March 2017 Meeting: Information Security for Nonprofits

Information Security for Nonprofits

Dan Keleher from KPM Consulting gave a presentation on Information Security for Nonprofits. Dan Keleher is the Executive Director of KPM Consulting, LLC, the information technology consulting arm of the CPA firm, KPM. Prior to entering consulting Dan had a distinguished 18 year career with Liberty Mutual, where he was responsible for creating cohesive integration of business needs and information technology. Dan discussed some of the key ways data breaches can occur at a nonprofit organization and steps that every employee can take to help minimize exposure. He reviewed: the top risks for nonprofits after exposure to a data breach; how to identify spear phishing attempts; and tips for improved password security

What is the goal of information security? Everything that applies to business organizations also applies to an individual’s own computers and personal devices. Information security is designed to reduce or eliminate the risk of exposure from a data breaches and the ensuing damage to your company’s reputation. It is especially important to safeguard donor/customer/ and employee data: names, addresses, date of birth, phone numbers, social security numbers, bank account information, and much more. By law, companies have to report data breaches. Since January of this year, there have been over 100 data breaches in Massachusetts alone. Hackers often use “phishing” schemes where they trick workers to unknowingly reveal a password or download malicious software. The data thieves are not necessarily going after money – it is more likely that they are going after data.

How do businesses (and individuals) protect themselves? You can protect yourself from outside threats by installing very robust next generation firewalls. You also need to install very strong internal controls. You need to have access to data controls, both physical (locked doors, file cabinets) and logical. Logical Access involves authentication controls to ensure that persons logging into the system, are who they say they are. The best way to do this is to combine two or more types of authentication: username, password, code number, secret questions, biometrics, etc. You also need to restrict access to data based on job requirements, separation of duties, and by adopting the principle of least privilege: if you don’t need access to it, you don’t get it, and if you do need access to it, you only get access for the time you need it. Having strong passwords which are complex and are changed on a regular basis is very important.

Next, you need to have a 100% reliable back-up system. You need to back-up your hard drives, networks, software programs, everything. Back-ups need to be on-site or remote and either by tape, disk, or in the cloud. If you get hit with malware or ransomware, you will either need to pay the hackers to restore your system or you can completely flush the system and restore it with your backup. You need to have a formal plan for doing periodic restore tests and validations. Keep in mind that most hackers can get into any system, given enough time and money.

Finally, you need to educate your employees and users of your system to recognize threats to the system, to avoid letting those threats in (by not clicking on or opening suspicious emails and attachments), and by reporting suspicious activity to your system administrator or help desk. Education and training of users is your last line of defense. Also, you can create an incident response plan, periodically review your MA Data Privacy Written Information Security Plan, and run vulnerability scans on your network.

A summary of the keys steps to protected your IT system and prevent data breaches are as follows: 1) Defend the perimeter with a next generation firewall; 2) control access to your system with authorization controls; 3) have strong and complex passwords; 4) keep your software up to date; 5) secure your data with strong reliable back-up and recovery plans; 6) train you users and make them aware of potential threats; 7) train your staff to be aware of spear phishing and ransomware; and 8) report incidents to your administrator or help desk.


The presentation can be found here: KPM_InfoSecurity_03-30-2017-1

March 2015: Assessing IT Risk and Mitigation

March 2015 Meeting:

Assessing IT Risk and Mitigation

Russell Greenwald, Vice President and Director, Technology Consulting Practice at Insource Services, Inc. gave a presentation that outlined areas of possible risk in your organization in relation to databases, files, email, computer network, and personnel. He also covered how to rate the risks, prioritize them and determine next steps.  Russell has been consulting with nonprofits, for-profits, and technology companies for the past 14 years. Read More

Maximize your Online Donation System

May 2014 Meeting: Maximize your Online Donation System

Russell Greenwald, Vice President and Director of Insource’s Technology Consulting Practice, shared his experiences with online donation systems with those in attendance. Through demonstrations and process review, he showed the group how to attract more donors, save staff time, and gather better metrics. Russell serves as CIO for many of Insource’s Technology clients and is backed by a talented team of staff and partners and has been with Insource for the past 13 years.

Read More

January 2014 Meeting

Sneakerware:  Best Financial Systems Integration Strategy for Nonprofits?

David Orlinoff, founder and principal of Concord Financial Organization (CFO), which provides interim financial management and related consulting services, primarily to nonprofits, gave a brief presentation and led a discussion on the on the integration or non-integration of financial systems and what it means for your agency. David has over 35 years of experience as a financial executive and has served about 60 nonprofits as a consultant or interim chief financial officer. He is also the board president of Third Sector New England and a member of the Audit Committee of United Way.

Read More

November 2013 Meeting

Financial Controls in an Electronic Age – Tips and Warnings

Nonprofits are continually pushed to do more with less. Technology has helped nonprofits keep up with these demands as it has enabled processes and procedures that create increased efficiency and effectiveness. However, the day-to-day processing of invoices and managing of receipts and authorizations in this digital environment require controls to limit risk when so much is easily reproducible, editable, etc. Chris Bertoncini, Director of Financial Consulting Practice, and Karen Hagerty, Senior Consultant, Financial Consulting Practice, at Insource Services Inc., presented some practices that Insource uses in its work acting as the finance and accounting department for numerous nonprofit organizations, as well as some best practices that Insource staff has observed at both nonprofit organizations and for profit companies.

Read More