Information Security for Nonprofits
Dan Keleher from KPM Consulting gave a presentation on Information Security for Nonprofits. Dan Keleher is the Executive Director of KPM Consulting, LLC, the information technology consulting arm of the CPA firm, KPM. Prior to entering consulting Dan had a distinguished 18 year career with Liberty Mutual, where he was responsible for creating cohesive integration of business needs and information technology. Dan discussed some of the key ways data breaches can occur at a nonprofit organization and steps that every employee can take to help minimize exposure. He reviewed: the top risks for nonprofits after exposure to a data breach; how to identify spear phishing attempts; and tips for improved password security
What is the goal of information security? Everything that applies to business organizations also applies to an individual’s own computers and personal devices. Information security is designed to reduce or eliminate the risk of exposure from a data breaches and the ensuing damage to your company’s reputation. It is especially important to safeguard donor/customer/ and employee data: names, addresses, date of birth, phone numbers, social security numbers, bank account information, and much more. By law, companies have to report data breaches. Since January of this year, there have been over 100 data breaches in Massachusetts alone. Hackers often use “phishing” schemes where they trick workers to unknowingly reveal a password or download malicious software. The data thieves are not necessarily going after money – it is more likely that they are going after data.
How do businesses (and individuals) protect themselves? You can protect yourself from outside threats by installing very robust next generation firewalls. You also need to install very strong internal controls. You need to have access to data controls, both physical (locked doors, file cabinets) and logical. Logical Access involves authentication controls to ensure that persons logging into the system, are who they say they are. The best way to do this is to combine two or more types of authentication: username, password, code number, secret questions, biometrics, etc. You also need to restrict access to data based on job requirements, separation of duties, and by adopting the principle of least privilege: if you don’t need access to it, you don’t get it, and if you do need access to it, you only get access for the time you need it. Having strong passwords which are complex and are changed on a regular basis is very important.
Next, you need to have a 100% reliable back-up system. You need to back-up your hard drives, networks, software programs, everything. Back-ups need to be on-site or remote and either by tape, disk, or in the cloud. If you get hit with malware or ransomware, you will either need to pay the hackers to restore your system or you can completely flush the system and restore it with your backup. You need to have a formal plan for doing periodic restore tests and validations. Keep in mind that most hackers can get into any system, given enough time and money.
Finally, you need to educate your employees and users of your system to recognize threats to the system, to avoid letting those threats in (by not clicking on or opening suspicious emails and attachments), and by reporting suspicious activity to your system administrator or help desk. Education and training of users is your last line of defense. Also, you can create an incident response plan, periodically review your MA Data Privacy Written Information Security Plan, and run vulnerability scans on your network.
A summary of the keys steps to protected your IT system and prevent data breaches are as follows: 1) Defend the perimeter with a next generation firewall; 2) control access to your system with authorization controls; 3) have strong and complex passwords; 4) keep your software up to date; 5) secure your data with strong reliable back-up and recovery plans; 6) train you users and make them aware of potential threats; 7) train your staff to be aware of spear phishing and ransomware; and 8) report incidents to your administrator or help desk.
The presentation can be found here: KPM_InfoSecurity_03-30-2017-1