Data and security breaches are only becoming more common. In the past few years, Equifax admitted that 147 million of its accounts had been exposed, and Marriott reported that the data of roughly 500 million guests had been compromised — and that’s only to name a few. Philanthropy is not immune to these attacks. After all, grantmaking organizations regularly distribute large sums of capital and manage valuable data.
As funders continue to adopt SaaS solutions in order to better collaborate, expand impact investing methodologies and streamline grants management processes, organizations across the philanthropic sector are wrestling with the need to secure themselves against the risk of threat actors. Even more concerning, many smaller foundations and nonprofits do not have dedicated IT staffs, CIOs or CTOs to manage their network infrastructure.
The industry is experiencing a textbook case of growing pains. The world needs effective and impactful philanthropy now. But as philanthropy adopts new solutions and works faster — and as more young billionaires and tech titans enter the space, bringing with them fresh perspectives — this progress will need to be met with prudent protections.
With that in mind, I wanted to share some key best practices and tips for securing any organization. These processes will help you protect your teams, funds and data.
Train And Test Your End Users
As we’ve seen time and time again, your weakest link is often the individual user. That’s why it’s imperative that every member of your staff understands the ramifications of a security breach. Make sure that anybody who can connect to your network is educated in identifying phishing and spear-phishing scams, as well as other types of cyber fraud, and knows how to recognize a threat when one appears.
I recommend that your organization invest in having either your security or IT team (or an outside agent) spontaneously test employees to spot human weakness. These tests should be random and unannounced so that employee reactions are as natural as possible. I’ve found that these tests, in combination with an annual required training course for all employees, are the best way to protect against your organization’s weakest link — the individual user.
Require Multifactor Authentication
Two-factor authentication (2FA) or multifactor authentication (MFA) is the process of requiring an additional verification step, beyond the password, from anyone logging into your site. If you’ve ever had to enter a code that was texted to your mobile device in order to finish logging into a site, then you’ve encountered MFA.
The main challenge you may experience when adopting MFA is initial employee resistance. Users may express frustration over the new process. However, once you’ve taken the time to explain the value of MFA to your team, that resistance should ideally turn into an appreciation for the process.
If Possible, Invest In Penetration Testing
Penetration testing (pen testing) is the process of testing your system through “white hat” hacking and simulated phishing attempts in the hopes of discovering vulnerabilities for yourself before other, more nefarious, actors do. An ethical hacker can perform these tests manually, or they can be run with automated tools. Either way, pen tests should be performed annually so that your organization learns about potential weaknesses.
Pen tests can be costly and are likely a more viable option for large organizations. It’s also important to note that your SaaS platform may be conducting its own pen tests and may not allow you to conduct your own. Reach out to your tech provider to learn more about its pen test practices.
Invest In A Firewall Or Intrusion Detection System
Firewalls and intrusion detection systems (IDS) are not the same. Firewalls act as a defensive wall at the edge of your network, filtering traffic from outside sources and keeping threat actors from getting inside. Intrusion detection systems monitor for unwelcome activity both inside and outside your organization, so they can flag a threat that has already made it past the perimeter.
I predict that in the coming years, more organizations will invest in both firewalls and intrusion detection systems in order to keep their networks secure. These practices are especially important for philanthropy, an industry made up of individuals who wish to help others and provide good to the world. These people are at high risk of inadvertently letting a threat actor into a system when someone asks them for help.
Set Up A VPN
Due to COVID-19, more employees are working from home than ever before, meaning a virtual private network (VPN) has quickly become one of the most effective ways to maintain your organization’s online privacy.
A VPN extends your network and connects all remote devices to your organization’s private network over an encrypted tunnel. It spares you the risk of exposing your work over public Wi-Fi if, for example, an employee decides to use the free Wi-Fi in a public space. Tom’s Guide has a roundup of the best business VPN software available, and each of the organizations listed provides helpful tutorials on how to set up your VPN.
Be Prepared To Wipe
Lastly, in the event that an employee’s device is lost or stolen, you should be prepared to protect, manage and remotely wipe the device. If your team uses Apple devices, Jamf is one good solution for this.
Talk To Your Tech Providers
If you don’t ask, you won’t know. It’s important to reach out to your tech provider and learn about its security requirements. Ask whether your provider offers IP whitelisting, conducts pen tests, provides IDS, has set up a VPN, uses encryption at rest and offers MFA.
It’s critical that you understand your security options and that you know what steps you can take to protect yourself and your team. Don’t wait until you experience a breach to act. Protect, educate and train your employees — you will be glad you did.