By Dan Yurman
For many nonprofits the need to secure the computer systems they use presents both a conceptual barrier as well as a technical one. Groups think they may need an expensive specialist and often feel that "it can't happen to them."
Both of these assumptions are wrong. Most steps that organizations need to take in order to protect their online assets do not require a lot of technical skill. What is needed is management attention, persistence, and attention to detail. Here's a list of some of the more common-sense moves even a small group can make that have good payoffs in terms of protecting digital assets.
A lot of these actions can be taken relatively quickly and without special expertise. This isn't a complete list, but there is a resource at the end with more tips.
Location – Do not put key organizational information, including personnel, financial, and client or member records, on the same computer system as the web site.
Have a contractor host the website separately so that the public face of the organization on the Internet isn't a doorway to that organization's internal operations. Your website is the first thing that will be attacked, so make sure whoever hosts it has a verifiable track record of protecting their clients from efforts to upend your online presence.
Check with your accountant about the firm's security measures since tax information will include things like social security numbers, payroll, checking accounts, investments, and health care benefits.
Passwords – Don't use proper names, place names, or birthday dates for passwords. Use strong passwords that combine upper and lower case, numbers, and special characters. Do not allow staff to use the same password for all systems. Do not store passwords online.
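The password rules above can be enforced at the moment a staff member picks a password rather than left to memory. The following checker is an added example written for this article, not a tool from the author; the blocked-word list, the minimum length of 12 and the "used elsewhere" set are assumptions that a real deployment would fill from its own staff roster, place names and existing-password inventory. It also catches common substitutions such as "B0st0n" for "boston", which the article's advice implies but does not spell out.

```python
import re

# Assumption: a short, constructed blocklist of proper names, place names and
# organization words. A deployment would build this from its own staff names,
# locations and a public common-password list.
BLOCKED_WORDS = {"daniel", "yurman", "boston", "chicago", "password", "welcome", "nonprofit"}

# Assumption: the organization's minimum length; the article gives none.
MIN_LENGTH = 12

# Undo the usual letter-for-digit substitutions so "B0st0n" still matches "boston".
_DESUBSTITUTE = str.maketrans("01345@$", "oleasas")


def looks_like_date(pw: str) -> bool:
    """Flag a plausible year (1900-2099) anywhere in a run of four or more digits,
    which covers birthdays written as 1985, 03151985, 19850315 and similar."""
    for run in re.findall(r"\d{4,}", pw):
        for i in range(len(run) - 3):
            if 1900 <= int(run[i:i + 4]) <= 2099:
                return True
    return False


def check_password(pw: str, used_elsewhere=()) -> list:
    """Return a list of policy violations; an empty list means the password passes.
    `used_elsewhere` is the set of passwords already in use on other systems,
    so the same password cannot be reused across them."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")

    lowered = pw.lower()
    normalised = lowered.translate(_DESUBSTITUTE)
    for word in sorted(BLOCKED_WORDS):
        if word in lowered or word in normalised:
            problems.append(f"contains blocked word '{word}'")
            break

    if looks_like_date(pw):
        problems.append("contains a year or date")
    if pw in used_elsewhere:
        problems.append("reused on another system")
    return problems


if __name__ == "__main__":
    for candidate in ("Boston1985!", "Password2024!", "correct-Horse-battery-7stapl3"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The check runs entirely offline, so it can sit in an onboarding script or an intranet form; the point is that every rule in the tip becomes a concrete, testable condition instead of a reminder people forget.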
Protection - Use a firewall and virus checker for all computers. Set them to automatically update and budget to renew subscriptions for security software. You cannot allow it to get out of date.
Permission - Define who is authorized to access what data. For instance, how many employees need access beyond email, calendar, and timecards in addition to personal productivity software like word processing and spreadsheets? Keep a list of who has access to sensitive information such as payroll, taxes, personnel, and other information that needs to remain private.
Many groups rely on volunteers to get work done. Do you know which ones have access, or had access at one time, to your most important data? Do they still need it?
When an employee leaves the organization, delete their passwords as part of the checkout process. Immediately revoke all passwords for any employee who is fired for cause or for any employee or volunteer who quits as part of a dispute.
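The three paragraphs above describe one recurring procedure: keep a register of who can reach sensitive data, ask whether volunteers still need what they were once given, and revoke access when someone leaves. The script below is an added example of that review, written for this article rather than taken from it; the roster, the systems, the grant lists and the choice of which systems count as sensitive are all constructed assumptions. It reconciles a list of accounts on each system against the staff and volunteer roster and reports exactly the cases the article asks about.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Assumption: which systems hold the private information the article lists.
SENSITIVE_SYSTEMS = {"payroll", "taxes", "personnel", "donor_records"}


@dataclass(frozen=True)
class Person:
    user: str
    role: str                       # "employee" or "volunteer"
    left_on: Optional[date] = None  # None while still with the organization


# Constructed roster and access grants for the example.
ROSTER: Dict[str, Person] = {
    "alice": Person("alice", "employee"),
    "bob": Person("bob", "employee", left_on=date(2024, 3, 15)),
    "carol": Person("carol", "volunteer"),
    "dave": Person("dave", "volunteer", left_on=date(2023, 11, 1)),
}

GRANTS: Dict[str, Set[str]] = {
    "email": {"alice", "bob", "carol", "dave"},
    "payroll": {"alice", "bob"},
    "donor_records": {"alice", "carol", "dave", "tmpuser"},
    "shared_drive": {"alice", "carol"},
}


def review_access(roster: Dict[str, Person], grants: Dict[str, Set[str]],
                  today: date) -> List[Tuple[str, str, str]]:
    """Return (system, user, reason) findings for accounts that should be
    revoked or re-justified: unknown accounts, departed people, and volunteers
    holding sensitive access."""
    findings = []
    for system, users in sorted(grants.items()):
        sensitive = system in SENSITIVE_SYSTEMS
        for user in sorted(users):
            person = roster.get(user)
            if person is None:
                findings.append((system, user, "account not on roster"))
            elif person.left_on is not None:
                days = (today - person.left_on).days
                findings.append((system, user, f"left {days} days ago; revoke"))
            elif sensitive and person.role == "volunteer":
                findings.append((system, user,
                                 "volunteer holds sensitive access; confirm still needed"))
    return findings


def sensitive_access_register(roster: Dict[str, Person],
                              grants: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """The 'list of who has access to sensitive information' the article asks
    you to keep: current people only, per sensitive system."""
    register = {}
    for system in sorted(SENSITIVE_SYSTEMS & set(grants)):
        register[system] = sorted(
            u for u in grants[system] if u in roster and roster[u].left_on is None)
    return register


if __name__ == "__main__":
    for finding in review_access(ROSTER, GRANTS, date(2024, 4, 1)):
        print("REVIEW:", *finding)
    print("Register:", sensitive_access_register(ROSTER, GRANTS))
```

Run it monthly, or as part of the checkout process, with the real grant lists exported from each system; the "left N days ago" figure makes it obvious when offboarding has been missed, and the register is the document an auditor or insurer will ask to see.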
Backup – Hire a service to backup software and data on a daily basis and store it in encrypted form offsite. This can be done over the Internet with a subscription service for desktops and laptops, and with a commercial service for larger systems like finance, personnel, membership, etc.
Travel - Do not allow sensitive electronic information to leave the premises on laptops or USB sticks. Instead, use commercial VPN software to support telecommuting. If employees use laptops on travel, buy a whole disk encryption software license to install it on all of them.
WiFi – Have two networks at your facility. The first is open, and insecure, for visitors. The second is secure and only for use by employees, contractors, consultants, etc. Make sure the security features of the WiFi equipment are fully implemented and get help if you need it. Do not use the public WiFi for the organization's business operations.
Public WiFi in coffee shops, airports, and hotels is not secure and should not be used to access important sites like online banking, credit cards, etc. Hackers haunt these networks with sophisticated electronic "sniffing" tools to snatch online IDs and passwords for the purpose of identity theft. This means your online time should be used cautiously in these places.
If you are traveling alone, do not walk away from your laptop for even a few seconds as that's all it takes for a thief to grab it and disappear into the crowd. When going through airport security, keep an eye on your laptop at all times.
Phones – All cell phones need to have "lock" features and an "app" (application) that allows them to be tracked down if lost, and wiped remotely if stolen. Most cell carriers offer a free backup service for contacts and there are plenty of "apps" to backup other data.
Social media – If your group has a Facebook page, do not wander away from managing it to play with links, even from "friends," that pique your curiosity but have nothing to do with the business of running the site. Don't click on links in Twitter messages sent to you from people you do not know. Educate your employees how to recognize online scams that seek to get someone to send them login information.
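Recognizing a scam link is the skill the tip above asks you to teach, and the warning signs can be written down as checks. The checker below is an added example for this article, not the author's tool; the list of domains the organization owns and the sample message are constructed assumptions. It parses the links in a message and flags the patterns used in login-harvesting scams: visible text that names one site while the link goes to another, a brand name planted inside a domain the organization does not own, links to a raw IP address, and links that are not HTTPS.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains this organization legitimately uses. A deployment
# would load these from configuration.
KNOWN_DOMAINS = {"example-nonprofit.org", "facebook.com", "twitter.com"}
BRAND_LABELS = {d.split(".")[0] for d in KNOWN_DOMAINS}

# Constructed sample message, in the shape of a scam notice.
SAMPLE_MESSAGE = """
<p>Your page will be suspended. <a href="http://facebook.com.security-check.example/login">Verify your account</a></p>
<p>Donate at <a href="https://example-nonprofit.org/donate">example-nonprofit.org/donate</a></p>
<p>Or here: <a href="http://203.0.113.7/reset">https://twitter.com/reset</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name ("login.facebook.com" -> "facebook.com").
    Good enough for the demonstration; a public-suffix list handles co.uk etc."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _host_of(text: str):
    """Host named by the visible link text if it looks like a URL or domain, else None."""
    bare = text.split("://")[-1]
    if not re.fullmatch(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/.*)?", bare):
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def suspicious_links(html: str):
    """Return [(href, [reasons])] for links that show at least one warning sign."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme != "https":
            reasons.append("not https")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("link goes to a raw IP address")
        shown = _host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"visible text says {shown} but link goes to {host}")
        for label in sorted(BRAND_LABELS):
            if label in host and registrable_domain(host) not in KNOWN_DOMAINS:
                reasons.append(f"'{label}' appears in a domain we do not own")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_MESSAGE):
        print(href, "->", "; ".join(reasons))
```

The same four checks work as a classroom exercise: show staff the message, have them hover over each link, and compare their verdict with the script's output. The donation link passes because its text and its destination agree and the domain is one the organization owns.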
Get physical – Employ a reputable security firm to install intrusion, fire, and water alarms connected to a monitoring center. Physical theft of computers is also a threat. Water or fire damage can destroy your organization's ability to conduct business, which is why you need backups.
Insurance – Cyber risks are not covered by standard liability, property, or casualty insurance. You can buy coverage that deals with privacy violations, business interruption, and other forms of cyber threats. Make sure you are covered.
For more information check the United States government Computer Emergency Readiness Team http://www.us-cert.gov/cas/tips/ for comprehensive guidance.
Dan Yurman is a consultant to energy industry firms for online information services. https://sites.google.com/site/djysrv/