Information is the lifeblood of any organization, whether that organization is a nonprofit or not. For example, a nonprofit might have a large donor database with mailing addresses, email addresses and phone numbers for all of their constituents. What would happen to this organization if that information became compromised? The last thing your organization wants is to have to explain to your donors why and how their personal information was compromised.
In 2006, personal information (including Social Security Numbers) for 26.5 million veterans became compromised because an analyst for the U.S. Department of Veterans Affairs violated procedure by taking home the information which was stored on a laptop (as reported by cnet).
In late 2012, 3.6 million individuals’ SSNs and personal information including credit card numbers were stolen from the South Carolina Department of Revenue because of shoddy security.
But this can’t happen to us, we’re a small nonprofit!
An Idaho non-profit hospice has been fined $50,000 for losing a laptop containing unencrypted data on 441 patients. -Threatpost.com
There has already been over 110 confirmed data breaches in 2013 as of March 19, exposing over 855,000 individuals’ personal information – many of these breaches coming from nonprofits, including a farmers market! (Data obtained from Identity Theft Resource Center’s daily report.)
Major security incidents occur on almost a daily basis, and all organizations – government, corporations and nonprofits – must take this reality extremely seriously.
Organizations are communicating with constituents and colleagues constantly, and communication has only gotten easier due to the ever evolving nature of email and social media. This underscores the importance of a good policy surrounding how an organization’s sensitive data is handled.
Two of the reason organizations would want to be careful with their data include:
- To protect the privacy, identity, and intent of employees within the organization
- To protect sensitive internal organization information
The second reason listed above is usually more of a concern for corporations in order to protect their trade secrets, patents, client & vendor information, and more. However, nonprofits should always make an effort to secure internal data, such as donor information.
In this post, we will tackle just a few ways in which you and your organization can securely communicate over the internet and keep your important data safe.
Don’t use personal email for organization communication
If this is not against your organization policies, then your organization needs to change its policies. Many people wouldn’t think twice about using personal email addresses for official organization communication. The key here is using a domain name other than your organization’s. “firstname.lastname@example.org” isn’t a personal email address, while “email@example.com” is.
There are several reasons why this is a bad idea:
- If an employee leaves an organization, then the organization has no way of recovering any data from that employee’s email address. If the employee, using a personal email address, was the only person in the organization who communicated with key vendors or constituents, then the organization will have lost extremely important data.
- It is unprofessional. Your brand is important. Allowing employees to use their personal email addresses for organization-related communication could likely cause confusion on the part of the recipient. This is not an obvious security concern. However, people outside your nonprofit organization might not trust the information contained in the email because it came from a personal address.
- A personal email address is likely much more vulnerable to hacking attempts than an organization email address. In the example email address above, Bob likely has registered several personal user accounts on several different websites using firstname.lastname@example.org. An attacker would possibly be able to hack into Bob’s email address. If that happened, then the attacker would have access to all emails Bob sent and received from that account – including communication meant for your organization, if Bob used his personal address for organization communication.
Domains can cost anywhere between $10 – $30 a year (they are cheap). Email addresses are not expensive either. Do yourself (and your organization) a favor, and separate all organization communication from personal communication.
Never email passwords, SSNs, or other sensitive information
Just because you have to enter a username and password to login to your email does not mean your email is safe! Email is actually notoriously insecure. Not only could an attacker attempt to guess (or find, by some other means) your email address password, but it is not uncommon for an attacker to compromise the connection to your email server, or compromise the email server itself.
- Traffic flowing over the internet is normally, by definition, insecure. Even HTTPS communication (as opposed to normal HTTP communication) has been found to have vulnerabilities. If an attacker could gain access to any part of the path between your computer and your email server, then the attacker could potentially “sniff” the packets (information) sent between the two.
- The same scenario is true between your mail server and the receiving party’s mail server, as well as the receiving party’s mail server and the person receiving the email.
- As discussed previously, there is always the potential that an email address could become compromised. A hacker could gain access to your organization email address OR to the receiving party’s email address, thereby gaining access to any information sent or received. If an email contained a password, social security number, or credit card number, then the attacker would have access to all of this information.
Use another means of communication for sensitive information, such as phone. Never email passwords or other sensitive data.
Use data encryption
The previous two points addressed secure communication over the internet. But what about the data that stays on your local computer? That must be safe, right?
It has been said that the only truly secure computer is one that is turned off, disconnected from the internet, and buried in concrete. While this is obviously not practical, there are things you can do to protect the data stored on your computer, one of which includes data encryption.
Encrypting your data encapsulates the data on your hard drive in a way that prevents it from being read of the computer (such as a laptop) is ever lost or stolen. You can encrypt just particular files or folders, or you could choose to encrypt your entire hard drive. Then, when you try to access the encrypted data, you are presented with a password (which must be kept secure, obviously) which decrypts the data and allows you to access it.
One popular open source (free) data encryption program that supports both full-disk encryption (Microsoft Windows only) and particular files and folders is TrueCrypt. [Note: At the time this blog post was published, TrueCrypt was a respected encryption utility. The project has closed, and this software is no longer considered by the original maintainers as secure.]
In summary, there are many security vulnerabilities related to any type of computing (including storing your data and communicating with other people over the internet). However, there are also ways you can protect yourself and your organization’s data. The most important step is to be informed of what’s possible and how vulnerable your data really is.
I have only outlined three ways in which you can protect this data. But there are many other possible ways to protect yourself, including email encryption, using antivirus, keeping Windows up to-date, and using common sense.