Nov/Dec 2008

Security: An Investment Your Nonprofit Can't Afford Not to Make

by Holly Ross, Executive Director, NTEN

For many years, nonprofits have approached data security like insurance: You know you should have it, but if you can't afford the monthly payment, you do without. After all, data security won't help you serve more people. It won't help you grow your email list. It won't raise more money for your organization. Security is a luxury that cash- and time-strapped nonprofits can rarely afford.

The idea that you can forgo data security because it's unlikely that anything will happen to your data has two flaws. The first flaw is the notion that it's your data. It's not your data any more than the money you put into a savings account belongs to your bank. The data belongs to your stakeholders, who have trusted you to keep it safe. Forgetting, for the moment, that it's in your best business interest to secure it, you have a moral obligation to protect it. 

Which brings me to the second flaw: Increasingly, you have a legal obligation to protect it. Those of you who remember HIPAA know it's only the tip of the iceberg when it comes to data security mandates. Nevada recently passed a law requiring the encryption of all personally identifiable information transmitted electronically, the latest addition to a patchwork of existing state laws pertaining to data security. You may not be a Nevada nonprofit, but if you have any donors in Nevada, you will be held accountable for any transactions with them.

As the kinds of transactions we used to do face-to-face (and then on the phone) move online, regulations for how the transactions are conducted, and what happens to the data, will multiply. In response to these changes, nonprofit organizations can do one of two things: We can continue to pretend it's our data, and ignore it; or, we can recognize the opportunity to reinvent how we think about and implement data security in our organizations.

For those of us ready to embrace security, we need to prioritize a few things:

Automate what you can

There is a lot we can do to secure data through automation. Workstations need virus protection software. Networks need to be secured. Any application that stores data needs good password processes. These are the fundamentals of data security, and there are dozens of resources, including TechSoup Global's Healthy and Secure Computing initiative, that can help you map out exactly what you need to do. This important first step in security should keep bad guys from gaining access to your data.

Protect yourself from... yourself

While evil doers do pose some threat, it's often those with the best intentions who cause the biggest problems for nonprofits. The most likely source of a security breach is a member of your own staff. It's the stack of printed emails with credit card information left on the development intern's desk, or the laptop left in a cab, that poses the real threat.

We collect sensitive information about our clients and donors in a variety of situations. We need to understand all the ways in which we receive data — online and offline — and create standards for how we handle it. As Peter Campbell, IT Director of Earthjustice told me, "More encryption and firewalls are not the problem. That stuff is meaningless if your employees' habits are sloppy."

Transparency in crisis

Someday, the worst may happen: Your server will be hacked, or that Excel file of client information will be lost. If it does happen, then it's your responsibility to let the affected people know. You must communicate immediately with those people through every channel you have at your disposal. You need to make your staff available to answer any questions, deal with frustrations, or address fears. While a security breach will certainly upset your stakeholders, it's how you react to a security breach that will determine the course of your relationship in the future.

What do you have to protect by investing in data security? Certainly, your clients' privacy, your donors' finances. But ultimately, your investment in security protects your relationship with your stakeholders. It's an investment in the trust they place in you. And that's an investment you can't afford not to make.

Holly Ross has spent more than five years at NTEN, combing through all the technology fads and listening to the NTEN community to line up the webinars, conferences, and research that will help members use technology to make the world a better place. From ubiquitous access to technology leadership to social media trends, Holly brings the wisdom of the NTEN crowd to the nonprofit sector.