Executive Data Security Wake-up Call: Don’t Become a Target
Executive directors, how often do you think about data security? Does it come up at board meetings? At staff meetings? Do you worry about it? Along with the digital revolution has come a new reality — we are all storing a lot of extremely valuable digital personal information (often referred to as PII, personally identifiable information) about our donors and ticket buyers.
If you store it, you accept the risk of protecting it. It’s as simple as that. Without getting too dramatic, I hope you agree that it doesn’t take much of a leap to see how this personal information could be valuable to a low-level hacker or a disgruntled employee.
Thus, in the wake of massive data breaches at Target and Sony this year, data security has taken its rightful place on the desk of every CEO — and it should be on yours, too. In learning about the aftermath of Target and Sony, I came across this podcast: “Getting Security Right Isn’t as Hard as You Think (But the Effort Never Ends).” What surprised me was that apparently these data breaches were largely based on incompetence rather than super-sophisticated hackers. The description of the podcast, which you can listen to here, reads:
The lack of foundational security hygiene is what makes companies vulnerable to relatively mundane attacks, which are far more likely to hit your company than some sophisticated nation-state mounted attack. “There’s this misconception that we can’t defend against these attacks because we can’t deal with the sophistication of the attackers,” says Tanium CTO Orion Hindawi. “It turns out, we should just be doing the good hygiene we’ve all been trying to do for the last 20 years.” In this segment of the a16z Podcast, Hindawi shares how to get your security hygiene right — not just from a technical perspective, but from a cultural one as well.
If you want to benchmark where your organization is, take this test and give yourself 1 point for each of these that your organization has or does:
- Data security policy: A written data security policy about what data is stored and where and how it gets saved, archived, and backed up.
- Cyber-security insurance: A separate cyber-security policy or rider that transfers some of the financial risk of a security breach from your organization to the insurer.
- Data security manager: An employee whose job (or part of the job) is to implement and ensure compliance of your data security policy and provide education, training, and advice to staff, management, and your board.
- Annual on-site data security audit: A third-party audit to assess the risk in your technology infrastructure and policies.
- Board committee oversight: A board committee focusing on data security.
- Hardware access control: All servers you manage (either on-site or remotely) as well as local workstations that store or can access PII should be protected by policy and passwords that are changed and monitored regularly.
- Remote worker policy: Do employees or volunteers have to access PII remotely — and if so, what data can they access?
- Ongoing education: Do you attend a workshop, take any courses, or read about data security?
- Confidentiality agreements: Do you have signed contracts with employees or vendors who have access to your PII?
If you did not score at least 8, I suggest that your organization may be at risk. Even if you did reach that score, you probably know as chief executive that data security is no less important to your job than is your annual financial audit. Although sophisticated hackers probably won’t target your non-profit today, this podcast suggests that when you leave the back door unlocked, you are increasing the odds of something bad happening.
Providing our clients with world-class data security is one of the primary reasons we built our PatronManager system within the Salesforce.com technology platform. Because companies such as Salesforce, and others that offer platforms (such as Amazon and Microsoft), spend many orders of magnitude more money on data security than any individual organization could spend, your data is better protected in a cloud-based platform than it is when you host it yourself, either on-site or in a remote facility.
If this is of interest to you, I recommend that you look at these pages, starting here: http://trust.salesforce.com/trust/learn/bestpractices.