The Next Frontier

April 15, 2009       David Lawson      

More than a decade ago, there was a very small bandwagon, in fact more of a quartet, which began advocating for online fundraising. A common refrain the quartet heard was: “We can’t do that; it’s not secure.” When the Software-as-a-Service model appeared the response was: “We can’t do that; it’s not secure.”

Those days now come to mind when one witnesses nonprofit leaders asserting: “We can’t keep constituent data on-site; it’s not secure.” After all of the talk of features, performance, and cost savings, the movement to having your data off-site is driven by one word — risk.

Risk is driving the adoption of off-site technology centers, now known as cloud computing. There are many advantages, and, admittedly, a few disadvantages, to cloud computing but you will ultimately embrace the concept for two reasons:

  • Security
  • Compliance

Many more reasons exist to adopt cloud computing, but the reason to do it now and not at some time in the future is the financial risk of inadequate security and non-compliance. Let’s look at examples that might be affecting you right now. Do you have an older version of a vendor’s donor management system? Have you ever stored credit card numbers in that system? If so, there is a good chance that data is not PCI compliant: PCI DSS requires a stored card number to be rendered unreadable (encrypted, truncated, tokenized or hashed) wherever it is kept, and older systems commonly wrote the full number into a plain text field. Worse, the number often ends up outside the designated field, in a notes column or a gift comment, where nobody thinks to look for it. If your system is ever hacked, you face hundreds of thousands, if not millions of dollars, in potential liability.

Has your organization installed all of the upgrades and security patches sent by your vendors? Which version of your vendors’ software are you on?

If your system were in the cloud, the vendor would not rely on you and your available time to upgrade or run a patch; it would just be done. If they did not upgrade your system, then you could sue them when you get sued by your donors and other constituents. An interesting side note is that vendors are realizing their potential liability for having sold organizations unsecured and non-compliant software, and this is one of the drivers pushing organizations toward the Software-as-a-Service model.

As for identity theft, you should visit the Privacy Rights Clearinghouse Web site to read the chronological listing of security breaches (http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP) involving personal information, such as Social Security numbers. You will immediately be struck by how many breaches have occurred at colleges and universities. When you then look at the major corporations on the same list, you realize that it is simply not possible for an organization of your size to make the investments necessary to secure your data on its own.

Since it became law in 2002, Sarbanes-Oxley has dramatically changed the way public companies manage and report their financial activities. The transparency that it brought to the public markets is coming to public charities, and with it will come a key provision of the law: organizations will have to warrant that the controls over their financial systems are effective. In the case of a public company, this means that the CEO and CFO have to sign off that those controls, and the systems behind them, are sound. Imagine for a moment that your president and CFO have to sign such a document, and that there are both financial and criminal penalties for false claims of compliance.

Keep in mind that just securing your primary donor management system is not enough. You have to identify all points of access across your organization. A study by the Ponemon Institute, whose mission is to advance responsible information management, revealed that 49 percent of data breaches involved a stolen laptop or other device.

The Ponemon Institute also studied the security of “unstructured data,” which includes documents and spreadsheets. This study showed that 91 percent of organizations lack a process for identifying data ownership, which means that organizations need to start figuring out who has what, and then ask why they have it and how secure it is.
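Before you can decide what to encrypt, move off-site or delete, you have to find the card numbers that are actually sitting in your systems, both in the field that was designed to hold them and in the notes fields, spreadsheets and exports where staff typed them by hand. The following is an added example that serves both the credit-card-field question earlier in this article and the unstructured-data problem just described; it is not code from the original article or from any vendor. It runs a cardholder-data discovery pass over a few constructed donor records (a hypothetical donor table plus some free-text notes), flags every field holding a Luhn-valid primary account number (PAN), and shows the two forms PCI DSS allows you to keep instead of the raw number: a truncated value (at most first six and last four digits) and a keyed hash whose key lives outside the database. The record layout, field names and sample values are all assumptions for illustration.

```python
"""Cardholder-data discovery over constructed sample records.

Added example, not from the original article. Record layout, field names
and sample values are invented for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# A PAN is 13 to 19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop us from matching a 16-digit slice of a longer digit run
# (e.g. an account number or a barcode).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real card number passes, most random digit
    runs (phone numbers, reference IDs) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digits-only PAN candidates found in a string."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """PCI DSS truncation: never show more than first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenise_pan(pan: str, key: bytes) -> dict:
    """What to store instead of the PAN. A plain SHA-256 of a 16-digit number
    is brute-forceable (the PAN space is small relative to hash throughput),
    so the hash is keyed with an HMAC secret that must be kept out of the
    database. The masked form is what staff see on screen."""
    return {
        "pan_hmac": hmac.new(key, pan.encode(), hashlib.sha256).hexdigest(),
        "pan_masked": mask_pan(pan),
    }


def scan_records(records: list[dict]) -> list[tuple[str, str, str]]:
    """Return (record_id, field_name, masked_pan) for every string field in
    every record that contains a PAN. Only the masked form is reported so the
    scan output itself is not a new copy of cardholder data."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            if field == "id" or not isinstance(value, str):
                continue
            for pan in find_pans(value):
                hits.append((rec["id"], field, mask_pan(pan)))
    return hits


# Constructed sample data. The card numbers are the standard Visa/Mastercard
# test numbers, not real accounts. Record D-1002 shows the usual problem: the
# card field is empty because someone typed the number into the notes.
SAMPLE_RECORDS = [
    {"id": "D-1001", "name": "A. Donor",
     "card_number": "4111 1111 1111 1111", "notes": "Annual fund"},
    {"id": "D-1002", "name": "B. Donor",
     "card_number": "", "notes": "Called in gift, card 5500-0000-0000-0004, exp 03/11"},
    {"id": "D-1003", "name": "C. Donor",
     "card_number": "", "notes": "Phone 614-555-0123, ref 1234567890123"},
]


def run_scan() -> list[tuple[str, str, str]]:
    return scan_records(SAMPLE_RECORDS)


if __name__ == "__main__":
    for rec_id, field, masked in run_scan():
        print(f"{rec_id}: PAN found in field '{field}': {masked}")
    # Example of the replacement value you would store for the first hit.
    print(tokenise_pan("4111111111111111", key=b"secret-kept-in-a-vault"))
```

The scan reports two hits: the designed-for-it `card_number` field on D-1001 and the free-text `notes` field on D-1002, while the phone number and 13-digit reference on D-1003 are rejected by length and by the Luhn check. Run the same `find_pans` over exported spreadsheets and document text and you have a first inventory of where cardholder data really lives; anything it finds that is not masked, tokenised or strongly encrypted is out of scope for "we don't store card numbers" and needs to be fixed or deleted before an assessor asks.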

This means that you can’t put all of your risk in the cloud, but when you put the majority of your technological assets off-site you can focus on the areas of vulnerability that cannot be outsourced, such as laptops, and make the investments in encryption and other security measures to make them as safe as possible.

If you are considering cloud computing it is critical that you evaluate the vendor to ensure that the vendor itself meets the standards you are trying to meet. The same Ponemon Institute survey that pointed out the vulnerability of laptops also showed that 16 percent of breaches involved a third party. This means that when evaluating a vendor there are two critical questions:

  • Has the vendor been through a SAS 70 (Statement on Auditing Standards No. 70) audit, and will they show you the report? A SAS 70 audit is an independent auditor’s examination of the controls over the vendor’s systems, including operational controls. Ask for a Type II report, not a Type I: a Type I only describes the controls as of a single date, while a Type II tests whether they actually operated over a period of time. Read the report’s scope and exceptions rather than treating its existence as a pass.
  • Is the vendor PCI DSS (Payment Card Industry Data Security Standard) compliant? To claim this, the vendor has to have the access, encryption, data storage, and operational controls the standard requires for cardholder data in place and validated. Ask for the current Attestation of Compliance and check that its scope covers the specific service that will hold your donors’ card data; compliance is assessed for a defined environment at a point in time, not for a company as a whole.

If you are still insistent that your organization has the capability and resources to keep all data secure and be in full compliance, think green, as in cash.

Colleges and universities in the University System of Ohio Virtualization Program are virtualizing approximately 3,500 IT servers and 75,000 desktop computers. The University System of Ohio estimates that power and cooling savings alone could amount to more than $10 million. NPT

David Lawson is the co-Founder of WorkingPhilanthropy.com, a company providing eLearning and expertise to the philanthropic community. His email is: dlawson@WorkingPhilanthropy.com