Have you ever exported donor data into a spreadsheet? Perhaps onto a laptop or other mobile device? In 2014, laptops were stolen which contained the health information of over 600,000 Albertans. Unencrypted. How easily could this have been your organization?
As a fundraiser, with access to mounds of donor data, you are the front line for data security.
There is risk to your organization’s reputation, especially given evolving requirements for public disclosure of breaches. Perhaps more poignant, however, is the risk to the trust that you have built with your donors. Charities are particularly interesting targets: there’s lots of data, but little investment in IT and training.
To understand the problem you face, you should understand a bit about hacking and its methodology. Movies like to depict hackers madly typing away, running some scripts, and navigating some weird user interface to gain access. It is rarely that geeky.
DEF CON is a hacking conference held every year. During the 2012 conference, a live competition saw one hacker, in a soundproof booth, call and convince a retail store manager to give him all sorts of details, including operational shift schedules and computer hardware and software specifications – the kinds of things someone may use to breach security. Imagine a simple phone call to your donor relations from a “donor” asking for information. Is your guard down because they’re a donor? Are you willing to give away transactional data, address data, emails, just because the person on the phone claims to be the donor?
At a Black Hat conference, details were presented about a test at the University of Illinois in which researchers left USB drives lying around, waiting for people to pick them up and plug them in. That act could be enough to install keylogging scripts or other malicious software onto systems.
Both attacks are known as “social engineering,” and they work because they specifically go after the weakest link in computer security – the users.
A breach of data can also be a matter of simple opportunity. Have you ever printed off a donor profile and given it to someone for a donor meeting? Do you know what happened to the printed document after the meeting? Was it returned, signed back in, and shredded? Was it left in a vehicle, on the seat of a bus, or on the curb in the recycle bin? While maybe not the technical version of a digital data breach, the loss of a document like that could very well impact the trust you have with your donors.
So, what can you do? The first thing is to be aware. Start thinking about where data is when it’s not sitting in the donor database. Start building policy to control what happens to exported or printed donor data. Consider cybersecurity training – some companies specialize in training employees on what they can do, day to day, to help protect against breaches.
Data security is not just for IT. Donors trust every one of us to keep their information safe.