesse - 2023 ReSAKSS Conference .pptxDr Getaw Tadesse - 2023 ReSAKSS Conference .pptx
Dr Getaw Tadesse - 2023 ReSAKSS Conference .pptxAKADEMIYA2063
8 views19 slides
Support a Child Bright Future kurnool by
Support a Child Bright Future kurnoolSupport a Child Bright Future kurnool
Support a Child Bright Future kurnoolSERUDS INDIA
8 views3 slides
Creation of Policy, Ordinance, Minutes of Meeting and Activity Design for San... by
Creation of Policy, Ordinance, Minutes of Meeting and Activity Design for San...Creation of Policy, Ordinance, Minutes of Meeting and Activity Design for San...
Creation of Policy, Ordinance, Minutes of Meeting and Activity Design for San...AlvaroTojongDioquino
15 views17 slides

Recently uploaded(20)

2023-11-17-building_inspector_posting (1).pdf by NorthwestBOCA
2023-11-17-building_inspector_posting (1).pdf2023-11-17-building_inspector_posting (1).pdf
2023-11-17-building_inspector_posting (1).pdf
NorthwestBOCA54 views
Dr Getaw Tadesse - 2023 ReSAKSS Conference .pptx by AKADEMIYA2063
Dr Getaw Tadesse - 2023 ReSAKSS Conference .pptxDr Getaw Tadesse - 2023 ReSAKSS Conference .pptx
Dr Getaw Tadesse - 2023 ReSAKSS Conference .pptx
AKADEMIYA20638 views
Support a Child Bright Future kurnool by SERUDS INDIA
Support a Child Bright Future kurnoolSupport a Child Bright Future kurnool
Support a Child Bright Future kurnool
SERUDS INDIA8 views
Creation of Policy, Ordinance, Minutes of Meeting and Activity Design for San... by AlvaroTojongDioquino
Creation of Policy, Ordinance, Minutes of Meeting and Activity Design for San...Creation of Policy, Ordinance, Minutes of Meeting and Activity Design for San...
Creation of Policy, Ordinance, Minutes of Meeting and Activity Design for San...
Dr Jean Paul Latyr FAYE - 2023 ReSAKSS Conference.pptx by AKADEMIYA2063
Dr Jean Paul Latyr FAYE - 2023 ReSAKSS Conference.pptxDr Jean Paul Latyr FAYE - 2023 ReSAKSS Conference.pptx
Dr Jean Paul Latyr FAYE - 2023 ReSAKSS Conference.pptx
AKADEMIYA20636 views
Moving up into upper secondary by Hannah Kitchen - OECD Education Webinar 23N... by EduSkills OECD
Moving up into upper secondary by Hannah Kitchen - OECD Education Webinar 23N...Moving up into upper secondary by Hannah Kitchen - OECD Education Webinar 23N...
Moving up into upper secondary by Hannah Kitchen - OECD Education Webinar 23N...
EduSkills OECD81 views
2023 Veterans Day Exhibit.pptx by lday4
2023 Veterans Day Exhibit.pptx2023 Veterans Day Exhibit.pptx
2023 Veterans Day Exhibit.pptx
lday448 views
2023 First Tee - Greater Richmond Holiday Gift Guide by bill151498
2023 First Tee - Greater Richmond Holiday Gift Guide2023 First Tee - Greater Richmond Holiday Gift Guide
2023 First Tee - Greater Richmond Holiday Gift Guide
bill15149880 views
Ms. Julie Collins - 2023 ReSAKSS Conference.pptx by AKADEMIYA2063
Ms. Julie Collins - 2023 ReSAKSS Conference.pptxMs. Julie Collins - 2023 ReSAKSS Conference.pptx
Ms. Julie Collins - 2023 ReSAKSS Conference.pptx
AKADEMIYA20638 views
Dr. Ousmane Badiane - 2023 ReSAKSS Conference.pptx by AKADEMIYA2063
Dr. Ousmane Badiane - 2023 ReSAKSS Conference.pptxDr. Ousmane Badiane - 2023 ReSAKSS Conference.pptx
Dr. Ousmane Badiane - 2023 ReSAKSS Conference.pptx
AKADEMIYA20636 views
IEA Report: The Oil and Gas Industry in NetZero Transitions by Energy for One World
IEA Report: The Oil and Gas Industry in NetZero TransitionsIEA Report: The Oil and Gas Industry in NetZero Transitions
IEA Report: The Oil and Gas Industry in NetZero Transitions
Permit & Zoning Tech 2023 1116.pdf by NorthwestBOCA
Permit & Zoning Tech 2023 1116.pdfPermit & Zoning Tech 2023 1116.pdf
Permit & Zoning Tech 2023 1116.pdf
NorthwestBOCA54 views
How can the social and solidarity economy help refugees along their journey? by OECD CFE
How can the social and solidarity economy help refugees along their journey?How can the social and solidarity economy help refugees along their journey?
How can the social and solidarity economy help refugees along their journey?
OECD CFE63 views

Minimizing the risk of a data breach – a guide for nonprofit organizations

  • 1. 10/31/2017 Minimizing the risk of a data breach: A guide for nonprofit organizations https://charityvillage.com/Content.aspx?topic=Minimizing_the_risk_of_a_data_breach_A_guide_for_nonprofit_organizations#.WebOoxNSznX 1/4 3646 Views 0 Comments 1 Recommends Written by: Angela Byrne   March 8, 2017   More about:  Board of directors, Governance, IT, Management, Planning, Risk, Tools & Tips Text Size: A A 37 back Minimizing the risk of a data breach: A guide for nonprofit organizations About this article The risk of a privacy breach is a very real possibility for many organizations, including charities, and the consequences can be severe. The following headlines demonstrate that no organization is exempt. B.C. woman shocked to find private medical information of 10 other people in file A Calgary liquor store paid a ransom this week to regain access to its computers after hackers infected its database with a virus — and even got an unofficial receipt thanking it for its involuntary "purchase. It’s still unclear if personal data on an unencrypted hard drive missing from the BC Ministry of Education has been used by anyone. Family services sued after personal info hacked, posted on Facebook As many as 8,300 patients had contact information turned over to private RESP companies by employees Despite these headlines we know that many breaches are not reported and organizations are often caught off guard. According to the SC Magazine, about 77% of organizations are unprepared for cyber­security incidents. They quietly go about repairing damage and strengthening security; unbeknownst to the individuals who may be affected. For others, it is only when hearing news of a breach at a neighbouring organization that questions arise about the effectiveness of controls and security of information and systems. This will all change when the mandatory breach reporting requirements included in the new Digital Privacy Act (Bill S­4) comes into force. 
The Digital Privacy Act amended Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). A number of important changes to PIPEDA to strengthen privacy protection came into effect in 2015. Regulations for mandatory data breach reporting are in process with no effective date announced. It is important to note that once mandatory reporting is in place, failure to meet requirements will carry fines of up to $100,000. In my experience charities are particulary vulnerable. The pressure to minimize administrative expenses and funnel all revenue into service delivery often means there is little left over to invest in technology. Particularly in smaller organizations, technology infrastructure is often cobbled together and heavy reliance is placed on the one “IT person” to fill a myriad of roles; from IT strategist to help desk support. To minimize the risk of data breaches, avoid the negative headlines and ultimately comply with emerging regulations, charities will want to implement a systematic approach that provides assurance that risks to the information that they collect and store and the systems that hold that information are being addressed. Implementing the following 5 steps will provide valuable information on the level of vulnerability of a data breach: 1. Formally define the objective 2. Identify and prioritize risks to achieving the objective 3. Evaluate risk treatments 4. Close the gaps
  • 2. 10/31/2017 Minimizing the risk of a data breach: A guide for nonprofit organizations https://charityvillage.com/Content.aspx?topic=Minimizing_the_risk_of_a_data_breach_A_guide_for_nonprofit_organizations#.WebOoxNSznX 2/4 5. Review and Refresh A discussion of each of these steps follows. 1. Formally define the objective The first step is to formally define an objective related to data privacy and security. Although this may seem obvious, it may come as a surprise that many organizations have not done so. Often attention and resources are focused on value creation objectives. They are aptly named, as they create value for the organization when achieved. Common examples relate to: Improving quality of service delivery Increasing revenue Reducing wait times for service Less familiar are those objectives that strive to preserve or prevent the erosion of the value of an organization. Although there are often no accolades or celebration for achieving these objectives; if not realized, they can cost money, expose the organization to fines and penalties, damage reputation and may even have catastrophic consequences as could be the case with the organizations in the headlines noted above. These objectives often address such areas as: Health and safety compliance Integrity of financial reports Compliance with legislation Protecting assets Preventing fraud We can see that objectives in any of the above areas, if not achieved present considerable risk to an organization and have the potential to erode value. Similar to the areas mentioned above objectives related to data privacy and security would also fall into the category of value preservation. 
Objectives may be developed for any of the following areas:

- Safeguarding personal and confidential data
- Protecting information systems from unauthorized access
- Ensuring full compliance with all privacy legislation

Although many organizations may informally acknowledge the importance of value preservation objectives, often they are not formally established, managed and monitored. Formally articulating objectives that relate to the security and safety of information and technology increases the chances they will be achieved. An important step in establishing the data security objective is to assign an owner who is accountable for action. To demonstrate the following steps we will use the following example of a value preservation objective for data security: “Prevent unauthorized access to all information technology systems in 2017.”

2. Identify and prioritize risks to achieving the objective

To achieve an objective it is necessary to understand what can get in the way of success. Anticipating the risks helps organizations to understand what could go wrong and how to get the organization back on track. As risks are identified, it is necessary to prioritize them based on likelihood and impact. This is critical to ensuring that scarce resources are focused on the highest priority risks. The two questions to ask are:

1. What is the likelihood that this will happen?
2. What is the impact to the organization if it does?

A number of basic risks readily come to mind when we think about our objective above, “Prevent unauthorized access to all information technology systems in 2017”:

- The wrong people have access to information systems
- Information systems are not protected
- Users can modify or delete data
As we apply the two basic questions to the risk examples, we may conclude that the likelihood is high and that any breach of systems or data will have a significant impact. Avoid the temptation to be lulled into a false sense of security by the rationale that your organization is too small to bother with or that you have nothing of value. According to Richard Wilson, partner, cyber security and privacy practice, PwC Canada: "Canadian business and public sector leaders need to better understand the full range of impacts a cyber security breach can have on their organizations. This issue has evolved far beyond data loss. Beyond financial and reputational damages, we are seeing impacts to competitiveness, product and service quality, employee retention, and the health and safety of both employees and the public."

3. Evaluate risk treatments in place

Risk treatment is a term used to describe the action that the organization takes to control its exposure to risk. The most common types of risk treatments are: avoid, transfer or share, accept, or implement controls.

Avoiding the risk involves stopping the activity that is creating the risk. For charities this may mean stopping service, which is not a realistic option if the mission is to be achieved.

Transferring or sharing risk is when the organization gets someone else to fully or partially accept the risk. Examples include purchasing insurance or sharing risk with another party.

Risk acceptance is when an organization accepts the risk. This happens informally all the time, as organizations recognize a risk and move forward without taking any action. Whether acknowledged or not, the risk has been accepted.

Implementing controls means taking actions that reduce the organization's level of exposure to the risk.
Actions can include staff training, policies and procedures, reviews, approvals, supervisor sign-offs, completeness checks, etc. Assessing and determining the appropriate risk treatments to address priority risks provides an organization with the information it needs to close the gaps. Continuing with our example, risk treatments may include a number of measures such as:

- Implementing access and permission controls, such as ensuring users' access is approved on a “need to know” basis
- Partnering with IT service providers that detect and monitor security
- Educating users on appropriate security protocols
- Regular evaluation of qualifications and competencies of IT staff
- Purchasing cyber security insurance
- Implementing retention and destruction policies to ensure personally identifiable information is not kept longer than necessary

4. Close the gaps

With an understanding of the objective, the potential risks and the risk treatments, it is now time to take action to close any gaps. By taking action, the organization is increasing its chances of achieving the objective. It is not only important to take action but also to ensure that the action taken to mitigate risks is effective. That means evaluating the activities to ensure this is the case. Keep in mind that the only way to completely remove a risk is to avoid it. All other actions serve to reduce the risk but will not eliminate it. With that in mind, organizations need to understand the level of risk that continues to exist after action has been taken and whether they can accept the remaining level of risk. In our example above, perhaps we conclude that users are not as security aware as needed. In this case, a common response is to implement user training. We know that after receiving training there is still a chance that users will not follow best practices, so a security risk remains. Organizations need to determine if they can live with the remaining risk or if additional steps need to be taken.

5. Review and Refresh

At least annually, or when major change occurs, objectives, risks and risk treatments need to be reviewed. Change is constant. This is particularly relevant in the field of technology, where information security continually needs to address new and emerging threats. Objectives may need to be revised, and the risks to achieving the objective will change. Risk treatments also need to be continually reviewed to make sure they are working and reduce risk to an acceptable level. Implementing these five steps will ensure that value preservation objectives, such as those needed to protect data and information systems, are managed and that dire consequences for organizations are reduced.
Angela Byrne, president of Angela Byrne Consulting Inc., is passionate about helping organizations develop good structure and processes that manage risks and deliver results. She has extensive knowledge of charities and has worked with a number of organizations across Ontario. Angela is a Chartered Professional Accountant, Certified Management Accountant, Certified Internal Auditor and holds certifications in Information Systems Auditing and Risk Management Assurance. Angela welcomes thoughts and comments on this article by email to info@angelabyrnecma.com as well as any questions she might address in future articles. You can also find her on twitter at @byrne_angela and on LinkedIn.