Nonprofit 411: 5 IT Risks Every Organization Should Be Aware Of

by Chris Ellingwood, BerryDunn

Technology: we all love it, and we all immerse ourselves in it in every facet of our daily lives. The emerging IT security risks below are not overly technical in nature, and you have likely heard of them before. In a strong economy and a changing business environment, knowing these risks will help nonprofits decide which controls they need as they implement new, high-demand technology and software that allows their organizations to thrive and grow.

1. Third-party Risk Management – It’s Still Your Fault

Every day, we rely on our business partners and vendors to make the work we do happen. Third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. At the end of the day, even if a data breach was the fault of a third party, you are still responsible for it. It is paramount that every organization (no matter its size) has a comprehensive vendor management program in place to defend itself against third-party risk.

2. Regulation and Privacy Laws – They are Coming

2018 saw the implementation of the European Union’s General Data Privacy Regulation (GDPR), the first major data privacy law imposed on any organization that possesses, handles, or has access to the personal information of any EU citizen. Enforcement has started, and the Information Commissioner’s Office has begun fining some of the world’s most famous companies. All organizations must be aware of and understand current laws and proposed legislation. The good news is that there are many resources available and, in most cases, legislative requirements allow for grace periods so that organizations can develop a complete understanding of proposed laws and implement the needed controls.

3. Data Management – Time to Cut Through the Jungle

We all work with people who have thousands of emails in their inbox (that date back several years in some cases). Those users’ biggest fears may start to come to fruition – that their organizational approach of not deleting anything may come to an end with a simple email and data retention policy. Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how that data is stored. Next, organizations should develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems.

4. Doing the Basics Right – Sometimes the Simple Things Work

Across industries and organization sizes, the one common factor we see is that basic IT security controls are not in place. Every organization, no matter its size, should work to ensure that it has these controls in place:

  • Established IT Security policies
  • Anti-virus/malware on all servers and workstations
  • System logging and monitoring
  • Employee security training

5. Employee Retention and Training

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. A culture of security needs to be created and fostered from the top down. Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure in the process.

Ensuring that you have a stable and established IT security program in place, built with the above risks in mind, will help your organization adapt to technology changes and create not just an IT security program but a culture of security-minded employees. Our team of security and control experts can help your organization create and implement the controls needed to address emerging IT risks. You may contact me at cellingwood@berrydunn.com for more information.