Nonprofit 411: Best Practices for Data Security with a Remote Workforce

By Dan Keleher, Executive Director, KPM Consulting

In response to the COVID-19 pandemic, many nonprofit organizations made significant changes to their operations, systems, controls and the way their employees were working. Many employees were moved to a remote environment for the first time, and as things changed rapidly, data security may not have received the attention it deserved. Now that the initial rush is over, and many nonprofits continue to operate remotely on a part- or full-time basis, this is the time to revisit whether these changes may have compromised your data security.

Remote Employees

  1. Be aware of phishing and social engineering schemes. Employees should remember to always check the sender’s email address, look twice before clicking any attachments, and, when in doubt, call or email (starting a new thread) the person they think sent the email to confirm that the request is legitimate.
  2. Encourage employees to revisit their password security. Consider using passphrases instead of shorter passwords. A passphrase is a phrase that is easy for the user to remember; complexity can then be added by capitalizing letters or adding numbers. Remember to use a unique password for each system you use.
  3. Remote employees should never use public wi-fi connections when working with sensitive data. Ideally, employees should use a VPN to access company systems. Multi-factor authentication is also highly recommended for validating access to the VPN.
  4. Employees should only use company-provided devices for work purposes. They should also consider physical security of these devices and documents. When not using a device, make sure you lock the screen. Additionally, consider collecting work documents and moving them out of sight when not in use.

New Technology

  1. In the initial rush of moving to a remote work environment, many employees installed new applications or software in order to assist with completing their jobs. Organizations are now faced with the question of whether these applications have all been properly vetted by the IT department. It is critical to make sure that IT reviews security controls and configurations for any tools that employees continue to use.
  2. Organizations should also ensure that employees have received adequate training on new technology. Security settings are not always intuitive and employees should be trained on how to prevent introducing security risks to the nonprofit.
  3. Were new controls adopted to address operational changes? If so, management needs to ensure that documentation has been updated accordingly so the nonprofit remains in compliance with any regulatory requirements.

Although your organization may be operating partially or fully remotely, it’s important to remember that the same data security processes and policies should be in effect as if you were working normally from the office. Cybercriminals look to exploit any weakness, so nonprofits must remain vigilant no matter the work environment. Following the guidelines above will help to ensure the security of one of your most important assets – your data.