Protecting Your Nonprofit from Cyber Attacks
Last week, Forum One hosted a panel discussion in Washington, DC focused on nonprofit data security. Data security is a critical issue for nonprofits. In 2015 alone, hackers gained access to more than one hundred million personal records stored by organizations from Anthem Health Insurance to the U.S. Office of Personnel Management. With cyber criminals relentlessly targeting organizations of all sizes in the private and public sectors, it is clear that nonprofits are also not safe from the threat of data breaches.
My own personal and professional interest in this topic of data security stems from a few perspectives. In my role at Forum One, I’m often encouraging our clients to better collect data, use it to inform decision making, and responsibly share it so others can be educated and inspired. We offer an ongoing support practice for clients, and a critical part of our offering is security patching of client websites and hosting environments. And while the issue of data security becomes more and more important for nonprofits, it can be a challenge to get decision makers to allocate budget for this work.
Recently, I’ve had conversations with nonprofit staff who know data security policies and practices are important and are increasingly being demanded by large funders, but they don’t really know where to begin. This is where the idea for our panel discussion first came about, and from it we were able to sift through some of the major buckets, and how they fit into a nonprofit’s data security strategy.
Our panelists for the discussion – Alix Dunn of The Engine Room, Jamie Tomasello of Access Now, and Seamus Tuohy of Internews – gave some excellent insight into the topic, and based on the event and subsequent conversations, we came away with the following tips on why and how nonprofits should start thinking about data security.
Tip 1: If you don’t think you are a “data” organization, surprise, you are!
Numerous organizations don’t recognize that they work with data on a daily basis, and many consumers agree that people have lost control of when and how data is collected. In reality, most organizations’ basic functions involve the handling of data. Whether you are a human rights defender who uses an app to alert your contacts when you get arrested, a network of investigative reporters that uses the cloud to report on political scandal, or an organization matching data sets to effectively report on the number of deaths occurring in a refugee crisis, you use data, and responsible data should matter to you.
Tip 2: Being careless with your data collection and security practices can harm your organization’s reputation and potentially put people at risk
Defined at the 2014 Budapest Forum, “responsible data” is the duty to ensure people’s consent, privacy, security and ownership around the information processes of collection, analysis, storage, presentation and reuse of data, while respecting the values of transparency and openness. It is often assumed that we agree on what harms are associated with irresponsible data, but this isn’t always the case. It is important to recognize what counts as a risk. Some obvious forms of harm include:
- instances when an individual’s identity and personal information are released intentionally, leaving that person vulnerable to cyber attacks;
- data collection occurring in a discriminatory or disempowering way; or,
- instances when information is unintentionally released but the same harms occur as a result.
Not only are responsible data practices beneficial to the communities that organizations serve, they also protect and promote the mission and reputation of these organizations. Being irresponsible with data can undermine your organization’s reputation and effectiveness. An organization’s reputation can also be damaged simply if it is perceived to misrepresent or mishandle the data and private information of the communities it represents. As Alix mentioned, “Data is people,” and it’s important to keep in mind that data represents the communities for which your organization is advocating.
Tip 3: Consider your data policies by looking at the entire lifecycle of a project
When determining your organization’s data management habits and practices, it is important to outline the steps of each project’s lifecycle. The lifecycle starts with project planning and considering all the questions you want to answer before starting data collection, such as why you are collecting data in the first place and which types of data are the focus of your search. Listing out the questions you need to consider before collecting data is a step that is often overlooked.
Next, think about the type of data your organization actually needs, so that you avoid collecting data arbitrarily and wasting time and resources. Figure out the dynamics of informed consent that are at play, including consent to collect data and the future intended uses for this data. As part of consent, it’s vital to determine how data will be stored and how the data will be shared with other organizations.
Finally, it is important to consider the data “afterlife,” or what your organization will do with the information after the end of a project and when it is no longer needed, i.e., how it will be destroyed, stored, etc.
Tip 4: Don’t start your focus with threats – start with implementing best practices
In the news, you often hear about nonprofits getting hit by run-of-the-mill cyber crimes. In many of these instances, banks or insurance companies do not cover some nonprofits for losses occurring as a result of nonprofits not following specific protocols. As a result, organizations tend to focus on the individual threats facing them rather than on an overall approach to addressing them. When determining your nonprofit’s strategy to combat cyber attacks, the most effective approach is implementing best practices in house. Your organization should never start by focusing on defining specific cyber harms and how to tackle each on an individual basis, but rather should establish a cybersecurity model based on what practices are already working.
Tip 5: Ask for funding
Effective practices and training to protect project data can potentially come at an extra cost, so it is important to ask about cybersecurity funding when applying for grants. Know what your funder wants and how to budget for it in your project outline. Think about how to approach your funders with questions about data protection funding, keeping in mind the key points that resonate with these decision makers, which may not necessarily be the same points that resonate with your organization.
For example, from a business perspective, your organization may obtain more funding by conveying how training for data handling will protect the clients you are serving and ensure programmatic outcomes. As cybersecurity practices are becoming more standardized, more discussions are occurring to develop funding principles and policies regarding data security.
The tips above are intended to get you started on a path to understanding data security and how to plan for it within your organization or program. It’s important to note that even as nonprofits become more savvy with respect to responsible data policies and practices, cyber criminals and others who seek to do harm to your organization and/or your constituents will also adapt in their search for holes to exploit. The sooner you can begin to implement data security best practices, the better prepared you’ll be to counter these threats.