Internet Security and Mobile Security: 10 steps to peace of mind for nonprofits
Guest author: Allan Jacks, vCISO, Morefield Communications
Nonprofits juggling limited resources know that internet security is essential, but many neglect it out of fear, intimidation, or simply exhaustion at the daunting and seemingly endless task.
The following are 10 tips to help your organization stay safe.
1. Just because you don’t look, it doesn’t mean everything is fine
In the age of heightened risks, fewer companies are looking into their systems, and those that do aren’t looking deeply enough. Disregarding what’s lurking in servers and software instills a false sense of security and minimizes the urgency to take action.
The first step to stronger security is working up the nerve to look. Chances are good that employees bring “anything and everything” to company systems, ranging from pet photos to Xbox games.
2. Eat the elephant one bite at a time
There is room for improvement in every company, but where do you begin?
Start with assessing risk and determining your highest priority. Ask: “If something happens today, what’s my biggest exposure?” For example, consider the impact on your operations if your volunteer management system were to go offline.
Any movement in the right direction is progress. Remember that the effort could take years, and it will require HR, risk management, the CFO, and the CEO to stay on target in order to minimize risk.
3. Get to the why
Many people view security as a matter of checking compliance boxes, but regulations and standards are there for a reason. While an IT manager can restore disrupted systems and inaccessible documents, knowing why those systems need anti-virus protections and backup files can help prevent significant disruption when a disaster occurs.
4. Think before you click: Lessons from ILOVEYOU
The ILOVEYOU computer worm spread via email in May 2000, targeting company emails. It arrived as an attachment that, when opened, overwrote files and sent itself to all contacts in the email address book, resulting in widespread damage.
In one instance, an IT manager, intrigued by a message from a longstanding colleague, turned out to be among those who opened the email and exposed the company to compromise.
Make sure employees know to stop and think before clicking on a mysterious link. If you’re unsure, call the sender first to make sure it’s legitimate.
5. Just because you can, doesn’t mean you should
Effective risk management requires proper delegation and prioritization of tasks. For example, if an employee is promoted from IT staff to management but continues performing their old tasks, it hinders the organization’s security efforts because they neglect their new role. Proper delegation ensures that everyone focuses on their specific duties, which is essential for minimizing risks and enhancing security.
6. Nobody bares their britches in a Zoom meeting
Virtual meetings are utilitarian but not revelatory. Participants aren’t likely to openly disclose their challenges and mistakes. It’s essential to get into the field and talk to people directly. If something has happened, it’s best to discover it sooner than later.
7. Someone always assumes the risk
Organizations have a choice to mitigate or transfer risk. Someone within the organization or board makes the decision that deems the level of risk acceptable.
Mitigation may involve diligent use of strong passwords, allowing the organization to focus on higher-level security measures. Transferring risk could entail moving non-personally identifiable data onto the cloud.
Nonprofits face risks particularly when handling sensitive donor information or financial data. It is essential to implement robust security measures, even with limited resources.
Documenting risk assumption ensures accountability, regulatory compliance, and protects a nonprofit's reputation. It promotes transparency and trust among stakeholders and donors.
8. There is no magic bullet
In internet and mobile security, every day is Zero Day. Today's policies, processes, documents, and standards won’t protect against tomorrow’s threats. Someone will click a link or install a piece of openly available software, creating risk. As a fundamental step, use password managers with “break glass” functions to create and safely store random passwords while retaining the ability to retrieve them if an emergency leaves someone out of action.
9. Practice makes perfect
Have an incident response plan in place and test it with tabletop exercises. More importantly, document the plan for access when needed.
For example, test your response plan in this scenario: An IT manager spills coffee on the server, electrocuting himself and disabling the server. Can your team reference your response plan to identify the immediate steps to ensure safety, restore operations, and document the incident for future reference?
Tabletop exercises like this are valuable reminders that having a knowledgeable staff is good, but key information needs to be accessible and documented.
10. Take a logical, methodical approach
In business, a system crash is disruptive but, except for certain organizations, not life-threatening. Take a logical approach to IT security and trim the worklist to a manageable level. Be proactive rather than reactive. Plan, document, and improve.
About the Author
Guest author, Allan Jacks is Virtual Chief Information Security Officer for Morefield Communications. He has worked in information technology and security for over 30 years and has a background in compliance. Allan can be reached at allan.jacks@morefield.com.