October 1, 2019 |
Data security breaches that affect big corporations make the news from time to time, but many people don’t know that smaller data breaches occur every day. The Breach Level Index, which tracks publicly disclosed breaches, reports that over 6 million data records are lost or stolen on a daily basis. Nonprofits aren’t excluded from the threat of a data security breach; in fact, a 2016 study revealed that 63% of nonprofits reported their organization had a breach within the last year.
These statistics are certainly concerning, however, there are preventative measures that you can take to strengthen your defenses. Here are five best practices your organization can implement to protect its data, staff, and supporters:
1. Implement two-factor authentication for accessing accounts
Two-factor authentication adds an additional layer of security, which makes gaining access to an account more difficult for a potential hacker. The additional layer could either be a security token or a biometric factor on top of a password or pin entry. While it might seem commonplace at this point, two-factor authentication is still the essential first step in protecting your data.
2. Use a password manager
With many passwords used across multiple accounts, memorization becomes a difficult task. Many people create weak passwords as a result. Using the same password for each platform might be convenient and seem like a good idea, but the password is as secure as the least secure website it’s being used on. If a hacker obtains one password, for instance, the username and password can be virtually tested everywhere using automated systems. A password manager essentially does the memorization for you. It stores the different passwords and enters them in at the login page after typing the master password into the password manager.
3. Implement security awareness training
Security awareness training educates users about the threats that exist and demonstrates how to prevent them. It also provides end users with the support and necessary tools to be able to identify and report suspicious email activity. Security awareness training reassures users that emails can be returned if they are deemed not malicious. An important part of this process is ensuring that users feel comfortable enough to report suspicious emails even if they are not 100% sure that they are an attack - erring on the side of safety and protecting the organization from risk of a breach.
4. Implement phishing-specific training and prevention
Roughly 90% of security breaches begin with a phishing link, so defending against security breaches inevitably begins with phishing-specific training and prevention.
There are technical methods you can use to prevent this type of attack, such as "detonating links." With this software, Microsoft will detect suspicious links in emails and launch a private virtual machine to test them. An automated process will see where the link directs, and will flag the email as malicious if it goes to a fake login page. Then, when a user clicks the link, it will redirect to a page that lets you know the link was deactivated because it was determined to be malicious. This process is part of what’s called the Advanced Threat Protection (ATP).
Even without ATP, phishing can be prevented by simply providing training to users. This might look like sending out phishing exercises to the staff to test and determine their awarness of potential threats. If a staff member clicks on a phishing link multiple times, they may need extrashar training to ensure that they’re able to successfully identify phishing attempts and report them.
5. Practice good computer hygiene
Practicing good computer hygiene consists of making sure all of your systems are patched, making your mobile devices are patched, and updating the software on your website—even your router at home. Without constantly updating and patching, you fall susceptible to a breach that has already been fixed. In the same way we should all practice good personal hygiene to prevent being sick and unsanitary, we should also make sure to practice good computer hygiene to protect accounts and data from security breaches.
These practices aren’t difficult to implement, but they make all the difference. With digital threats becoming more common and falling victim to them becoming more common as well, taking preventive measures will ensure you, your organization, and your supports are safe.
For more information, download our complete Nonprofit's Guide to Data Security.