7 Highly Risky Habits of Small to Medium-Sized Nonprofits: IT Security Pitfalls

7 Highly Risky Habits of Small to
Medium-Sized Nonprofits:
IT Security Pitfalls
March 23, 2016
Leon Wilson, Cleveland Foundation
Dan Rivas, Idealware

Introductions
Leon Wilson
Chief Technology &
Information Officer
Cleveland Foundation
Dan Rivas
Managing Writer
Idealware

What Are Your Security Habits?
Find the survey link in the Collaborative Notes or just type in the link
below.
Survey link: https://www.surveymonkey.com/r/7LFFJRF

Share Your Notes
Collaborative Notes allow you to add your thoughts, observations,
opinions, and “aha!” moments to a running record of this session.
To view or edit notes go to: http://po.st/7riskyhabits-16NTC

Tell the World What it’s Missing
You can live Tweet
this event using
#16NTC7riskyhabits

Why Is Everyone Talking About Security?
In the digital age, data risk is the new normal.

Do Nonprofits Need to Be Concerned?
If you:
•  Maintain financial information.
•  Maintain sensitive personal
information.
•  Maintain contact information.
Then the answer is unequivocally…

A False Sense of Security
Some are overwhelmed, others are just gambling that their number
won’t come up.
Survey link:

Avoiding Security Won’t Protect You

Neither Will Your Nonprofit Status
Survey link:
Hackers are pros
—they don’t care
who their target is.
If they can steal
valuable
information, they
will.

Small Nonprofits Are Attractive Targets
•  Fewer resources
•  Limited IT
security
•  Not likely to
notice an attack
until much later

Notable Nonprofit Data Breaches

The Risks to Your Organization
•  Loss of trust.
•  Reputational damage.
•  Negative impact on donor,
member, and volunteer
retention.
•  Financial liability.
•  Fines from banks and
regulators.

Practical Security Is Within Reach
Don’t leave the door unlocked. Follow these simple steps.

The 7 Highly Risky Habits
1.  Using personal computers for work
2.  Unmanaged personal mobile devices at work
3.  A lack of password management
4.  Using consumer-oriented Cloud storage
5.  Poor backup and disaster recovery infrastructure
6.  A lack of network security
7.  Poor software management

Habit 1: Using Personal
Computers for Work
Allowing staff members to use their personally-owned computers
for work—either as their primary or secondary workstation.

Why Do Nonprofits Do it?
•  Convenience
•  Cost Savings
•  Staff preference
Habit 1: Using Personal Computers for Work

What Are the Risks?

Outdated Software
Unsupported
operating systems,
applications, and
plug-ins are easier
to infiltrate.

You Can’t Control Access
•  A personal device may
have additional users
who can access data.
•  Terminated employees
are likely to still have
organizational
information after leaving.

Virus/Malware Risk
How do you know
personal computers
and devices have
basic protections?

Software Ownership
Your nonprofit may
have purchased the
software, but does not
control the license.

How Do You Reduce the Risks?

Require Minimum Software Standards
Define minimum
software and
versions to access
network.

Establish a Strong Password Policy
•  Establish and enforce
strong passwords.
•  Require periodic password
updates.
•  Establish automatic screen-
saver.

Provide Virus/Malware Protection Software
Set standards and
ensure virus protection
is actively running and
kept up to date.

Establish Software Licensing Policies
For example, you can
reclaim licenses and
reassign them to
other machines.

Habit 2: Unmanaged Personal
Mobile Devices @ Work
The use of personal cellphones, tablets, and other devices in the
workspace.

•  Convenience.
•  Anytime anywhere
information.
•  Cost Savings.
•  Staff preference.
Habit 2: Unmanaged Personal Mobile Devices @ Work

What Are the Risks?

Data Travels
The device is
mobile. That makes
your data mobile
too.
56%
of employees
frequently store
sensitive data on their
personal devices.

Mobile Devices Can Get Stolen
“Apple picking”
happens frequently
in bars and
restaurants.
37%
of iPhone users don’t
password protect their
phones.

Terminated Employees
It’s difficult to
immediately
remove data from
mobile devices.

Devices Are Often Shared
Kids, spouses,
people looking at
pictures, someone
who needs to make a
quick phone call….

More Tech Issues
IT staff have to be more
nimble and keep up with
how mobile changes
affect nonprofits.

Malicious Apps and Other Attacks
Most people don’t
run anti-virus
software and are not
aware of app risks.

Strong Password Policies
•  Establish and enforce
strong passwords.
•  Require periodic
password changing.
•  Establish automatic
screen-locking.

Encourage the Use of Anti-Virus Software
Set standards and
ensure virus protection
is actively running and
kept up to date.

Employee Termination Policies
Develop policies and
procedures for handling
access removal for
terminated employees.

Establish and Enforce BYOD Policy
•  Require written review,
acceptance, and compliance of
policy.
•  Ensure policy includes theft/
loss of device reporting.
•  Address wiping of organization
data and personal data, if
possible.

Mobile Device Management (MDM)
If your organization
expects staff to do a lot of
work on personal mobile
devices, this may be worth
the extra expense.

Habit 3: A Lack of Password
Management
Lack of or ineffective standards around the use of passwords for
computers and systems.

•  Convenience—too many
passwords to remember.
•  Unaware of what makes
a good password.
•  Management feels like a
lot of work.
16%
Report being able to
use old usernames and
passwords after
leaving their
organization.
Habit 3: Lack of Password Management

What Are the Risks?

Weak Passwords
2/3 of data
breaches
involve weak
passwords.

No Password Policies
Without guidance,
staff members
often take the
path of least
resistance.

Default Passwords in Place
Default passwords
are publicly known
and often the first
password a hacker
will try.

Bad Habits
•  Sharing passwords with co-workers.
•  Writing down passwords on unsecured notepads and post-it
notes.
•  Trying to keep it too simple.

Strong Password Management Policies
periodically!

Set Technology Controls
Most major software
systems can be set to
force staff to change
their passwords
periodically and comply
with standards.

Make Sure Default Passwords Are Changed
Don’t forget routers
and other network
devices around the
office.

Provide Training
Staff need
education on the
difference between
good and bad
passwords.

Habit 4: Using Consumer-
Oriented Cloud Storage
Using solutions such as Dropbox or Google Drive to store,
share, and access organization files.

•  Convenience.
•  Ease of use.
•  Don’t have to involve IT
support.
•  It’s free!
•  Can be synced among
multiple devices.
Habit 4: Using Consumer-Oriented Cloud Storage

What Are the Risks?

Hard to Control Access to Data
• Convenience
• Cost Savings
• Staff preference

Personal Accounts
If work is being stored on
personal Cloud accounts,
it’s the same as if it’s on
their computers at home.

Personal Accounts
•  No way to retrieve data and
files post employment.
•  Data instantaneously
replicated to multiple
devices.
•  No way to control who has
access and is viewing your
data.

Provide Business-Grade Cloud Storage
And discourage or
prevent the use of
personal accounts.

Establish Information Policies
Set policy
standards for file
management.

Block Unauthorized Syncing
Work with staff to
prevent the
unintentional
spread of access.

Habit 5: Poor Backup and
Disaster Recovery Infrastructure
Not being sure whether you can quickly and effectively recover
from an accidental or intentional loss, destruction, or corruption
of your organization’s systems, data, or files.

•  Shortsightedness.
•  Not putting a price
on data or key
systems.
•  Lack of adequate IT
support to lead
effort.
•  Blind faith.
62%
of small
organizations do
not routinely
back up data.
Habit 5: Poor Backup and Disaster Recovery

•  Backup: is the result of copying or archiving files
and folders for the purpose of being able to restore
them in case of data loss
•  Disaster Recovery: the process, policies and
procedures related to preparing for recovery or
continuation of technology infrastructure critical to
an organization after a natural or human-induced
disaster
It’s about
more than
just data!

What Are the Risks?

Consider the “What if” Scenarios
What would you do if you lost
all of your data due to a virus,
an accidental deletion, or a
natural catastrophe?

Major Costs

Regularly Schedule Backups
Any work you can’t easily
replace should be
backed up and stored off
site or in the Cloud.

Create a Disaster Recovery Plan
What will you need to do
to get up and running if
any of your “what if”
scenarios come true?

Test Your Plans
At least once a year
restore a deleted file
or a crashed server
just to make sure
you can do it.

Habit 6: A Lack of Adequate
Network Security
Haphazard IT infrastructure to protect from malicious attacks
and unauthorized access.

•  Shortsightedness.
•  Lack of adequate IT
support to lead effort.
•  Too complicated.
•  Assume that its not
necessary…until it is.
Habit 6: Lack of Adequate Network Security

What Are the Risks?

Unauthorized Access to Critical Information
Your organization’s
future is on the line.

Disruption of Work
An attack that halts work
means:
•  You can’t get
anything done.
•  The loss or corruption
of data.

Malicious Software
It can not only infect a
single machine—
malicious code can
spread throughout your
network.

Firewall Protection

Mandate Anti-Virus/Malware Software
And remember to
keep it updated.

Multiple Layers of Protection
Both at the server/
network level and
workstations.

Remove Former Employees from Network
Make it part of your
HR employee off-
boarding process.

Habit 7: Poor Software
Management
Proper lifecycle management, identification, and control of
wanted versus unwanted applications.

• Convenience.
• Shortsightedness.
• Lack of adequate IT
support to lead effort.
• Blind faith.
Habit 7: Poor Software Management

What Are the Risks?

Potentially Unwanted Applications (PUAs)
They affect everyone’s
productivity and are
hard to get rid of.

Security Vulnerabilities
Hackers keep up to date on
security holes and are always
looking for opportunities to
exploit them.

Poor Hardware Performance
Out-of-date software
can slow down your
computer.

Establish a Patch Management Policy
A policy that governs
how, when, and by
what means software
is updated helps
everyone do their best.

Manage Software Installs
Consider only
allowing authorized
IT support
personnel to
perform installs.

Perform Routine PC Tune-ups
Your PC is like your
attic—it collects a
lot of junk over
time.

Manage Software Installs
This includes
network
hardware and
firmware
updates!

7 Highly Risky Habits of Small to Medium-Sized Nonprofits: IT Security Pitfalls

Recommended

Recommended

More Related Content

What's hot

What's hot (7)

Viewers also liked

Viewers also liked (15)

Similar to 7 Highly Risky Habits of Small to Medium-Sized Nonprofits: IT Security Pitfalls

Similar to 7 Highly Risky Habits of Small to Medium-Sized Nonprofits: IT Security Pitfalls (20)

Recently uploaded

Recently uploaded (20)

7 Highly Risky Habits of Small to Medium-Sized Nonprofits: IT Security Pitfalls