How Nonprofits Can Protect Their Donor Data in the Cloud

Understand Your Nonprofit’s Compliance Needs

Depending on their mission, audience and goals, nonprofits are on the hook for a variety of data compliance regulations. Typically, these include the European Union’s General Data Protection Regulation (GDPR), which impacts data storage and end-user privacy; and the Payment Card Industry Data Security Standard (PCI DSS), which affects processes for managing consumer payments.

Additionally, most nonprofits need to closely track their expenses and revenue, and file regular Form 990 reports through the IRS. These filings are publicly accessible through reporting sites such as GuideStar. (In some cases, donor information is also revealed.) That creates a significant data collection need for many nonprofits — one they must balance with data protection considerations.

From a practical standpoint, it’s worth considering how much data you need to constantly manage and how you can minimize data collection. The Nonprofit Technology Enterprise Network recommends keeping an inventory of the data you use and setting policies for how you collect and share it. NTEN also offers tips on how and when to retain and delete data.

Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance, notes that her organization, which focuses on messaging, tends to approach data retention judiciously when building out lists to reach its audiences.

“We don’t hang on to that any longer than we need to,” she says. “And we don’t collect anything more than what we absolutely need to correspond with those folks.”

Another point of consideration is website compliance; particularly, how forms on your site comply with GDPR, PCI DSS or other data management standards. Periodic security assessments can help you understand how your data collection strategies might expose you to risk.

Click the banner below to explore a range of security services for small businesses.

When considering data collection, it’s also worth asking who has access to specific information and how it’s handled, both internally and externally.

“What that really means is, the focus is on the people and the process,” Plaggemier says. “So make sure, for example, that you have a thorough, robust third-party risk process so that you’re really vetting your vendors.”

This is an area where nonprofits have traditionally struggled. One recent data point highlighted by Amazon Web Services found that 76 percent of nonprofits lack a data strategy.

A failure to think strategically about data could lead to poor internal data handling, raising the risk of insider threats.

“It’s that sort of obvious stuff,” Plaggemier says, “like making sure you know who’s got access to what applications, and that you restrict access to only what’s absolutely needed for people to do their jobs.”

The not-so-obvious stuff may need attention too. For example, public-facing employee directories may expose employee email to external threats, making them more susceptible to phishing attacks.

Keep external vendors in mind as well. Plaggemier notes, for example, that nonprofits often work with marketing vendors that need to be on top of data management issues.

“Make sure that you have marketing vendors that understand and are on top of all those changes and can advise you, and get legal counsel to make sure that you’re complying with those regulations,” she says.

By limiting the scope of who has access to sensitive data, you can limit the potential scope of attack.

LEARN MORE: How to stave off cybersecurity threats in the cloud.

Avoid Misconfigurations in Your Nonprofit's Cloud Infrastructure

Many nonprofits have found comfort in using cloud platforms such as AWS, Google Cloud and Microsoft Azure to manage their technology needs, in part because they may not have the resources to manage a complex technology stack on their own.

But that doesn’t get them off the hook for managing their infrastructure. On the contrary, as data becomes more complex and is used in more places, cloud use can create unanticipated security issues over time, requiring periodic reassessment — a concept called cloud security posture management (CSPM).

Misconfiguration is a common issue that plagues cloud infrastructure, especially with a multicloud approach, where security has to be maintained across multiple cloud environments. As cloud infrastructure tends to grow quickly, the need for CSPM becomes more important.

Plaggemier recommends working closely with potential vendors to understand their offerings and ensure that basic features such as multifactor authentication are a part of their feature list.

“Cloud services are so prevalent right now, and for organizations that are small, like a lot of nonprofits, that’s what we’re all using,” she says. “So you just have to know what questions to ask and go from there.”

For organizations looking to manage their data safely in the cloud, using a service such as CDW’s Cloud Security Posture Assessment can make sense of what’s working and what’s not — and where the gaps might be in the infrastructure.

Bookmark this page for more stories during Cybersecurity Awareness Month.