Download - Assessing Your security
What We’ll Cover Today
• Imperfect Security
• Assessing Your Risk
• Common Risky Practices
• What Do You Do if You Experience a Data Breach?
• Establishing Policies for Your Organization
A False Sense of Security
Some are overwhelmed. Others are just gambling that their number won’t come up.
Neither Will Your Nonprofit Status
Data thieves are usually pros—they don’t care who their target is. If they can steal valuable information, they will.
Small Nonprofits Are Attractive Targets
• Fewer resources
• Limited IT security
• Not likely to notice an attack until much later
It’s a Process
To understand the risks and your comfort with them, you need to carry out a thorough assessment of your data.
Inventory Your Data
Make a list on sticky notes and group them by where the data is stored (e.g., case management system).
Classify Your Information
• Confidentiality: Data that can’t be exposed.
• Integrity: Data you can’t lose.
• Availability: Data you can’t lose access to for any period of time.
If you have data that’s not very high in any of these categories, then it’s likely not essential to your organization.
Consider the Risks
Think through:
• What could happen to your data?
• How likely is it to happen?
• How bad would it be if something happened?
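The three slides above describe one procedure: inventory the data, group it by where it is stored, rate each item on confidentiality, integrity and availability, and then rate how likely something is to happen and how bad it would be. The following script is an added example (not part of the original deck) that carries that procedure through on a constructed, hypothetical inventory. The three-level scale, the "likelihood times impact" score and the "essential means high in at least one category" rule are assumptions made here to turn the slide questions into something that can be computed and sorted.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Rating scale for every question (assumed here; the slides give no scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class DataAsset:
    """One 'sticky note' from the data inventory."""
    name: str
    location: str          # where the data is stored (the grouping key)
    confidentiality: str   # data that can't be exposed
    integrity: str         # data you can't lose
    availability: str      # data you can't lose access to
    likelihood: str        # how likely is it that something happens?
    impact: str            # how bad would it be?

    def is_essential(self) -> bool:
        # Slide rule: not very high in any category -> likely not essential.
        return "high" in (self.confidentiality, self.integrity, self.availability)

    def risk_score(self) -> int:
        # Likelihood x impact on the 1..3 scale gives a 1..9 score.
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def by_location(inventory: list[DataAsset]) -> dict[str, list[str]]:
    """Group the sticky notes by storage location, as the slide suggests."""
    groups: dict[str, list[str]] = defaultdict(list)
    for asset in inventory:
        groups[asset.location].append(asset.name)
    return dict(groups)


def essential_assets(inventory: list[DataAsset]) -> list[str]:
    """Names of assets rated high in at least one of C, I or A."""
    return [asset.name for asset in inventory if asset.is_essential()]


def prioritize(inventory: list[DataAsset]) -> list[tuple[str, int]]:
    """Assets ordered from highest to lowest risk score (ties broken by name)."""
    ranked = sorted(inventory, key=lambda a: (-a.risk_score(), a.name))
    return [(asset.name, asset.risk_score()) for asset in ranked]


# Constructed sample inventory for a small nonprofit (hypothetical values).
INVENTORY = [
    DataAsset("Client case files", "case management system",
              "high", "high", "high", "medium", "high"),
    DataAsset("Donor list", "CRM",
              "high", "medium", "medium", "medium", "high"),
    DataAsset("Staff laptop inventory", "shared drive",
              "medium", "low", "low", "low", "low"),
    DataAsset("Payroll records", "payroll provider",
              "high", "high", "medium", "low", "high"),
    DataAsset("Event photos", "shared drive",
              "low", "low", "low", "low", "low"),
]


if __name__ == "__main__":
    for location, names in by_location(INVENTORY).items():
        print(f"{location}: {', '.join(names)}")
    print("Essential:", essential_assets(INVENTORY))
    for name, score in prioritize(INVENTORY):
        print(f"{score}  {name}")
```

Running it prints the inventory grouped by storage location, the assets that count as essential, and the list ordered by risk score, which is the order in which the committee discussed later in the deck would spend its time.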
You Can’t Control Access
• A personal device may have additional users.
• Terminated employees are likely to still have organizational information after leaving.
What Can You Do?
• Provide virus and malware software.
• Establish software licensing policies.
• Provide devices for work, if possible.
• Mobile Device Management exists, but is expensive.
Bad Habits
• Sharing passwords.
• Reusing passwords.
• Not changing default passwords.
• Writing passwords on post-it notes.
• Trying to keep it too simple.
What Can You Do?
• Implement password management software such as OneLogin.
• Require dual-factor authentication.
• Establish password creation policies.
• Provide training.
What Can You Do?
• Use business-grade Cloud storage and set controls that limit access to your data.
• Add-on services such as BetterCloud can also give you deeper audit and policy controls.
Data Needs to Be in a Safe Place
If you have to store it physically, take your backup off site.
The Cloud is a great option for backup.
Think Beyond Backup
It’s just one of many business continuity challenges. What will you do if the data is unavailable for a period of time or you experience a data breach?
What Can You Do?
• Regularly schedule backups.
• Create incident response, business continuity, and disaster recovery plans—and test them!
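The backup slides make three points: keep a copy somewhere other than the live system, run backups on a schedule, and test them. The script below is an added example (not from the deck or from Idealware or RoundTable) showing the test half of that advice: it archives a folder, verifies the archive by restoring it to a scratch directory and comparing file hashes against the source, and keeps only the newest N copies. The folder names, the number of copies kept and the sample files are all constructed here; in practice the `backups` directory would sit on off-site or cloud storage.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path


def _file_hashes(root: Path) -> dict:
    """SHA-256 of every file under root, keyed by relative path."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def create_backup(source_dir: Path, backup_dir: Path) -> Path:
    """Write a timestamped tar.gz of source_dir into backup_dir."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S-%f")
    archive = backup_dir / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname="data")
    return archive


def verify_backup(archive: Path, source_dir: Path) -> bool:
    """Restore the archive to a scratch directory and compare it to the source.

    Returns False if the archive is unreadable or its contents differ."""
    try:
        with tempfile.TemporaryDirectory() as tmp:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    # The 'data' filter refuses absolute paths and '..' entries;
                    # fall back for Python versions that predate it.
                    tar.extractall(tmp, filter="data")
                except TypeError:
                    tar.extractall(tmp)
            return _file_hashes(Path(tmp) / "data") == _file_hashes(source_dir)
    except (tarfile.TarError, OSError, EOFError):
        return False


def prune_old_backups(backup_dir: Path, keep: int) -> list:
    """Delete all but the newest `keep` archives; return the ones that remain."""
    archives = sorted(backup_dir.glob("backup-*.tar.gz"))  # timestamp sorts lexically
    for old in archives[:-keep]:
        old.unlink()
    return archives[-keep:]


def run_demo() -> dict:
    """Exercise the cycle on constructed sample files and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "src"
        (src / "sub").mkdir(parents=True)
        (src / "notes.txt").write_text("grant notes")        # constructed sample data
        (src / "sub" / "clients.csv").write_text("id,name\n1,A")
        backups = Path(d) / "backups"

        first = create_backup(src, backups)
        first_ok = verify_backup(first, src)

        # The source changes: the old archive must now fail verification.
        (src / "notes.txt").write_text("grant notes, revised")
        after_change_ok = verify_backup(first, src)

        second = create_backup(src, backups)
        third = create_backup(src, backups)
        remaining = prune_old_backups(backups, keep=2)

        # A damaged archive must be reported, not silently trusted.
        third.write_bytes(b"not a tar archive")
        corrupt_ok = verify_backup(third, src)

        return {
            "first_verified": first_ok,
            "after_change_verified": after_change_ok,
            "second_verified": verify_backup(second, src),
            "kept": len(remaining),
            "oldest_removed": not first.exists(),
            "corrupt_verified": corrupt_ok,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of `verify_backup` is that a backup nobody has restored is an assumption, not a plan; scheduling this check alongside the backup itself turns "test them!" into something that runs without anyone remembering to do it.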
DIY Downloads Don’t Happen
It’s inconvenient, so people are likely to skip downloading patches and updates.
Out of Date Software
Hackers keep up to date on security holes and are always looking for opportunities to exploit them.
What Can You Do?
• Establish patch management procedures.
• Manage software installations.
• Perform regular tune-ups.
What Can You Do?
• Take basic office security measures.
• Lock computers to desks.
• Institute a check-out policy for shared devices and keep them locked away.
What Can You Do?
• Make sure your network is protected by a firewall and a password.
• Avoid working in unsecured environments.
Awareness Can Prevent Many Incidents
People want to do the right thing, but they often don’t know what that is or why it’s important.
What Can You Do?
• Regularly provide short training sessions.
• Incorporate security issues/discussions in existing meetings.
Form a Committee
A diverse committee can help you see risk from multiple angles and come up with smart ways to deal with those risks.
What Will Prevent a Breach?
Think of all the ways a breach might occur. Write rules that govern activities such as how to create and handle passwords or how files can be stored and shared.
How Will You Respond if a Breach Occurs?
Map out a response plan that includes steps and roles for data recovery, business continuity, and communications.
BYOD?
Write clear usage guidelines for things such as what security software needs to be installed and whether your organization provides IT support.
Policy Making Is Iterative
You’ll need to review your rules and update them periodically to make sure they’re addressing your needs.
Policy Examples
Go to http://bit.ly/SecurityPolicyExamples to find examples and templates that you can use as your starting point.
Additional Resources
Idealware and RoundTable Technology have many resources that can help you better secure your technology and data.
• What Nonprofits Need to Know About Security: A Practical Guide to Managing Risk (Idealware)
• Incident Report Form (RoundTable)
• Backup, Data Recovery, and Business Continuity Primer (RoundTable)
• Information Identification and Classification Template (RoundTable)