NPOs and Information Security


Upload: m-dalton

Post on 06-May-2015


Page 1: NPOs and Information Security

NPOs and Information Security

An analysis of the factors that contribute to the vulnerability of NPOs and best practices in combating criminal activity.

Miranda R. Dalton, 511C, 10.18.11


Agenda

The Interest in Nonprofits

Vulnerability of NPOs

Responsible Factors

Securing Information

Recommendations

Research Approach

• Articles disseminated over a three-year period (2007-2010)

• Similarities and discrepancies among articles explored

• Nonprofit Organizations will be referenced as NPOs

Nonprofit Sector

A growing sector in our nation’s economy

1.5 Million NPOs in 2008

A Target For Cyber Criminals

Why the Interest in Nonprofits?

Cyber Criminals see tremendous financial gain

• Nonprofit budgets are growing

• If successful, cyber criminals can gain access to an organization’s financial accounts and the personal/financial information of donors

• Cyber Criminals are finding new and innovative malware to penetrate networks

• New malware is not easily stopped

• Development of new malware has morphed into a multi-billion dollar global enterprise

The Vulnerability of NPOs

Responsible Factors

Human Carelessness

• Accidentally posting information online

• Discarding information in an unsecured dumpster

• Hardware and information stolen by temporary employees

Financial Constraints

• Anti-virus software is costly and quickly becomes out of date

• Majority of funding is for program services and delivery

• Difficult to allot money to purchase current security software and employ IT staff

Underestimating the Risk

• NPOs have versatile payment options for donors

• In the process, information security is lost

• Larger NPOs: more security measures, but greater financial transactions - TARGET

Securing Information

A comparison of strategic approaches

Install latest antivirus software and employ IT staff

• McAfee

• Norton

• Latest security versions should be installed on computers

• Expensive

• Budgetary issues – organization can’t afford IT staff or to contract out to third parties

Undergo cultural change related to information security

• Securing information is the responsibility of all

• Security Awareness Programs - training in information security

• Adoption of proper protocols/procedures in securing information

• Buy-in needed from all key stakeholders

Backup and redundant systems

• The issue – reactive in nature

• Only relevant once networks have been compromised

• Should not become the prevailing IT strategy


Recommendations to Nonprofits

• Information security must become a key component of strategic planning

* Will assist in changing the culture of an organization

* NPOs will begin to dialogue concerning matters of information security and the adoption of security initiatives

• Training must occur on an ongoing basis

* Argument: NPOs are already stressed and further training would add to the frustration of NPOs

* Counter Argument: If IT and security matters are not a priority, it could harm contributions if donors feel that their information has been compromised

Recommendations to Nonprofits

Five Steps in Creating an Information Security Plan

1. Develop information security policies

2. Communicate the information security policies

3. Identify critical information assets and risks

4. Test and reevaluate risks

5. Obtain stakeholder support


Security and the Internet - Fighting Malware. (2008, July). OECD Observer, 10-11.

Six ID Theft Trends for 2010. (2010, February). Credit Union Magazine, 42.

Baltzan, Phillips, & Haag. (2009). Information Technology and Management (3rd ed.). McGraw-Hill.

Dinerman, B. (2009, July 21). Security Threats: A guide for small and mid-size nonprofits. Retrieved October 10, 2011, from TechSoup: http://www.techsoup.org/learningcenter/techplan/page11904.cfm

Meron, J. (2009, January 26). NP Tech News. Retrieved October 10, 2011, from http://www.nptechnews.com/management-features/increasing-data-security-in-an-increasingly-insecure-world.html

Popa, C. (2007, February). Information Security for Nonprofits. CMA Management, 19-21.

Sherstobitoff, R. (2008, April 21). How to Make Sure You Aren't the "Low-Hanging Fruit" for Fraud. 8.