Nonprofit data protection is essential. Here is a list of simple steps everyone at your nonprofit can take to protect the data in your possession.
With GDPR coming into effect in the European Union and privacy scandals making headlines, many nonprofit professionals are concerned about data protection. The process can be intimidating! If you don’t have a technology or legal background, where do you start?
While the exact details of your organization’s security policy may differ based on your line of work and IT resources, there are some things that everyone can do to protect confidential information. These guidelines can also inform the development of your nonprofit’s security policy, if you do not have one already.
Here is a collection of tips to make nonprofit data protection easier:
2. Only access or knowingly attempt to access data that you are authorized to use as a part of your role and job responsibilities.
3. Safeguard all passwords, codes, badges, and physical keys assigned to you. Don’t share them or write them down. (See Tip #11.)
4. Protect confidential information by encrypting it, limiting access to it, minimizing the number of copies of it, and deleting the data when it is no longer needed. This goes for laptops as well as any servers or databases. If your organization limits the amount of data it retains by deleting it after a defined period, there’s less data that can be exposed in a data breach or security incident.
5. Always use systems in a professional manner and with good judgment.
6. Make sure that your laptop’s hard drive is encrypted, and use encrypted devices whenever possible to minimize the risk of a data breach. If you aren’t sure, work with your IT provider to review your encryption settings. Mozilla has instructions on how to encrypt your hard drive.
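One way to do the "if you aren't sure" check from this tip on a Linux laptop, as an added example that is not part of the original post: it walks the block-device chain beneath a mount point and reports whether any layer is a dm-crypt (LUKS) mapping. It assumes util-linux's findmnt and lsblk are installed; it does not detect filesystem-native encryption (fscrypt, ZFS) or macOS FileVault, so a "NOT encrypted" result on those systems still warrants a look at the settings.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the filesystem
# holding a mount point sits on an encrypted dm-crypt/LUKS block device.
# Assumes a Linux system with util-linux (findmnt, lsblk).

# Given the lsblk TYPE column for a device and its parents (one type per
# line, e.g. "lvm", "crypt", "part", "disk"), return 0 if any layer is a
# dm-crypt mapping and 1 otherwise.
chain_has_crypt() {
    printf '%s\n' "$1" | grep -qx 'crypt'
}

# Report whether the block device backing MOUNTPOINT (default "/") is
# encrypted. Prints a one-line verdict; returns 0 if encrypted, 1 if not,
# 2 if the device chain could not be inspected.
mount_is_encrypted() {
    mountpoint="${1:-/}"
    source="$(findmnt -no SOURCE "$mountpoint")" || return 2
    # btrfs reports "/dev/sda2[/@]"; strip the subvolume suffix for lsblk.
    source="${source%%\[*}"
    # -s walks from the filesystem device down through its parents
    # (LVM volume -> crypt mapping -> partition -> disk).
    types="$(lsblk -no TYPE -s "$source" 2>/dev/null)" || return 2
    if chain_has_crypt "$types"; then
        echo "$mountpoint: encrypted (dm-crypt layer present)"
        return 0
    fi
    echo "$mountpoint: NOT encrypted (no dm-crypt layer found)"
    return 1
}

# Usage: . ./disk-encryption-check.sh && mount_is_encrypted /
```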
7. Report security incidents, loss, or theft as soon as reasonably possible to the appropriate personnel in your organization.
8. Understand if you need to get permission from your manager or IT team to install new software on devices. Make sure any software you install will not compromise the security of your data.
9. Use antivirus software and keep it up to date. ClamAV is a popular open-source option. However, check with your IT provider first as you generally do not want to use two antivirus solutions since they can conflict with each other.
10. Lock your computer when you are not using it. This may mean turning on the screensaver with password lock if you’re in the office but away from your desk, or physically locking your computer using a secure cable if you are leaving for an extended period.
11. Use a password manager (like LastPass or 1Password) to create complex, dedicated passwords for each website or application that you use.
12. Change your password periodically in accordance with your policy. Many professionals recommend changing passwords every 90 days, or more frequently for systems with sensitive data.
13. Always use two-factor authentication whenever possible. Use security keys, RSA keys, or apps like Google Authenticator when available. Using SMS or text messaging for two-factor authentication is also possible, but is less secure than other means.
14. Use dedicated logins for each person whenever possible. Don’t use shared logins.
15. Back up critical data using whatever method is approved for your organization. Systems like Google Drive, Box, or Dropbox provide convenient, secure solutions for backup and file sharing.
16. Be aware of social engineering risks and train staff on how to avoid them. Social engineering is the art of manipulating people so they give up confidential information.
17. Ensure that you are properly disposing of used computers and IT equipment. Make sure that all data is securely wiped from devices before they are sold, donated, or recycled. DBAN is one popular open-source option to assist with this.