
Not-for-profits have numerous opportunities to leverage information technology (IT), from social media to cloud computing and beyond. For instance, Twitter provides a platform for a not-for-profit to live-tweet its annual general meeting. Cloud computing makes technology more scalable, accessible, affordable, and perhaps more secure if the not-for-profit lacks the required skills in-house. However, with these opportunities comes exposure to malware, privacy breaches and other risks.
Not-for-profits should implement essential IT controls, including the following, to mitigate IT risks:
- Governance: Boards are not expected to be IT experts but need to understand the organization’s IT environment and ensure that management implements the required internal controls. Fundamental questions include: what are the technologies in use; what are the risks; what is the IT budget and is it adequate in light of the risks? If the board lacks the expertise it must access the required skills through external consultants or other means.
- Employee training and awareness: The best technology is no match for employees who are not vigilant or who do not understand the risks of clicking on a malicious link, being conned into revealing confidential information to a scammer posing as the CEO (that is, through phishing or social engineering schemes), or using easily-guessed or default passwords.
- Backups: Back up critical data and systems frequently and store a copy offsite, unconnected to the network and inaccessible to users. Adequate backups help to ensure speedy recovery of systems and data in the event of a system crash or malware attack. Using cloud services for backups may be an option, but ensure that this does not contravene any privacy laws and contract terms which mandate that the organization must store data in Canada; service providers may store data overseas.
- Anti-virus, anti-malware and firewalls: Install or activate anti-malware or anti-virus software and firewalls, including Domain Name System (DNS) firewall solutions to prevent connections to malicious web domains.
- Access controls and strong passwords: Assign each user unique login credentials and forbid credential sharing. Grant each user only the minimum access to data and systems that they need to perform their jobs. Access restrictions and the resulting ability to track user activity will potentially limit the harm in the event of a security breach. Complement the assignment of unique login credentials with a password policy that sets out the requirements for passwords. Password policies may require passphrases instead of passwords and two-factor authentication. Two-factor authentication requires a combination of two of the following: something users know (for example a password or passphrase), something they are (for example a retina scan, fingerprint, or other biometric information) or something they have (for instance a token that generates a constantly changing code or a swipe card).
- Mobile device security: Do not overlook the security of mobile devices. Implement asset management policies to maintain control over mobile devices. Update apps and software and implement access controls and other security measures. An enterprise mobility management (EMM) solution may make it easier to administer mobile devices, for instance through audit and remote wiping functions.
Numerous other controls may be necessary, depending on the IT environment. For instance, entities with point-of-sale (POS) systems should follow the Payment Card Industry Data Security Standard (PCI DSS) for POS systems. Particularly if the organization uses social media, it needs a social media policy covering the appropriate use of social media, including standards for monitoring posts and controlling access to the entity’s official social media accounts. Entities cannot abdicate accountability for the safety and security of data which cloud service providers control. Due diligence can include requesting the cloud service provider’s audit report, for example, the American Institute of Certified Public Accountants’ (AICPA’s) Statement on Standards for Attestation Engagements (SSAE) 18 SOC 3 report, stating that the provider has achieved Trust Service Principles compliance.
Leverage IT safely. Protect systems and data by implementing controls, which in many cases are relatively inexpensive. For example, back up data regularly and offsite. Anti-virus software and firewalls are essentials. Training is the sine qua non—the best technology cannot perfectly compensate for employees who are poorly trained or have no cybersecurity awareness.
Boards may mandate participation in the federal government’s voluntary certification program, known as CyberSecure Canada (see www.ic.gc.ca/eic/site/137.nsf/eng/h_00000.html). Innovation, Science and Economic Development Canada offers the program, designed for small and medium-sized entities. Certification requires the implementation of thirteen baseline security controls and is a powerful signal to stakeholders that the organization and its board are committed to cybersecurity.

Log in to Not-for-Profit PolicyPro now, and go to NP 1.07 – Information Technology, for further guidance. Additionally, Information Technology PolicyPro has much more in-depth resources.