5 Tips for Protecting Employee Data

Originally published by TechSoup at https://blog.techsoup.org on August 5, 2020.

In today’s digital world, one of the most valuable assets a nonprofit has is data. The trouble is that this data is also valuable to bad actors who may harm your stakeholders or tarnish your reputation, and a breach can originate anywhere, at any time. In the 2019 IAPP-EY Annual Governance Report, 38 percent of organizations that must comply with GDPR reported a data breach in the previous year, a 42 percent increase from 2018.

TechSoup can help you kick-start a scalable solution to secure your data. Below are five tips to help get you started.

1. Define Your Core Privacy and Security Needs

Readiness levels (from the original post’s assessment graphic): Functional, Standardized, Optimized.

Now that you’ve measured your nonprofit’s level of data privacy and security readiness, it’s time to develop clear goals across your organization.

2. Unify Your File Management System

Consider creating an organizational chart of where data lives and who owns it to help you visualize your data management gaps. These can include

  • Discrepancies between individual departments or program areas — such as duplicate or inaccurate information
  • Insecure or unencrypted storage areas
  • Lack of knowledge about best practices for physical access and cybersecurity

Whether you are securing emails, documents, or devices, having a centralized core repository of employee-related data with real-time alerts can give your nonprofit peace of mind. Depending on your budget and organizational needs, you may add features to your existing human resources information system or build out a custom solution. You can further harden access with multi-factor authentication and client-side encryption, and improve auditability with time stamps, session recordings, and read receipts.

Curious about implementing these tools today? TechSoup has partnered with Okta to offer nonprofits a suite of identity management solutions. Learn how you may qualify for 25 free licenses and 50 percent off public training courses and more.

Whichever vendor you choose to unify your file management system, the advantage of these solutions is a central audit trail: you can see who accessed what and when, hold personnel accountable for mishandled data, and trace a possible leak to its source quickly.

3. Implement Role-Based Access Controls

As you begin investing in role-based access controls, check in with legal experts or in-house counsel to ensure that the technologies fulfill all compliance and regulatory requirements for your organization. And once these legal guidelines are in place, make sure you are taking steps to maintain a culture of data privacy and security.

Create accessible resource guides for volunteers, employees, program partners, and vendors: anyone who may need to access data. Depending on the sensitivity of the information, it may also help to generate real-time alerts and reports when data is accessed outside work hours, from an unexpected environment, or from an unexpected geographic location.
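As an added example (not part of the original TechSoup post), the following Python script shows the two mechanisms this section describes: a role-based permission check, and an audit pass over access events that flags use outside business hours, from an unexpected country, or from an unmanaged device. The roles, users, business-hours policy, allowed countries, and the log lines are all constructed for illustration and are not from any real system.

```python
from datetime import datetime

# Constructed role-to-permission map for a hypothetical small nonprofit.
ROLE_PERMISSIONS = {
    "hr_manager": {"employee_record:read", "employee_record:write", "payroll:read"},
    "finance": {"payroll:read", "donor_record:read"},
    "program_staff": {"client_record:read"},
    "volunteer": set(),  # volunteers get no access to personnel data by default
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"hr_manager"},
    "bob": {"program_staff"},
    "carol": {"finance"},
    "dave": {"volunteer"},
}

BUSINESS_HOURS = range(8, 18)   # assumed policy: 08:00 to 17:59, Monday to Friday
ALLOWED_COUNTRIES = {"US"}      # assumed: staff normally work from one country


def is_permitted(user, action):
    """RBAC check: the user must hold at least one role that grants the action."""
    roles = USER_ROLES.get(user, set())
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def flag_event(event):
    """Return the reasons an access event deserves attention (empty list = routine)."""
    reasons = []
    if not is_permitted(event["user"], event["action"]):
        reasons.append("denied: role lacks permission")
    ts = datetime.fromisoformat(event["ts"])
    if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if event["country"] not in ALLOWED_COUNTRIES:
        reasons.append(f"unexpected location {event['country']}")
    if event["device"] != "managed":
        reasons.append("unmanaged device")
    return reasons


def parse_line(line):
    """Parse one 'timestamp key=value ...' access-log line into a dict."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def review_log(text):
    """Run every log line through the checks and collect the events that were flagged."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reasons = flag_event(event)
        if reasons:
            alerts.append({"user": event["user"], "action": event["action"], "reasons": reasons})
    return alerts


# Constructed sample log: 2020-08-05 is a Wednesday, 2020-08-08 is a Saturday.
SAMPLE_LOG = """\
2020-08-05T09:15:00 user=alice action=employee_record:read country=US device=managed
2020-08-05T22:40:00 user=alice action=employee_record:write country=US device=managed
2020-08-05T10:05:00 user=bob action=payroll:read country=US device=managed
2020-08-08T11:00:00 user=carol action=donor_record:read country=RO device=personal
2020-08-05T14:30:00 user=dave action=client_record:read country=US device=managed
"""

if __name__ == "__main__":
    for alert in review_log(SAMPLE_LOG):
        print(f"{alert['user']:6} {alert['action']:24} {'; '.join(alert['reasons'])}")
```

Alice’s morning read on a managed device from the expected country produces no alert. Bob’s payroll read and Dave’s client-record read are denied outright because their roles do not grant those actions; that is the enforcement half. Carol’s Saturday access from an unmanaged device abroad is permitted by her role yet raises three alerts; that is the monitoring half, and it is exactly the kind of event the section suggests reporting on.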

In general, experts do not recommend using personal devices for work or sharing passwords and other credentials, and public Wi-Fi or other untrusted networks should be avoided. Any personnel accessing critical data should store work passwords in a reputable password manager, work on devices with full-disk encryption enabled, and sign in to email only from trusted devices and networks. You can refer to the Electronic Frontier Foundation or this handy guide from TechSoup for basic cybersecurity tips.

Finally, empowering employees and volunteers to maintain secure access to sensitive information should be coupled with a clear protocol for your vendors. A service agreement alone does not ensure a third party’s proper use and management of your data. Check in regularly, and especially when switching providers, confirm that data is securely transferred or disposed of when a contract ends. This way, you avoid exposing your data to disgruntled individuals or criminals.

4. Secure Personnel Turnover

While these handoff processes are usually seen as the purview of human resources, failing to secure them may put your data at risk of falling into the wrong hands. Start by documenting basic onboarding and offboarding checklists. Depending on the requirements set by the department director or manager, transfer a departing person’s files and account ownership to a designated individual or hold them in a secure location, and disable their accounts and revoke their credentials (including any shared passwords or keys they knew) on the day they leave. With identity providers such as Microsoft Active Directory Federation Services (AD FS) or Okta, you can automate much of this provisioning and deprovisioning.

Layer technology solutions and training with periodic testing across all departments and personnel types. For example, send a simulated phishing email to see who clicks and who reports it, or run a monthly quiz on basic cybersecurity terms.

As your organization grows, your needs will evolve. Today there are a variety of threat-management options, from endpoint detection and response (EDR) and intrusion detection software to managed detection and response (MDR) services staffed by security analysts around the clock.

In addition to educating your team, take measures to safeguard your most important information source: your donor database. You may be well aware that any system storing or processing card payments must meet PCI DSS requirements; many nonprofits are better served by a third-party payment processor so that card data never touches their own servers. Whatever solution you choose, limiting access to financial and personally identifiable information is critical.

While it may feel overwhelming to document a clear process for each data use case in your organization, the risk of operating without detection and response capabilities far outweighs the effort. In addition, there are a variety of resources available at TechSoup to help you develop consistent standards for protecting your data.

5. Create a Crisis Management Plan

To ensure that you protect the data of the communities you serve, invest in monitoring and vulnerability scanning that alerts your team in real time when a device or data store shows signs of compromise or unauthorized access, and have a process ready to notify the affected individuals.

Once alerts have been sent out, it’s time to craft restorative messaging to address the core needs of your stakeholders.

First, determine what types of information leaks and breaches your organization is liable for, and which regulators and individuals must be notified. With honest, accurate, and clear information, law enforcement and legal investigators will be better equipped to help you, and you reduce the chance of an untimely disclosure of sensitive details to the press, within your organization, or to the public.

Second, delineate a chain of command for communicating the breach to key personnel. You’ll also want to brief and train public-facing executives and spokespersons to maintain a consistent narrative and uphold your nonprofit’s reputation.

Finally, depending on the nature of your liabilities and responsibilities, it may be necessary to seek legal counsel, liability insurance, and other safeguards.

Never Trust, Always Verify

The rule of thumb in today’s highly distributed workforce is to trust no user and no device by default, and to verify every request for access. Many nonprofits collect data on individuals including clients, donors, volunteers, and staff members. The integrity of these relationships depends on how well you protect their information.

From facilitating charitable transactions to engineering solutions for the greater good, a solid data privacy and security program can ensure that your organization continues to safeguard the public trust and carries out its mission for years to come.
