NPOs and Information Security
An analysis of the factors that contribute to the vulnerability of NPOs and best practices in combating criminal activity.
Miranda R. Dalton
511C
10.18.11
Agenda
The Interest in Nonprofits
Vulnerability of NPOs
Responsible Factors
Securing Information
Recommendations
Research Approach
• Articles disseminated over a three-year period (2007-2010)
• Similarities and discrepancies among articles explored
• Nonprofit Organizations will be referenced as NPOs
Nonprofit Sector
A growing sector in our nation’s economy
1.5 Million NPOs in 2008
A Target For Cyber Criminals
Why the Interest in Nonprofits?
Cyber Criminals see tremendous financial gain
• Nonprofit budgets are growing
• If successful, cyber criminals can gain access to the organization’s financial accounts and the personal/financial information of donors
• Cyber Criminals are finding new and innovative malware to penetrate networks
• New malware is not easily stopped
• Development of new malware has morphed into a multi-billion dollar global enterprise
The Vulnerability of NPOs
Responsible Factors
Human Carelessness
• Accidentally posting information online
• Discarding information in an unsecured dumpster
• Stolen hardware & information by temporary employees
Financial Constraints
• Anti-virus software is costly and quickly becomes out of date
• Majority of funding is for program services and delivery
• Difficult to allot money to purchase current security software and employ IT staff
Underestimating the Risk
• NPOs have versatile payment options for donors
• In the process, information security is lost
• Larger NPOs have more security measures, but greater financial transactions - TARGET
Securing Information
A comparison of strategic approaches
Install latest antivirus software and employ IT staff
• McAfee
• Norton
• Latest security versions should be installed on computers
• Expensive
• Budgetary Issues – organization can’t afford IT staff or to contract out to third parties
Undergo cultural change related to information security
• Securing information is the responsibility of all
• Security Awareness Programs - training in information security
• Adoption of proper protocols/procedures in securing information
• Buy-in needed from all key stakeholders
Back up and redundant systems
• The issue – reactive in nature
• Only relevant once networks have been compromised
• Should not become the prevailing IT strategy
Recommendations to Nonprofits
• Information security must become a key component of strategic planning
* Will assist in changing the culture of an organization
* NPOs will begin to dialogue concerning matters of information security and the adoption of security initiatives
• Training must occur on an ongoing basis
* Argument: NPOs are already stressed and further training would add to the frustration of NPOs
* Counter Argument: If IT and security matters are not a priority, it could harm contributions if donors feel that their information has been compromised
Five Steps in Creating an Information Security Plan
1. Develop information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
4. Test and reevaluate risks
5. Obtain stakeholder support
Security and the Internet - Fighting Malware. (2008, July). OECD Observer, 10-11.
Six ID Theft Trends for 2010. (2010, February). Credit Union Magazine, 42.
Baltzan, Phillips, & Haag. (2009). Information Technology and Management (3rd ed.). McGraw-Hill.
Dinerman, B. (2009, July 21). Security Threats: A guide for small and mid-size nonprofits. Retrieved October 10, 2011, from TechSoup: http://www.techsoup.org/learningcenter/techplan/page11904.cfm
Meron, J. (2009, January 26). NP Tech News. Retrieved October 10, 2011, from http://www.nptechnews.com/management-features/increasing-data-security-in-an-increasingly-insecure-world.html
Popa, C. (2007, February). Information Security for Nonprofits. CMA Management, 19-21.
Sherstobitoff, R. (2008, April 21). How to Make Sure You Aren't the "Low-Hanging Fruit" for Fraud. 8.