The document discusses the importance of data security for nonprofits, highlighting common risks, risky practices, and strategies to mitigate potential data breaches. It outlines steps for assessing security risks, establishing policies, and implementing better practices like password management and secure cloud storage. Additionally, it emphasizes the need for regular training and the creation of incident response plans to ensure organizational preparedness against security threats.

1. Assessing Your Security
September 2016

2. Introductions
Joshua Peskay
Idealware Expert Trainer
Vice President,
RoundTable Technology

3. Introductions
Peter Campbell
Chief Information Officer,
Legal Services Corporation

4. Introductions
www.idealware.org

5. WhatWe’ll Cover Today
• Imperfect Security
• Assessing Your Risk
• Common Risky Practices
• What Do You Do if You Experience a Data Breach?
• Establishing Policies for Your Organization

6. Poll Question
On a scale of 1-5, how concerned are you with
your data security?

7. A False Sense of Security

8. Why Is Everyone Talking About Security?
In the digital age, data risk is the new normal.

9. A False Sense of Security
Some are overwhelmed. Others are just gambling that their
number won’t come up.
Survey link:

10. Avoiding Security Won’t Protect You

11. Neither Will Your Nonprofit Status
Survey link:
Data thieves are
usually pros—they
don’t care who their
target is. If they can
steal valuable
information, they will.

12. Small Nonprofits Are Attractive Targets
• Fewer
resources
• Limited IT
security
• Not likely to
notice an attack
until much later

13. What Are Your Risks?
And what should
you do about
them?
Photo Credit: Women of Color in Tech Chat

14. Assessing Your Risk

15. It’s a Process
To understand the
risks and your
comfort with them,
you need to carry
out a thorough
assessment of
your data.

16. Inventory Your Data
Make a list on
sticky notes and
group them by
where the data is
stored (e.g., case
management
system).

17. Classify Your Information
• Confidentiality: Data
that can’t be
exposed.
• Integrity: Data you
can’t lose.
• Availability: Data you
can’t lose access to
for any period of time.
If you have data that’s not very high in any of these categories,
then it’s likely not essential to your organization.

18. Consider the Risks
Think through:
• What could happen to
your data?
• How likely is it to happen?
• How bad would it be if
something happened?
Photo Credit: Women of Color in Tech Chat

19. Into the Chat: What Risks Worry You?
Are there specific risks that keep you up at night?

20. 8 Common Risky Practices

21. 1. Unmanaged Personal Devices
Do staffers use their personal devices for work?

22. You Can’t Control Access
• A personal device may
have additional users.
• Terminated employees
are likely to still have
organizational
information after
leaving.

23. Virus/Malware Risk
How do you know
personal computers
and devices have
basic protections?

24. Software Ownership
Your nonprofit might
purchase the software,
but not control the
license.

25. What Can You Do?
• Provide virus and
malware software.
• Establish software
licensing policies.
• Provide devices for
work, if possible.
• Mobile Device
Management exists,
but is expensive.

26. 2. Lack of Password Management
Are a lot of people using weak passwords?

27. Bad Habits
• Sharing passwords.
• Reusing Passwords
• Not changing default passwords.
• Writing passwords on post-it notes.
• Trying to keep it too simple.

28. Multi-Factor Authentication
Something
You Know
Something
You Have
Something
You Are

29. Password Managers

30. What Can You Do?
• Implement password
management
software such as
OneLogin.
• Dual-factor
authentication.
• Establish password
creation policies.
• Provide training.

31. 3. Consumer-Grade Cloud Storage
Is there a difference between Dropbox and Dropbox for business?

32. Hard to Control Access to Data
• Convenience
• Cost Savings
• Staff preference

33. Less Security
You often get
what you pay
for with free
Cloud storage.

34. What Can You Do?
• Use business-grade
Cloud storage and
set controls that limit
access to your data.
• Add-on services
such as BetterCloud
can also give you
deeper audit and
policy controls.

35. 4. Poor Backup Infrastructure
What if your office experiences a disaster?

36. Data Needs to Be in a Safe Place
If you have to
store it physically,
take your backup
off site.
The Cloud is a
great option for
backup.

37. Think Beyond Backup
It’s just one of many business continuity challenges. What will
you do if the data is unavailable for a period of time or you
experience a data breach?

38. What Can You Do?
• Regularly
schedule backups.
• Create incident
response,
business
continuity, and
disaster recovery
plans—and test
them!

39. 5. Poor Software Management
Is the software your team is using safe?

40. DIY Downloads Don’t Happen
It’s inconvenient, so
people are likely to skip
downloading patches
and updates.

41. Out of Date Software
Hackers keep up to date on
security holes and are always
looking for opportunities to
exploit them.

42. Unwanted Applications
They can affect
both productivity
and machine
health. And some
carry malware.

43. What Can You Do?
• Establish patch
management
procedures.
• Manage software
installations.
• Perform regular
tune-ups.

44. 6. Overlooking Physical Security
Is your office protected?

45. What if Someone Walks in the Door?
Would it be easy
to access or steal
computers?

46. What Can You Do?
• Take basic office
security measures.
• Lock computers to
desks.
• Institute a check
out policy for
shared devices and
keep them locked
away.

47. 7. Unsafe Wi-Fi
Is your connection secure?

48. Office Wi-Fi Needs to Be Protected
You can’t just plug
in a router and
assume everything
is fine.

49. Coffee Shops Can Be Risky
Is that connection
vulnerable to
spying?

50. What Can You Do?
• Make sure your
network is
protected by a
firewall and a
password.
• Avoid working
in unsecure
environments.

51. 8. Security Training
Your staff members are your most important security measure.

52. Awareness Can Prevent Many Incidents
People want to do the
right thing, but they
often don’t know what
that is or why it’s
important.

53. What Can You Do?
• Regularly
provide short
training
sessions.
• Incorporate
security
issues/discussi
ons in existing
meetings.

54. Establishing Policies

55. Form a Committee
A diverse
committee can help
you see risk from
multiple angles and
come up with smart
ways to deal with
those risks.

56. Ask Tough Questions
Anything you
overlook has the
potential to be a
hazard in the
future.

57. What Will Prevent a Breach?
Think of all the ways a breach
might occur. Write rules that
govern activities such as how
to create and handle
passwords or how files can be
stored and shared.

58. How Will You Respond if a Breach Occurs?
Map out a response
plan that includes
steps and roles for
data recovery,
business continuity,
and communications.

59. BYOD?
Write clear usage
guidelines for things
such as what security
software needs to be
installed and whether
your organization
provides IT support.

60. Policy Making Is Iterative
You’ll need to review
your rules and update
them periodically to
make sure they’re
addressing your
needs.

61. Policy Examples
Go to http://bit.ly/SecurityPolicyExamples to find examples and
templates that you can use as your starting point.

62. Additional Resources
Idealware and RoundTable technology have many resources
that can help you better secure your technology and data.
• What Nonprofits Need to Know About Security: A Practical
Guide to Managing Risk (Idealware)
• Incident Report Form (RoundTable)
• Backup, Data Recovery, and Business Continuity Primer
(RoundTable)
• Information Identification and Classification Template
(RoundTable)

63. Perfect Security Isn’t Possible
There will always
be risks out there.

64. Practical Security Is Within Reach

65. Into the Chat: What Resonated?
What security steps will you take over the next month?

66. Questions?
Ask Idealware…
On Twitter: @idealware
On Facebook: /idealware