Non-profit organizations such as associations often do not spend sufficiently on technology infrastructure. Nor do they typically have sufficient professional IT support to implement and maintain best practices for security. These factors, combined with a dangerous practice we are going to discuss shortly that many non-profit organizations are guilty of, increase the likelihood that your association will become the victim of a cyber breach that is costly in time, money, and reputation.
The Risk of Insecure Passwords
Customer relationship management (CRM) and donor management software licenses are expensive. To save on costs, non-profit organizations may buy one or two licenses and share the login credentials willy-nilly with others in the organization. Sometimes these organizations are smart enough not to share the passwords, but they instead routinely extract data into spreadsheets that are easily accessible to unauthorized users.
The Risk of Duplicate Databases
Shadow databases, which are extra copies of a central database that exist outside the main repository, are a major vulnerability for all organizations. A significant factor in many of the healthcare data breaches has been stolen laptops. On these laptops is valuable personal data in the form of shadow databases. Patient names, diagnoses, and other sensitive information have all been exposed by such security lapses.
Associations often create shadow copies of confidential information to allow volunteers or even staff to make use of the data while working from home. This poses a risk to the data (and thus the organization) on several levels. No volunteer or employee should be able to take sensitive information from the database off-site, in its original form or as a copy. By allowing them to do so, the organization creates an unacceptable level of risk, no matter how much work they complete.
Stay tuned for next month’s installment in this four-part series entitled Getting Your Data Back in the Barn.
Cyber security articles are written by proLearning innovations. Contact proLearning to learn more about their IT Security Training Program for Employees and Volunteers and other offerings designed to help keep your association safe.
Securing your data, and always being aware of just where it is and who has access to it, begins with proper, effective governance decisions. If this is left to volunteers or non-management staff, an adequate cyber-security process is unlikely to develop. This is the sort of leadership issue addressed at the CASE Governance Forum events. This year, they will be taking place in Ottawa and Calgary.