IT security has become more of a concern to organizations big and small. Major security breaches or hacks are frequently reported in the media, and for every reported hack, dozens more go unreported. Small and medium-sized nonprofits are not immune to potential security breaches. Many nonprofit leaders consider the work they do of little or no value to hackers, since they’re not a bank or major retailer. Hackers prey on this naïve perception.
If you’re storing and working with data regarding members, donors, volunteers, clients or patrons, or credit cards, you could be at risk. Any breach could have severe ramifications, including loss of trust among your community or possible financial penalties.
Bad IT habits and practices make smaller nonprofits prime targets for hackers. Management, IT controls, and procedures introduce security risks to the organization. Hackers know that most small and medium-sized nonprofits don’t have the financial capacity or technical resources to implement security controls rivaling those of large organizations. Still, there are some basic sound IT practices and controls that can be put in place to provide a comfortable measure of control.
We’ll walk through the seven commonly-found bad habits and consider the potential IT security risk within each practice. We’ll also discuss effective IT policies, procedures, and tools to minimize security risks and transform bad habits into good ones.
This session is appropriate for any small or medium-sized nonprofit staff member responsible for making technology decisions, as well as nonprofit leaders influencing IT operations.
7 Highly Risky Habits of Small to Medium-Sized Nonprofits: IT Security Pitfalls
1. 7 Highly Risky Habits of Small to Medium-Sized Nonprofits: IT Security Pitfalls
March 23, 2016
Leon Wilson, Cleveland Foundation
Dan Rivas, Idealware
3. What Are Your Security Habits?
Find the survey link in the Collaborative Notes or just type in the link below.
Survey link: https://www.surveymonkey.com/r/7LFFJRF
4. Share Your Notes
Collaborative Notes allow you to add your thoughts, observations, opinions, and “aha!” moments to a running record of this session.
To view or edit notes go to: http://po.st/7riskyhabits-16NTC
5. Tell the World What it’s Missing
You can live Tweet this event using #16NTC7riskyhabits
6. Why Is Everyone Talking About Security?
In the digital age, data risk is the new normal.
8. Do Nonprofits Need to Be Concerned?
If you:
• Maintain financial information.
• Maintain sensitive personal information.
• Maintain contact information.
Then the answer is unequivocally…
9. A False Sense of Security
Some are overwhelmed, others are just gambling that their number won’t come up.
11. Neither Will Your Nonprofit Status
Hackers are pros—they don’t care who their target is. If they can steal valuable information, they will.
12. Small Nonprofits Are Attractive Targets
• Fewer resources
• Limited IT security
• Not likely to notice an attack until much later
14. The Risks to Your Organization
• Loss of trust.
• Reputational damage.
• Negative impact on donor, member, and volunteer retention.
• Financial liability.
• Fines from banks and regulators.
15. Practical Security Is Within Reach
Don’t leave the door unlocked. Follow these simple steps.
16. The 7 Highly Risky Habits
1. Using personal computers for work
2. Unmanaged personal mobile devices at work
3. A lack of password management
4. Using consumer-oriented Cloud storage
5. Poor backup and disaster recovery infrastructure
6. A lack of network security
7. Poor software management
17. Habit 1: Using Personal Computers for Work
Allowing staff members to use their personally-owned computers for work—either as their primary or secondary workstation.
18. Why Do Nonprofits Do it?
• Convenience
• Cost Savings
• Staff preference
Habit 1: Using Personal Computers for Work
19. What Are the Risks?
Habit 1: Using Personal Computers for Work
21. You Can’t Control Access
• A personal device may have additional users who can access data.
• Terminated employees are likely to still have organizational information after leaving.
Habit 1: Using Personal Computers for Work
22. Virus/Malware Risk
How do you know personal computers and devices have basic protections?
Habit 1: Using Personal Computers for Work
23. Software Ownership
Your nonprofit may have purchased the software, but does not control the license.
Habit 1: Using Personal Computers for Work
24. How Do You Reduce the Risks?
Habit 1: Using Personal Computers for Work
25. Require Minimum Software Standards
Define minimum software and versions to access network.
Habit 1: Using Personal Computers for Work
26. Establish a Strong Password Policy
• Establish and enforce strong passwords.
• Require periodic password updates.
• Establish automatic screensaver.
Habit 1: Using Personal Computers for Work
27. Provide Virus/Malware Protection Software
Set standards and ensure virus protection is actively running and kept up to date.
Habit 1: Using Personal Computers for Work
28. Establish Software Licensing Policies
For example, you can reclaim licenses and reassign them to other machines.
Habit 1: Using Personal Computers for Work
29. Habit 2: Unmanaged Personal Mobile Devices @ Work
The use of personal cellphones, tablets, and other devices in the workspace.
30. Why Do Nonprofits Do it?
• Convenience.
• Anytime, anywhere information.
• Cost Savings.
• Staff preference.
Habit 2: Unmanaged Personal Mobile Devices @ Work
31. What Are the Risks?
Habit 2: Unmanaged Personal Mobile Devices @ Work
32. Data Travels
The device is mobile. That makes your data mobile too.
56% of employees frequently store sensitive data on their personal devices.
Habit 2: Unmanaged Personal Mobile Devices @ Work
33. Mobile Devices Can Get Stolen
“Apple picking” happens frequently in bars and restaurants.
37% of iPhone users don’t password protect their phones.
Habit 2: Unmanaged Personal Mobile Devices @ Work
35. Devices Are Often Shared
Kids, spouses, people looking at pictures, someone who needs to make a quick phone call….
Habit 2: Unmanaged Personal Mobile Devices @ Work
36. More Tech Issues
IT staff have to be more nimble and keep up with how mobile changes affect nonprofits.
Habit 2: Unmanaged Personal Mobile Devices @ Work
37. Malicious Apps and Other Attacks
Most people don’t run anti-virus software and are not aware of app risks.
Habit 2: Unmanaged Personal Mobile Devices @ Work
38. How Do You Reduce the Risks?
Habit 2: Unmanaged Personal Mobile Devices @ Work
39. Strong Password Policies
• Establish and enforce strong passwords.
• Require periodic password changing.
• Establish automatic screen-locking.
Habit 2: Unmanaged Personal Mobile Devices @ Work
40. Encourage the Use of Anti-Virus Software
Set standards and ensure virus protection is actively running and kept up to date.
Habit 2: Unmanaged Personal Mobile Devices @ Work
41. Employee Termination Policies
Develop policies and procedures for handling access removal for terminated employees.
Habit 2: Unmanaged Personal Mobile Devices @ Work
42. Establish and Enforce BYOD Policy
• Require written review, acceptance, and compliance of policy.
• Ensure policy includes theft/loss of device reporting.
• Address wiping of organization data and personal data, if possible.
Habit 2: Unmanaged Personal Mobile Devices @ Work
43. Mobile Device Management (MDM)
If your organization expects staff to do a lot of work on personal mobile devices, this may be worth the extra expense.
Habit 2: Unmanaged Personal Mobile Devices @ Work
44. Habit 3: A Lack of Password Management
Lack of or ineffective standards around the use of passwords for computers and systems.
45. Why Do Nonprofits Do it?
• Convenience—too many passwords to remember.
• Unaware of what makes a good password.
• Management feels like a lot of work.
16% report being able to use old usernames and passwords after leaving their organization.
Habit 3: Lack of Password Management
46. What Are the Risks?
Habit 3: Lack of Password Management
47. Weak Passwords
2/3 of data breaches involve weak passwords.
Habit 3: Lack of Password Management
48. No Password Policies
Without guidance, staff members often take the path of least resistance.
Habit 3: Lack of Password Management
49. Default Passwords in Place
Default passwords are publicly known and often the first password a hacker will try.
Habit 3: Lack of Password Management
50. Bad Habits
• Sharing passwords with co-workers.
• Writing down passwords on unsecured notepads and post-it notes.
• Trying to keep it too simple.
Habit 3: Lack of Password Management
51. How Do You Reduce the Risks?
Habit 3: Lack of Password Management
53. Set Technology Controls
Most major software systems can be set to force staff to change their passwords periodically and comply with standards.
Habit 3: Lack of Password Management
54. Make Sure Default Passwords Are Changed
Don’t forget routers and other network devices around the office.
Habit 3: Lack of Password Management
56. Habit 4: Using Consumer-Oriented Cloud Storage
Using solutions such as Dropbox or Google Drive to store, share, and access organization files.
57. Why Do Nonprofits Do it?
• Convenience.
• Ease of use.
• Don’t have to involve IT support.
• It’s free!
• Can be synced among multiple devices.
Habit 4: Using Consumer-Oriented Cloud Storage
58. What Are the Risks?
Habit 4: Using Consumer-Oriented Cloud Storage
59. Hard to Control Access to Data
• Convenience
• Cost Savings
• Staff preference
Habit 4: Using Consumer-Oriented Cloud Storage
60. Personal Accounts
If work is being stored on personal Cloud accounts, it’s the same as if it’s on their computers at home.
Habit 4: Using Consumer-Oriented Cloud Storage
61. Personal Accounts
• No way to retrieve data and files post employment.
• Data instantaneously replicated to multiple devices.
• No way to control who has access and is viewing your data.
Habit 4: Using Consumer-Oriented Cloud Storage
62. How Do You Reduce the Risks?
Habit 4: Using Consumer-Oriented Cloud Storage
63. Provide Business-Grade Cloud Storage
And discourage or prevent the use of personal accounts.
Habit 4: Using Consumer-Oriented Cloud Storage
65. Block Unauthorized Syncing
Work with staff to prevent the unintentional spread of access.
Habit 4: Using Consumer-Oriented Cloud Storage
66. Habit 5: Poor Backup and Disaster Recovery Infrastructure
Not being sure whether you can quickly and effectively recover from an accidental or intentional loss, destruction, or corruption of your organization’s systems, data, or files.
67. Why Do Nonprofits Do it?
• Shortsightedness.
• Not putting a price on data or key systems.
• Lack of adequate IT support to lead effort.
• Blind faith.
62% of small organizations do not routinely back up data.
Habit 5: Poor Backup and Disaster Recovery
68. Why Do Nonprofits Do it?
• Backup: the result of copying or archiving files and folders for the purpose of being able to restore them in case of data loss.
• Disaster Recovery: the process, policies, and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster.
It’s about more than just data!
Habit 5: Poor Backup and Disaster Recovery
69. What Are the Risks?
Habit 5: Poor Backup and Disaster Recovery
70. Consider the “What if” Scenarios
What would you do if you lost all of your data due to a virus, an accidental deletion, or a natural catastrophe?
Habit 5: Poor Backup and Disaster Recovery
72. How Do You Reduce the Risks?
Habit 5: Poor Backup and Disaster Recovery
73. Regularly Schedule Backups
Any work you can’t easily replace should be backed up and stored off site or in the Cloud.
Habit 5: Poor Backup and Disaster Recovery
74. Create a Disaster Recovery Plan
What will you need to do to get up and running if any of your “what if” scenarios come true?
Habit 5: Poor Backup and Disaster Recovery
75. Test Your Plans
At least once a year, restore a deleted file or a crashed server just to make sure you can do it.
Habit 5: Poor Backup and Disaster Recovery
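The two steps above (schedule the backup, then prove the restore works) can be exercised by the same script. The block below is an added example and is not material from the session: it archives a directory, records a checksum manifest at backup time, then restores into a scratch directory and compares every file against the manifest, which catches a backup that silently omitted or damaged a file. The sample directory, its contents and the truncated archive used to simulate a damaged backup are all constructed inside the demo.

```python
"""Scheduled backup plus a test restore that verifies the result.

Added example, not from the session. Assumes a directory of files to
protect; run_demo() builds a constructed one in a temporary directory.
"""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir, archive_path):
    """Archive src_dir into a gzip tarball.
    Returns a manifest {relative path: sha256} taken at backup time, which is
    what the later test restore is checked against."""
    src = Path(src_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = path.relative_to(src).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    return manifest


def verify_backup(archive_path, manifest):
    """Restore into a scratch directory and check every manifest entry.
    Returns (ok, problems); an unreadable archive is reported, not raised."""
    problems = []
    # Use the 'data' extraction filter where this Python version provides it.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(restore_dir, **extract_kwargs)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return False, [f"archive unreadable: {type(exc).__name__}"]
        for rel, expected in manifest.items():
            restored = Path(restore_dir) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"checksum mismatch: {rel}")
    return not problems, problems


def run_demo():
    """Back up a constructed directory, verify it, then verify a damaged copy.
    Returns (healthy_ok, damaged_ok, damaged_problems)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "donor_records"          # constructed sample data
        (src / "2016").mkdir(parents=True)
        (src / "donors.csv").write_text("id,name\n1,Example Donor\n")
        (src / "2016" / "grants.txt").write_text("constructed sample data\n")

        archive = work / "donor_records.tar.gz"
        manifest = create_backup(src, archive)
        healthy_ok, _ = verify_backup(archive, manifest)

        # Simulate a backup that was cut short (e.g. an off-site copy that
        # stopped mid-transfer) by truncating the archive to half its size.
        with open(archive, "r+b") as f:
            f.truncate(archive.stat().st_size // 2)
        damaged_ok, damaged_problems = verify_backup(archive, manifest)
    return healthy_ok, damaged_ok, damaged_problems


if __name__ == "__main__":
    healthy, damaged, problems = run_demo()
    print("healthy archive restores cleanly:", healthy)
    print("damaged archive restores cleanly:", damaged, problems)
```

In practice the manifest is stored next to the archive (or off site with it) and the verify step runs on a schedule, so the "restore a deleted file at least once a year" check becomes an automated, logged result rather than a task someone has to remember.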
76. Habit 6: A Lack of Adequate Network Security
Haphazard IT infrastructure to protect from malicious attacks and unauthorized access.
77. Why Do Nonprofits Do it?
• Shortsightedness.
• Lack of adequate IT support to lead effort.
• Too complicated.
• Assume that it’s not necessary…until it is.
Habit 6: Lack of Adequate Network Security
78. What Are the Risks?
Habit 6: Lack of Adequate Network Security
79. Unauthorized Access to Critical Information
Your organization’s future is on the line.
Habit 6: Lack of Adequate Network Security
80. Disruption of Work
An attack that halts work means:
• You can’t get anything done.
• The loss or corruption of data.
Habit 6: Lack of Adequate Network Security
81. Malicious Software
It can not only infect a single machine—malicious code can spread throughout your network.
Habit 6: Lack of Adequate Network Security
82. How Do You Reduce the Risks?
Habit 6: Lack of Adequate Network Security
85. Multiple Layers of Protection
Both at the server/network level and workstations.
Habit 6: Lack of Adequate Network Security
86. Remove Former Employees from Network
Make it part of your HR employee offboarding process.
Habit 6: Lack of Adequate Network Security
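Slides 41 and 86 both come down to the same control: when HR records a departure, every account that person holds must actually be disabled. The block below is an added example, not material from the session, showing how to reconcile an HR roster against account exports so that leftover access is found instead of assumed gone. Both inputs are constructed for the demo; the system names, e-mail addresses and the CSV column names are assumptions about how a nonprofit's HR system and each IT system would export their data.

```python
"""Offboarding reconciliation: find accounts still enabled for people who left.

Added example, not from the session. Assumes two constructed inputs: an HR
roster with status and termination date, and an export of accounts per system
(directory, VPN, cloud storage) with an enabled flag.
"""
import csv
import io
from datetime import date

# Constructed HR roster; in practice exported from the HR system.
HR_ROSTER_CSV = """email,status,termination_date
alice@example.org,active,
bob@example.org,terminated,2016-02-15
carol@example.org,active,
dave@example.org,terminated,2016-03-01
"""

# Constructed account exports, one row per (system, account).
ACCOUNT_EXPORT_CSV = """system,email,enabled
directory,alice@example.org,true
directory,bob@example.org,true
vpn,bob@example.org,true
cloud_storage,carol@example.org,true
cloud_storage,dave@example.org,false
cloud_storage,volunteer-laptop@example.org,true
vpn,carol@example.org,true
"""


def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def find_offboarding_gaps(roster_csv, account_csv, today_iso):
    """Return sorted (system, email, reason) tuples for every enabled account
    that belongs to a terminated person or to nobody on the roster at all.
    Accounts already disabled are skipped; that is the expected end state."""
    today = date.fromisoformat(today_iso)
    roster = {r["email"].strip().lower(): r for r in load_rows(roster_csv)}
    gaps = []
    for acct in load_rows(account_csv):
        if acct["enabled"].strip().lower() != "true":
            continue
        email = acct["email"].strip().lower()
        person = roster.get(email)
        if person is None:
            # Shared or orphaned accounts never pass through HR offboarding,
            # so they need an owner or a decision of their own.
            gaps.append((acct["system"], email, "no matching HR record"))
        elif person["status"] == "terminated":
            days = (today - date.fromisoformat(person["termination_date"])).days
            gaps.append((acct["system"], email, f"terminated {days} days ago, still enabled"))
    return sorted(gaps)


if __name__ == "__main__":
    for system, email, reason in find_offboarding_gaps(HR_ROSTER_CSV, ACCOUNT_EXPORT_CSV, "2016-03-23"):
        print(f"{system:14} {email:32} {reason}")
```

Run weekly against fresh exports, the output is the to-do list for whoever owns access removal, and the "days ago" figure shows how long the offboarding step has been falling through the cracks.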
87. Habit 7: Poor Software Management
Proper lifecycle management, identification, and control of wanted versus unwanted applications.
88. Why Do Nonprofits Do it?
• Convenience.
• Shortsightedness.
• Lack of adequate IT support to lead effort.
• Blind faith.
Habit 7: Poor Software Management
89. What Are the Risks?
Habit 7: Poor Software Management
90. Potentially Unwanted Applications (PUAs)
They affect everyone’s productivity and are hard to get rid of.
Habit 7: Poor Software Management
91. Security Vulnerabilities
Hackers keep up to date on security holes and are always looking for opportunities to exploit them.
Habit 7: Poor Software Management
93. How Do You Reduce the Risks?
Habit 7: Poor Software Management
94. Establish a Patch Management Policy
A policy that governs how, when, and by what means software is updated helps everyone do their best.
Habit 7: Poor Software Management
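A patch management policy (slide 94) and the "minimum software and versions to access the network" rule from slide 25 both need the same mechanical check: compare what each machine reports against a written baseline and flag what falls short. The block below is an added example and is not material from the session. The baseline, the product names, the version strings and the inventory rows are all constructed placeholders; a real deployment would feed it the export of whatever inventory or endpoint tool the organization uses.

```python
"""Minimum software baseline check, the mechanical part of a patch
management policy and of a minimum-version rule for network access.

Added example, not from the session. Assumes a constructed baseline
(product -> minimum acceptable version) and a constructed inventory export
of (hostname, product, installed version) rows.
"""
import re

# Constructed baseline; product names and versions are placeholders.
BASELINE = {
    "os": "10.0.10586",
    "browser": "49.0",
    "antivirus_definitions": "2016.03.20",
    "pdf_reader": "15.010",
}

# Constructed inventory rows as an endpoint agent or login script might report them.
INVENTORY = [
    ("fundraising-01", "os", "10.0.10586"),
    ("fundraising-01", "browser", "49.0"),
    ("fundraising-01", "antivirus_definitions", "2016.03.22"),
    ("fundraising-01", "pdf_reader", "15.010"),
    ("reception-pc", "os", "6.1.7601"),
    ("reception-pc", "browser", "48.0"),
    ("reception-pc", "antivirus_definitions", "2016.02.01"),
    ("volunteer-laptop", "os", "10.0.10586"),
    ("volunteer-laptop", "browser", "49.0"),
    ("volunteer-laptop", "antivirus_definitions", "2016.03.23"),
    ("volunteer-laptop", "pdf_reader", "11.0.10"),
]


def parse_version(text):
    """Turn a dotted version string into a tuple of ints for comparison.
    Only numeric components count, so '15.010' becomes (15, 10) and a suffix
    such as '-beta' is dropped. Baseline and inventory must use the same
    numbering scheme for a product for the comparison to mean anything."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def check_host(host_rows, baseline):
    """Findings for one host as (product, installed, minimum, reason).
    A product absent from the inventory is a finding too: an unreported
    product cannot be shown to meet the baseline."""
    installed = {product: version for _, product, version in host_rows}
    findings = []
    for product, minimum in baseline.items():
        if product not in installed:
            findings.append((product, None, minimum, "not installed or not reported"))
        elif parse_version(installed[product]) < parse_version(minimum):
            findings.append((product, installed[product], minimum, "below minimum version"))
    return findings


def compliance_report(inventory, baseline=BASELINE):
    """Group inventory rows by host and check each one.
    Returns {hostname: findings}; an empty list means the host is compliant."""
    by_host = {}
    for row in inventory:
        by_host.setdefault(row[0], []).append(row)
    return {host: check_host(rows, baseline) for host, rows in sorted(by_host.items())}


def noncompliant_hosts(inventory, baseline=BASELINE):
    """Hostnames that the minimum-version rule says should not get network access yet."""
    return sorted(host for host, findings in compliance_report(inventory, baseline).items() if findings)


if __name__ == "__main__":
    for host, findings in compliance_report(INVENTORY).items():
        print(f"{host:18} {'OK' if not findings else 'BLOCK'}")
        for product, installed, minimum, reason in findings:
            print(f"    {product}: installed={installed} minimum={minimum} ({reason})")
```

The report is the policy's evidence: it says which machine, which product and how far behind, so the "how, when, and by what means" questions in the policy have concrete work items attached, and the same list can gate network access for personal computers until they are brought up to the baseline.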
95. Manage Software Installs
Consider only allowing authorized IT support personnel to perform installs.
Habit 7: Poor Software Management
96. Perform Routine PC Tune-ups
Your PC is like your attic—it collects a lot of junk over time.
Habit 7: Poor Software Management