[BreachExchange] Nonprofit Data Breaches, Security Policies You Can’t Overlook

Audrey McNeil audrey at riskbasedsecurity.com
Wed Nov 22 20:02:16 EST 2017


http://www.thenonprofittimes.com/management-tips/nonprofit-data-breaches-security-policies-cant-overlook/

You’ve seen the headlines. Equifax had 143 million records hacked. Anthem
healthcare had 80 million records stolen. Utah Food Bank’s breach might
have exposed the financial records of more than 10,000 donors.

Sophisticated, high-profile hacks make the headlines, but for most
nonprofits, it’s the small stuff that leads to lost or stolen data. If
you’re writing or reviewing acceptable use or data security policies, there
are five things you absolutely need to do.

Password Guidelines: Every year “123456,” “qwerty,” and “password” rank
among the most commonly-used passwords. Your organization can’t afford to
let such weak passwords be the gateway to important donor or financial
data. Specifying a minimum length, special characters, and capitalization
are a good start. Many organizations are now using password management
software that can generate random passwords and store them in a system that
users can access using just one very strong password. Most of these
services also allow you to audit passwords and force users to change them
when necessary.

For people who chronically forget their passwords, like to reuse passwords
frequently, or too easily fall into the trap of using simple passwords,
password management can be incredibly helpful.
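As an added illustration (not part of the article or of any product it mentions), the following Python script shows what a minimal policy check of the kind described above looks like in code: it enforces a minimum length and character classes, rejects the commonly-used passwords the article names, and returns the list of accounts that would need a forced change. The 12-character minimum is an assumed value, since the article gives no number, and the three-entry deny list is a constructed sample standing in for a much larger list of known-weak passwords.

```python
import re

# Constructed sample deny list built from the commonly-used passwords named
# in the article; a real deployment would load a far larger list instead.
COMMON_PASSWORDS = {"123456", "qwerty", "password"}

# Assumed policy value: the article asks for "a minimum length" but gives none.
MIN_LENGTH = 12


def check_password(candidate: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the policy violations for a candidate password (empty list = passes)."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    # Also catch trivial variants such as "Password1!": compare case-insensitively
    # and with digits and symbols stripped, so padding a weak base word does not help.
    letters_only = re.sub(r"[^a-z]", "", candidate.lower())
    if candidate.lower() in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        problems.append("matches a commonly-used password")
    return problems


def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Apply the policy at enrollment or change time to a {user: candidate} map
    and return only the accounts whose candidate fails, with the reasons.
    (Constructed input; a real system checks candidates before storing a hash,
    never by reading back stored plaintext.)"""
    failures = {}
    for user, candidate in accounts.items():
        problems = check_password(candidate)
        if problems:
            failures[user] = problems
    return failures


if __name__ == "__main__":
    # Constructed sample accounts for a quick demonstration.
    sample = {
        "alice": "123456",
        "bob": "Password1!",
        "carol": "Corr3ct-Horse-Battery!",
    }
    for user, reasons in audit(sample).items():
        print(f"{user}: needs a new password ({'; '.join(reasons)})")
```

Run it to see that only `carol` passes; `alice` fails on every rule plus the deny list, and `bob` fails on length and is still caught as a variant of "password" despite the added digit and symbol.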

Bring Your Own Device (BYOD): Do you let staff members use their personal
phones or laptops for work? Be clear about which devices are appropriate,
when they should and shouldn’t use these devices, and the minimum security
standards you expect for each device. It can also be helpful to install
mobile device management software to ensure that sensitive data can be
scrubbed from the device if a staffer leaves or is terminated.

Hardware and Software Standards: Every nonprofit should have minimum
security standards in place that include firewalls, device encryption,
malware protection, processes for updating or patching software, and a data
backup schedule. Mapping your environment and following the standards
you’ve established will give hackers fewer ways into your data.

Social Engineering Training: Sometimes low-tech approaches are used to get at
an organization’s data. For example, someone might call the front desk
saying that a report was supposed to be sent and now the meeting’s about to
start. Amid the hurry and confusion, a staffer is likely to send off the
data without even stopping to think whether the caller should have had
access to the data.

Other scenarios include someone dropping into the office for a meeting and
being allowed to wander the halls or someone asking to use a password
because theirs isn’t working. Mapping out these scenarios and providing
clear guidelines for what to do can help reduce the risk that well-meaning
people will release data to the wrong people.

Incident Response and Disaster Recovery: What will you do if data gets lost
or stolen? Who will be on the response team and what roles will each person
take? How will you investigate the breach and recover the data? Spelling
out roles, responsibilities, and procedures will make a chaotic situation
more manageable and get you back to regular operations more quickly.