In our current digital age, data risk is the new normal.

This was the foundation of yesterday’s Nonprofit Technology Conference (NTC16) session titled, “Seven Highly Risky Habits of Small to Medium-Sized Nonprofits.”

The presenters – Dan Rivas, Managing Writer at Idealware and Leon Wilson, Chief Technology and Information Officer at Cleveland Foundation – emphasized over and over: Nonprofits are vulnerable to data breaches. Your nonprofit status won’t protect you, and you should be concerned. You maintain financial information and sensitive personal donor data. And, you probably don’t have a big data security budget. Hackers know this.

The risks of not securing your data are many, and include:

  • Loss of trust
  • Reputational damage
  • Negative impact on donor, member, and volunteer retention
  • Financial liability
  • Fines from banks and regulators

Here are Rivas’ and Wilson’s seven risky habits, why nonprofits practice them, what the risks are, and how to mitigate these risks:

Habit #1: Using personal computers for work

Why do we do it?

  • Convenience
  • Cost savings
  • Staff preference (“I love my Mac. I don’t want a Windows-based machine.”)

What are the risks?

  • Outdated software – Unsupported operating systems, applications, and plug-ins are easier to infiltrate.
  • You can’t control who has access to your information.
  • Virus/malware risk – How do you know personal computers and devices have basic protections?
  • Software ownership.

How can we reduce risk?

  • Require minimum software standards.
  • Establish a strong password policy.
  • Provide employees with virus/malware protection software.
  • Establish software licensing policies.

Habit #2: Unmanaged personal mobile devices at work

Why do we do it?

  • Convenience
  • Anytime, anywhere information
  • Cost savings
  • Staff preference

What are the risks?

  • Data travels – Fifty-six percent of employees frequently store sensitive data on their personal devices.
  • Mobile devices can get stolen – “Apple picking” happens frequently in bars and restaurants. These phones cost hundreds of dollars and get stolen regularly. And, 37 percent of iPhone users don’t password protect their phones.
  • Terminated employees – It’s difficult to immediately remove data from mobile devices.
  • Devices are often shared.
  • More tech issues – IT staff members have to be more nimble and keep up with how mobile changes affect nonprofits.
  • Malicious apps and other attacks.

How can we reduce risk?

  • Have a strong password policy.
  • Encourage the use of anti-virus software.
  • Establish employee termination policies.
  • Establish and enforce a BYOD (bring your own device) policy.
  • Install mobile device management (MDM) software.

Habit #3: A lack of password management

Why do we do it?

  • Convenience – too many passwords to remember
  • Unaware of what makes a good password
  • Management of it feels like a lot of work

What are the risks?

  • Two-thirds of data breaches involve weak passwords (most popular passwords: 123456, ABC123).
  • No password policies.
  • Default passwords in place.
  • Bad habits like sharing passwords with coworkers, writing down passwords on unsecured notepads and post-it notes, and trying to keep it too simple.

How can we reduce risk?

  • Strong password management policies – use complex passwords and change them frequently.
  • Change the passwords that come with hardware and software products.
  • Change passwords after you have outside contractors do hardware, software, or POS system installations/upgrades.
  • Check with your tech provider that your wireless router is password protected.
  • Make sure default passwords are changed.
  • Provide training – Your staff needs education on the difference between good and bad passwords.

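A password policy is only useful if someone checks passwords against it. The script below is an added example, not material from the session or the presenters; the length and character-class thresholds are assumptions, and the blocklist is a constructed sample seeded with the common passwords the session names plus a few typical vendor defaults. It reports every violation rather than just the first, which is what a help-desk or onboarding tool would want to show a staff member.

```python
"""Password policy check, illustrating Habit #3 (added example; thresholds are assumptions)."""
import re

# Constructed sample blocklist: the most common passwords named in the session plus a
# few vendor-style defaults. A real deployment would load a much larger published list.
COMMON_PASSWORDS = {"123456", "abc123", "password", "admin", "welcome", "qwerty"}

MIN_LENGTH = 12          # assumption: minimum length the policy requires
REQUIRED_CLASSES = 3     # assumption: how many of the four character classes must appear


def character_classes(pw: str) -> int:
    """Count how many of lower/upper/digit/symbol classes the password uses."""
    patterns = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(1 for p in patterns if re.search(p, pw))


def has_trivial_pattern(pw: str) -> bool:
    """Flag a run of four or more identical characters, or an ascending run such as 1234 or abcd."""
    if re.search(r"(.)\1{3,}", pw):
        return True
    lowered = pw.lower()
    for i in range(len(lowered) - 3):
        chunk = lowered[i:i + 4]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(3)):
            return True
    return False


def check_password(pw: str, blocklist=COMMON_PASSWORDS) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < REQUIRED_CLASSES:
        problems.append(f"uses fewer than {REQUIRED_CLASSES} character classes")
    # Normalise before the blocklist lookup so "Password" or "ADMIN" are caught too.
    if pw.lower() in blocklist:
        problems.append("appears on the common/default password list")
    if has_trivial_pattern(pw):
        problems.append("contains a repeated or sequential run")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "ABC123", "aaaaaaaaaaaa", "Tr0ub4dor&Horse!"]:
        print(repr(candidate), check_password(candidate) or "passes")
```

The blocklist lookup is the check that catches the session's two headline examples (123456 and ABC123) even when the user dresses them up with capitals, and it is the same check that catches unchanged vendor defaults once those are added to the list.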
Habit #4: Using consumer-oriented cloud storage

Why do we do it?

  • Convenience
  • Ease of use
  • Don’t have to involve IT support
  • It’s free!
  • Can be synced among multiple devices

What are the risks?

  • Your data no longer belongs to you. It’s out in the ecosystem.
  • Personal accounts – If work is being stored on personal cloud accounts, it’s the same as if it’s on their computers at home.
  • No way to retrieve data and files post-employment.
  • Data instantaneously replicated to multiple devices.
  • No way to control who has access and is viewing your data.

How can we reduce risk?

  • Provide business grade versions of these cloud offerings (for example, Dropbox Business).
  • Establish information policies – Set policy standards for file management.
  • Block unauthorized syncing.

Habit #5: Poor backup and disaster recovery infrastructure

Why do we do it?

  • Shortsightedness
  • Not putting a price on data and key systems
  • Lack of adequate IT support
  • Blind faith

What are the risks?

  • Consider the “what if” scenarios – What would you do if you lost all of your data due to a virus, an accidental deletion, or a natural disaster?
  • Major costs – productivity, revenue, damaged reputation, financial performance, and other expenses.

How can we reduce risk?

  • Schedule regular, routine backups … and make sure they work.
  • Any work you can’t easily replace should be backed up and stored off site in a cloud.
  • Create a disaster recovery plan.
  • Test your plans.
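“Make sure they work” means actually restoring the backup and comparing it with the original, not just confirming that a job finished. The script below is an added example, not code from the session or the presenters: it backs up a directory to a compressed tar archive, restores it to a scratch location, and compares every file by SHA-256 hash. The sample donor data it builds is constructed. It then shows the failure mode the “what if” question is really about: a backup that is stale because new data arrived after the last run.

```python
"""Backup-and-restore check, illustrating Habit #5 (added example, not from the session)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root: relative path -> sha256."""
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def make_backup(src: Path, archive: Path) -> Path:
    """Write a gzip'd tar of src; the archive stores paths relative to src."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return archive


def verify_backup(src: Path, archive: Path) -> tuple:
    """Restore the archive to a scratch directory and compare it file-by-file with src.
    Returns (ok, problems). A backup that cannot be restored is a failed backup, so any
    exception raised during extraction is reported as a finding rather than propagated."""
    problems = []
    # Use the safer "data" extraction filter where this Python version supports it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(restored, **kwargs)
        except Exception as exc:  # noqa: BLE001 - any restore failure is the finding
            return False, [f"archive could not be restored: {exc}"]
        expected = snapshot(src)
        actual = snapshot(restored)
        for rel, digest in expected.items():
            if rel not in actual:
                problems.append(f"missing from backup: {rel}")
            elif actual[rel] != digest:
                problems.append(f"content differs: {rel}")
        for rel in sorted(actual.keys() - expected.keys()):
            problems.append(f"unexpected extra file in backup: {rel}")
    return not problems, problems


def demo() -> dict:
    """Build constructed sample data, back it up, and verify it twice: immediately
    (should pass) and after a new file lands in the source with no fresh backup
    (should fail, because the backup no longer covers everything)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "donor-data"
        (src / "reports").mkdir(parents=True)
        (src / "donors.csv").write_text("id,name,amount\n1,Constructed Donor,25.00\n")
        (src / "reports" / "q1.txt").write_text("constructed sample report\n")
        archive = make_backup(src, work / "donor-data.tar.gz")
        fresh_ok, fresh_problems = verify_backup(src, archive)
        (src / "grants.csv").write_text("id,funder\n1,Constructed Foundation\n")
        stale_ok, stale_problems = verify_backup(src, archive)
        return {"fresh_ok": fresh_ok, "fresh_problems": fresh_problems,
                "stale_ok": stale_ok, "stale_problems": stale_problems}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run on a schedule right after the real backup job, this check turns “we think backups work” into a pass/fail result someone can be paged on; the same restore-and-compare routine is also the core of a disaster recovery test.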

Habit #6: A lack of network security

Why do we do it?

  • Shortsightedness
  • Lack of adequate IT support to lead effort
  • Too complicated
  • Assume that it’s not necessary … until it is

What are the risks?

  • Unauthorized access to critical information.
  • Disruption of work.
  • Malicious software – Malicious code can not only infect a single machine, it can spread throughout your whole network.

How can we reduce risk?

  • Firewall protection – Make sure your computers have a basic firewall.
  • Tightly control downloads, software installations, the use of thumb drives, and public Wi-Fi connections on computers used for payment card processing.
  • Mandate anti-virus/malware software – and keep it updated.
  • Have multiple layers of protection.
  • Remove former employees from your network – make it part of the HR employee off-boarding process.

Habit #7: Poor software management

Why do we do it?

  • Convenience
  • Shortsightedness
  • Lack of adequate IT support
  • Blind faith

What are the risks?

  • Potentially unwanted applications (PUAs).
  • Security vulnerabilities – Hackers keep up-to-date on security holes and are always looking for opportunities to exploit them.
  • Poor hardware performance.

How can we reduce risk?

  • Establish a patch management schedule – A policy that governs how, when, and by what means software is updated helps everyone do their best.
  • Manage software installs – Consider only allowing authorized IT personnel to perform installs.
  • Perform routine PC tune-ups – A PC is like your attic; it collects a lot of junk over time.
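A patch management schedule needs a way to see which machines are behind, and Habit #1’s “require minimum software standards” needs the same thing. The script below is an added example, not material from the session or the presenters; the inventory export format, the host names and the version baseline are all constructed and hypothetical. It compares each machine’s reported versions against the minimum the policy allows, treating a product that is not reporting at all (no anti-virus entry, for instance) as a finding in its own right. It also handles the edge case that trips up naive scripts: versions must be compared numerically, segment by segment, or 10.9 sorts above 10.15.

```python
"""Minimum-version compliance check for an endpoint inventory, illustrating Habits #1 and #7
(added example; inventory lines and the version baseline are constructed, not from the session)."""
import re

# Constructed baseline: the lowest version the (hypothetical) policy accepts per product.
MIN_VERSIONS = {
    "os": "10.15",
    "browser": "90.0",
    "antivirus-signatures": "2016.03.20",
}

# Constructed inventory export: one "hostname product=version ..." line per machine.
INVENTORY = """\
laptop-01 os=10.15.7 browser=91.2 antivirus-signatures=2016.03.22
laptop-02 os=10.9.5 browser=102.0 antivirus-signatures=2016.03.22
desktop-03 os=11.2 browser=9.0 antivirus-signatures=2015.12.01
desktop-04 os=11.2 browser=91.10
"""


def parse_version(text: str) -> tuple:
    """Turn '10.15.7' into (10, 15, 7) so that 10.9 < 10.15.
    Comparing the raw strings would wrongly rank '10.9' above '10.15'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_outdated(installed: str, minimum: str) -> bool:
    """True when the installed version is below the policy minimum."""
    return parse_version(installed) < parse_version(minimum)


def parse_inventory(text: str) -> dict:
    """hostname -> {product: version} from the export format above."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, *pairs = line.split()
        hosts[host] = dict(pair.split("=", 1) for pair in pairs)
    return hosts


def compliance_report(inventory: dict, baseline: dict = MIN_VERSIONS) -> dict:
    """For each host, list findings: products below the minimum and products missing
    entirely (a machine with no anti-virus entry cannot be assumed protected)."""
    report = {}
    for host, installed in inventory.items():
        findings = []
        for product, minimum in baseline.items():
            if product not in installed:
                findings.append(f"{product}: not installed or not reporting")
            elif is_outdated(installed[product], minimum):
                findings.append(f"{product}: {installed[product]} is below minimum {minimum}")
        report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in compliance_report(parse_inventory(INVENTORY)).items():
        print(host, findings or "compliant")
```

Hosts with an empty findings list are compliant; the rest are the work queue for the next patch window, and a host that stops reporting a product should be treated as non-compliant until someone has looked at it.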

You can download the full presentation deck and materials here: http://www.nten.org/session/seven-highly-risky-habits-of-small-to-medium-sized-nonprofits-it-security-pitfalls/.