Three Best Practices For Protecting Your Nonprofit’s Critical Data
Modern organizations are deeply dependent on their critical data and purpose-driven organizations are certainly no exception. Imagine if your donor database, accounting and financial data, or email disappeared one day. How well could your organization adapt? How long would it take for your organization to get back to business as usual?
In this post, we’ll guide you through three best practices to help keep your nonprofit’s critical data safe from cyber attacks.
Step 1: Take An Inventory
The first step to bolstering your cyber security is often overlooked: taking stock of your IT assets and critical data. You can't protect what you don't know exists. To make this process smoother, download our free inventory template in Microsoft Excel format, consisting of two tabs:
Software-as-a-Service (SaaS) Tab: List tools like Slack, Google Workspace, Microsoft 365, and Zoom, which your organization relies on for communication and productivity.
Hardware Tab: Record all desktops, laptops, and mobile devices used by your staff for business purposes.
To simplify the inventory, consider crowd-sourcing:
Share the template in a shared folder accessible to everyone in your organization.
Collaborate with IT-savvy colleagues and your IT service provider to complete the SaaS Service Inventory tab.
Pay extra attention to the "Critical?" column to identify resources housing your organization's crucial data. These are the services without which business could not continue, or at least not without significant disruption.
Ensure there's at least one entry for each staff member in the Hardware Inventory tab, considering company-issued devices.
Dedicate a brief staff meeting to explain the inventory document and what information needs to be added by the rest of the staff.
You can learn more about establishing an asset inventory in our dedicated blog post on the topic.
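Once the two tabs are filled in, it is worth running a couple of mechanical checks over them before moving on: which services are flagged critical, and whether every staff member actually has a device row. The script below is an added example (not the post's template or any RipRap tooling); it parses constructed sample tabs in CSV form, and the column names "Critical?", "Backup in place?" and "Assigned to", as well as the staff roster, are assumptions for the example. The "Backup in place?" column is an addition beyond the post's template so that the same check can feed Step 2.

```python
"""Sanity checks over a nonprofit IT inventory (added example, not the blog's template).

Mirrors the two-tab layout the post describes: a SaaS tab with a "Critical?" column
and a Hardware tab with one row per device. Column names are assumptions; the rows
below are constructed sample data.
"""
import csv
import io

# Constructed sample of the SaaS tab (assumed columns).
SAAS_TAB = """\
Service,Owner,Critical?,Backup in place?
Google Workspace,ops@example.org,Yes,No
Salesforce,dev@example.org,yes,Yes
Slack,ops@example.org,No,No
Zoom,ops@example.org,No,
QuickBooks Online,finance@example.org,Yes,
"""

# Constructed sample of the Hardware tab (assumed columns).
HARDWARE_TAB = """\
Device,Type,Assigned to
LAPTOP-001,Laptop,alice
LAPTOP-002,Laptop,bob
PHONE-001,Mobile,alice
"""

# Constructed staff roster, used to spot people missing from the hardware tab.
STAFF = ["alice", "bob", "carol"]


def _is_yes(value):
    """Treat Yes/Y/True (any case, surrounding spaces) as affirmative; blank is not."""
    return (value or "").strip().lower() in {"yes", "y", "true"}


def load_tab(text):
    """Parse one CSV tab into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def critical_services(saas_rows):
    """Names of services flagged in the 'Critical?' column."""
    return [r["Service"] for r in saas_rows if _is_yes(r.get("Critical?"))]


def critical_without_backup(saas_rows):
    """Critical services whose 'Backup in place?' cell is not affirmative (blank counts as no)."""
    return [r["Service"] for r in saas_rows
            if _is_yes(r.get("Critical?")) and not _is_yes(r.get("Backup in place?"))]


def staff_without_hardware(hardware_rows, staff):
    """Staff members with no device row at all."""
    assigned = {r["Assigned to"].strip().lower() for r in hardware_rows}
    return [s for s in staff if s.lower() not in assigned]


def inventory_report(saas_text=SAAS_TAB, hardware_text=HARDWARE_TAB, staff=STAFF):
    """Run all three checks and return the findings as a dict."""
    saas = load_tab(saas_text)
    hardware = load_tab(hardware_text)
    return {
        "critical": critical_services(saas),
        "critical_without_backup": critical_without_backup(saas),
        "staff_without_hardware": staff_without_hardware(hardware, staff),
    }


if __name__ == "__main__":
    for key, items in inventory_report().items():
        print(f"{key}: {items}")
```

Exporting the two tabs from Excel as CSV and pointing `load_tab` at them is enough to reuse the checks; the blank-means-no rule for the backup column is deliberate, since an unanswered cell on a critical service is exactly the gap the post asks you to find.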
Step 2: Establish Backups
Ransomware attacks are an extremely common scenario where having good backups is your best recovery strategy. All too often, we hear of an organization whose critical data is held for ransom by an attacker. The attacker encrypts the critical data with a key that only the attacker knows and waits for the victim organization to pay the ransom before unlocking the data.
We’ve responded to many ransomware incidents in our careers and there’s a definite trend: organizations with solid backup strategies are able to quickly and fully recover from a ransomware attack. Organizations without a solid, verified backup strategy often don’t recover from the attacks at all, due to loss of data, the cost of the ransom, or follow-on attacks.
If implemented correctly, a backup strategy means you can quickly recover from attacks or inadvertent mistakes that pose a threat to your organization. Here’s how to get started:
Go back to your inventory spreadsheet and review the list of critical services.
For each critical service, do some online research to understand whether that service is already backing up your data to a level you are comfortable with. Keep in mind that many services perform their own service-level backups that protect the provider against catastrophic failure but don’t provide customer-level backups you can restore from.
For the services that need a separate backup solution, do a bit of research. Use websites like G2 to look for reviews of backup services (for example, a G2 search for Salesforce backup solutions, or a search of Reddit posts on the same topic).
Make a short list of top-rated and well-liked backup services for each of your critical services. Read their documentation or talk to their sales representative to ensure that you can meet the recommendations we laid out in the backup best practices section.
Purchase a solution and work with the vendor to implement it. Many of these backup capabilities require little to no security know-how; some are as simple as logging in and authorizing access to your environment!
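The word that matters in "solid, verified backup strategy" is verified: a backup that has never been restored is a hope, not a plan. The script below is an added example, not code from the post or from any backup vendor; it backs up a constructed sample export, writes a SHA-256 manifest, and then runs the three checks a practitioner would schedule against any backup: file integrity against the manifest, freshness against a recovery point objective (RPO), and a restore drill that confirms the restored data matches the source. The file layout, the one-day RPO and the sample records are assumptions for the example; the same three checks apply whatever tool the vendor provides.

```python
"""Backup-and-verify drill for an exported dataset (added example, not from the post or any vendor).

Writes a backup of constructed sample records with a SHA-256 manifest, then verifies
integrity, freshness against a recovery point objective (RPO), and that a restore
reproduces the original data. Layout and RPO are assumptions for the example.
"""
import hashlib
import json
import os
import tempfile
import time

# Constructed sample export (think: a donor list); not real data.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Donor A", "total": 250.0},
    {"id": 2, "name": "Donor B", "total": 1200.0},
]
RPO_SECONDS = 24 * 3600  # assumed: a backup older than one day counts as stale


def _sha256(path):
    """Hash a file in chunks so large exports don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(records, backup_dir, now=None):
    """Write records to backup_dir plus a manifest holding per-file hashes and a timestamp."""
    os.makedirs(backup_dir, exist_ok=True)
    data_path = os.path.join(backup_dir, "records.json")
    with open(data_path, "w", encoding="utf-8") as f:
        json.dump(records, f, sort_keys=True)
    manifest = {"created": now if now is not None else time.time(),
                "files": {"records.json": _sha256(data_path)}}
    with open(os.path.join(backup_dir, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    return manifest


def verify_backup(backup_dir, expected_records, now=None, rpo=RPO_SECONDS):
    """Return a list of problems; an empty list means all three checks passed."""
    problems = []
    now = now if now is not None else time.time()
    with open(os.path.join(backup_dir, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    # 1. Integrity: every file still hashes to what the manifest recorded.
    for name, digest in manifest["files"].items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            problems.append(f"missing file: {name}")
        elif _sha256(path) != digest:
            problems.append(f"hash mismatch: {name}")
    # 2. Freshness: the backup is newer than the RPO.
    if now - manifest["created"] > rpo:
        problems.append("stale backup: older than RPO")
    # 3. Restore drill: reading the backup back yields the original records.
    if not problems:
        with open(os.path.join(backup_dir, "records.json"), encoding="utf-8") as f:
            restored = json.load(f)
        if restored != expected_records:
            problems.append("restore drill failed: data differs from source")
    return problems


def run_drill(tamper=False, age_seconds=0):
    """End to end: back up the sample, optionally corrupt or age it, then verify."""
    with tempfile.TemporaryDirectory() as d:
        created = 1_700_000_000.0  # fixed timestamp keeps the example deterministic
        make_backup(SAMPLE_RECORDS, d, now=created)
        if tamper:
            with open(os.path.join(d, "records.json"), "a", encoding="utf-8") as f:
                f.write("\n")  # simulate silent corruption of the backup file
        return verify_backup(d, SAMPLE_RECORDS, now=created + age_seconds)


if __name__ == "__main__":
    print("clean:", run_drill())
    print("tampered:", run_drill(tamper=True))
    print("stale:", run_drill(age_seconds=3 * 24 * 3600))
```

The restore drill is skipped once integrity or freshness has already failed, because a restore from a corrupt or stale copy tells you nothing useful; in practice the drill should restore into a scratch environment, never over the live data.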
Step 3: Implement A Secure Configuration
The unfortunate reality is that the vast majority of devices, software, and online services are not configured securely by default. This means that as soon as you open the box and turn on a new device or service, it may already have vulnerabilities that could be exploited by an attacker. Luckily, there are plenty of virtual buttons you can push and dials you can twist to improve the security configuration of your devices and software.
Time to put your IT Inventory to further use! Only a few SaaS services that we’ve come across have strong security default settings. The vast majority need a bit of tweaking to make them more secure. Luckily, most services publish documentation on how to do this. Here are some examples to get you started:
Google Workspace: “Security Checklist for Small Business (1-100 Users)”
Microsoft 365: “Top 10 Ways To Secure Your Data - Best Practices for Small and Medium-Sized Businesses”
Salesforce: “Security Health Check”
For other services hosting your organization's critical data that aren’t mentioned above, search that vendor’s online documentation or do a Google search for the name of the service and “security”. Most vendors make these secure configuration guides publicly accessible.
Read through these articles carefully before you start making changes. Some changes will be largely invisible to users, but others will require users to take some action. For example, before you make a configuration change to mandate multi-factor authentication (MFA), you’ll need to communicate with your staff about how they should set up MFA. If you skip this step, you risk disrupting business operations and damaging the trust in your security improvement efforts. You don’t want to leave your staff confused and unable to log in at the beginning of the workday!
Conclusion
We hope you found these best practices useful as you work to protect your organization's critical data. For more guidance on establishing cyber security best practices for your nonprofit, consider participating in RipRap Security’s free Cyber Security For Good training program.