Beyond compliance to protection
In a time when information flows faster than ever before, robust data security has become paramount, especially for organisations in the not-for-profit sector. For not-for-profits working in humanitarian and crisis response, protecting sensitive data is not just a matter of compliance; it is a matter of trust, safety and operational effectiveness.
A wake-up call
Unlike for-profit entities, many not-for-profits operate with limited resources, and they often prioritise service delivery over back-office work such as learning and implementing technology tools, systems and cybersecurity measures.
This leaves them exposed to threats. I observed this as I moved from corporate America to the not-for-profit sector, and the same exchange recurred in my conversations with the non-profits I advised:
- Is there information within your possession that could endanger individuals or organisations if mishandled? Yes.
- Could there be severe repercussions if such data were compromised? Undoubtedly.
- Are you confident that your data is safeguarded the very best it can be? (pause) No.
- Are you aware of the extent of systems in use? Vaguely, no more than a small handful.
- Do you know who has access to your systems and the strength of your passwords? Not quite; we operate on a small scale, sharing credentials and favouring simplicity over complexity.
Each discussion wrapped with a misplaced reassurance: “We’re utilising cloud services; surely, they must be secure.”
What we discovered
Each instance revealed an alarming reality. Many operations depended on over 20 disparate cloud services and products, with little to no oversight of the digital inventory, usage patterns or the risks involved. Passwords were trivial and shared. Furthermore, individuals were still accessing systems years after their access should have been revoked.
Debunking the Myths
- Cloud Fallacy: Cloud services are not inherently secure. The provider secures the underlying infrastructure; the customer remains responsible for how the service is configured, who has access, how strong their credentials are and what data is put there.
- Sector Standards: Just because others in the sector may not prioritise security, you are not excused from doing the right thing.
- Operational Priorities: Being busy is not an excuse for neglecting critical risks. A temporary outage is sometimes preferable to stolen data.
What could be at risk for your organisation?
Not-for-profits, particularly those in humanitarian and crisis response, handle a great deal of sensitive information. The consequences of a data breach in this sector are severe and varied: the safety of vulnerable populations can be compromised, critical services disrupted and the credibility of the organisation damaged. In regions of conflict, for instance, the exposure of personal data can put lives at risk by making it easier for malicious actors to target individuals and communities. Furthermore, donors and partners expect their contributions to be managed with the highest level of integrity and security. A breach erodes that trust and can lead to a decline in support.
Building a culture of security
To combat threats, not-for-profits must foster a culture of security. This starts with recognising the importance of data protection and allocating resources accordingly. Here are some critical steps organisations can take:
- Take Inventory: If you don't know what you have, you cannot protect it. Start by identifying the products and systems you use, who accesses them, what information they hold and the associated risks. Then streamline the inventory to what you really need, retiring what you don't.
- Invest in Technology: Modern safeguards are essential. These include firewalls, encryption of data at rest and in transit, Multi-Factor Authentication (MFA) wherever it is offered, secure cloud storage and communication channels (e.g. a VPN for remote access), and regular software updates.
- Staff and User Training: Regular training so that staff can recognise phishing attempts, secure their devices and follow best practice is key.
- Policy Development: Establish clear policies for data handling, access control, file and system backups, and an incident response plan. Ensure policies are documented and regularly reviewed.
- Third Party Audits or Health Checks: Regular security audits by external experts identify vulnerabilities and recommend improvements, mitigating risks before they become incidents. Ask your board to source an expert volunteer, and work your own rolodex. You will know someone who understands this and has time to help.
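As an added illustration of the inventory and access review described above (this is example code written for this page, not a tool the author or any organisation uses), the script below reads a small inventory of systems and accounts and flags the problems found in practice: accounts that should have been revoked, accounts nobody has used in months, shared credentials and accounts without MFA, plus systems that appear unused and are candidates for retirement. The column layout and the sample rows are constructed assumptions about what a small organisation would record when it takes stock; the 90-day staleness window is likewise an assumed threshold.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory (not real data). One row per system/account pair.
# "shared" marks a credential used by more than one person; "still_needs_access"
# is the answer the account owner or their manager gave during the review.
SAMPLE_INVENTORY_CSV = """system,account,owner,shared,mfa,last_login,still_needs_access
Donor CRM,finance@example.org,Finance team,yes,no,2024-05-02,yes
Donor CRM,j.doe@example.org,J. Doe,no,yes,2024-06-20,yes
Case management,field-ops@example.org,Field team,yes,no,2024-06-18,yes
Case management,former.volunteer@example.org,R. Smith,no,no,2022-01-15,no
Shared drive,admin@example.org,IT volunteer,no,yes,2024-06-25,yes
Mailing list tool,comms@example.org,Comms,no,no,2023-11-03,yes
"""


def _yes(value):
    return value.strip().lower() == "yes"


def load_inventory(csv_text):
    """Parse the inventory CSV into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "system": row["system"].strip(),
            "account": row["account"].strip(),
            "owner": row["owner"].strip(),
            "shared": _yes(row["shared"]),
            "mfa": _yes(row["mfa"]),
            "last_login": date.fromisoformat(row["last_login"].strip()),
            "still_needs_access": _yes(row["still_needs_access"]),
        })
    return rows


def review_inventory(rows, today_iso, stale_days=90):
    """Return (system, account, issue) tuples for every problem found.

    today_iso is an ISO date string so the review is reproducible; stale_days is
    an assumed threshold after which an unused account should be questioned.
    """
    cutoff = date.fromisoformat(today_iso) - timedelta(days=stale_days)
    findings = []
    for r in rows:
        key = (r["system"], r["account"])
        if not r["still_needs_access"]:
            findings.append(key + ("access no longer needed: revoke",))
        elif r["last_login"] < cutoff:
            findings.append(key + (f"no login in {stale_days}+ days: confirm still needed or revoke",))
        if r["shared"]:
            findings.append(key + ("shared credential: issue individual accounts",))
        if not r["mfa"]:
            findings.append(key + ("MFA not enabled",))
    return findings


def unused_systems(rows, today_iso, stale_days=90):
    """Systems where no account that still needs access has logged in recently.

    These are the candidates for retirement when streamlining the inventory.
    """
    cutoff = date.fromisoformat(today_iso) - timedelta(days=stale_days)
    active = {r["system"] for r in rows
              if r["still_needs_access"] and r["last_login"] >= cutoff}
    return sorted({r["system"] for r in rows} - active)


def summarise(rows, findings):
    """Headline numbers for a board or health-check report."""
    return {
        "systems": len({r["system"] for r in rows}),
        "accounts": len(rows),
        "findings": len(findings),
    }


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_INVENTORY_CSV)
    found = review_inventory(inventory, "2024-07-01")
    print(summarise(inventory, found))
    for system, account, issue in found:
        print(f"{system:18} {account:32} {issue}")
    print("candidates for retirement:", unused_systems(inventory, "2024-07-01"))
```

Run against a real export, the findings list becomes the work queue for the access review, and the retirement candidates feed the "reduce what you don't need" step. Keep the review date fixed in the report so that two reviews a quarter apart can be compared.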
A global consideration
Organisations in regions with established data-protection law, such as Europe under GDPR, may already be familiar with these practices, but security laws and regulations change, and they differ between the jurisdictions a humanitarian organisation works across. Staying informed and adaptable is imperative to safeguard those we serve and the trust they place in us.
Conclusion
In the humanitarian and crisis response space, the need for data security cannot be overstated. It is not just a matter of compliance but an integral part of maintaining the trust, safety and protection of the people and causes we aim to serve.
By prioritising data security and building a culture of vigilance, not-for-profits can protect their operations, their staff, their reputation, and most importantly those they support.
The journey towards robust security is ongoing. So, take a deep breath, start with the basics and seek help as you need it.