Data Breaches: 6 Steps To A Nonprofit Being Less Vulnerable

The computer, tablet, or phone that you are reading this on might already be obsolete, as the old joke goes. Seemingly every week tech companies come out with new devices that are smaller and faster, with new bells and whistles. If the adage about the rapid development of technology is true, then the threats facing that technology must be evolving just as rapidly.

During their presentation at Venable LLP’s “The Top Privacy and Data Security Trends and Issues for Nonprofits in 2018” in Washington, D.C., Robert L. Waldman, partner and co-chair of Venable’s nonprofit organization practice; Kelly DeMarchis Bastide, partner in Venable’s eCommerce, privacy, and cybersecurity practice; and Joel Urbanowicz, director of information security and ICT process governance at Catholic Relief Services (CRS), discussed areas in which nonprofit leaders should be particularly cautious.

Here are six of the considerations the panelists suggested nonprofits be aware of:

  • Know where threats are coming from. Three-quarters of breaches come from outside the organization while 25 percent are internal. Slightly more than half (51 percent) of breaches involve malware while 62 percent have a hacking component and 81 percent feature a stolen or weak password;
  • Don’t have a goldfish’s memory. About one in 14 users were tricked into opening a phishing email, according to the Verizon Data Breach Investigation Report. One-quarter of those who have fallen for a phishing scam had been duped before;
  • Keep an eye on third-party vendors. Request a review of vendors’ security practices. If you learn that your network, or third-party software installed on the network, is vulnerable to a new threat, seek expert advice to correct the issue;
  • Come clean. A total of 48 states, plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, require organizations to provide notice to individuals whose personally identifiable information was involved in a data breach;
  • Follow best practices. Require strong passwords, control internal and external access, practice data minimization, and establish security protocols; and,
  • Think things through. Identify and locate sensitive information in your organization’s possession, securely store physical documents and devices, train employees in the basics, and keep evaluating security practices and threats.