Is Information Security & Data Privacy on Your Risk Radar Screen?

Blog

March 03, 2016

By Marie McNamee

Director, Program & Member Services, Humentum

Technology has been a game changer for the non-profit sector, serving as a powerful development tool that has spurred capacity-building interventions, the provision of essential services, and advocacy work. Mobile technology now allows programs to more easily collect detailed beneficiary data in the moment; enterprise human resource information systems (HRIS) now provide organizations with global staff information; and non-profit discounts have made it affordable to store financial, donor, and program data on third party cloud systems.

The rising risks of cyber attacks

While strides in accessibility and innovation have made technology an indispensable tool for the masses, NGOs are now faced with unprecedented information security and data privacy concerns. In the recently published Winter/Spring 2016 Clements Worldwide Survey of Risk Managers, cyberterrorism/data hacking was rated the greatest risk concern by 62% of 420 respondents (30% of whom were NGOs). Our NGO community should be concerned about security breaches because we are a target. Digital attacks are now pervasive. The US Federal Bureau of Investigation recently reported that a scam in which criminals impersonate chief executives and ask colleagues to wire them funds (known as business email compromise, or BEC) has cost businesses worldwide more than $2 billion. Threats also come from states and governments that seek to increase their control over information collected and published by human rights organizations and democracy agencies.

According to David Goodman, CIO-in-Residence for NetHope, “NGOs are now facing the perfect storm. With a growing dependence on technology and data to serve our beneficiaries and chronically underfunded where ease-of-use can trump security, the fact that bad actors are now using the tools of cyberterrorism against NGOs is a challenge.”

So where exactly do information security and data privacy appear on your risk radar screen? Non-profit organizations are no longer secure through obscurity. Increased threats and the ever-changing regulatory environment are reason enough to pause and ask yourself: Where are you vulnerable to data breaches? Is data security a continuing priority of senior leadership, or is it a one-time project delegated to IT? What do you need to be doing to protect your organization's brand and its stakeholders?

Increased attention on data privacy

Recent changes in the regulatory environment for data privacy are also important to note as you assess your systems and policies. In December 2015, the European Parliament, the Council and the Commission reached agreement on the final text of the European General Data Protection Regulation (GDPR), with formal adoption to follow in 2016. Michael Duggan, Chief Information Officer at Trócaire, shared that, “While the regulation will only come into force in Spring 2018 the breadth and depth of the new regulation requires any organisation that holds or processes personally identifiable information (PII) of EU residents (which includes foreign national residents in the EU) to start planning now. Fundamentally it enshrines the right to privacy and right to protection of personal data of EU residents.” The GDPR carries severe penalties: administrative fines of up to 4% of global annual turnover or €20 million, whichever is higher, and, for many organisations, an obligation to appoint a Data Protection Officer. While it does not appear that the US will adopt this type of regulation, a number of countries in sub-Saharan Africa and South America appear to be adopting an EU-type framework. With regard to the regulatory environment for information security, a number of NGOs are noting an increase in requests from US government donors to provide data management plans.

Safeguarding your organization

Building an information security program within your existing compliance/risk management structure is a clear next step for NGOs, as this is not just an IT issue. Some key steps to include:

  • Decide who has information security oversight within your organization—someone needs to own it.
  • Integrate IT risk with governance and compliance.
  • Budget for information security.
  • Focus on end-user awareness, through training and education.
  • Review policies and shore up gaps.
  • Build out security systems and build in security to existing applications.
  • Ensure security is built into your IT and general business processes.

A great resource for initial steps to take can be found in the Connect the Information Dots (CTID) December webinar on Information Security & Data Privacy: Why NGOs Need to Pay Attention. CTID is a monthly series co-hosted by NPOKI, n-Village, and InsideNGO.

If you’re still not convinced that you need to elevate this to a priority now, consider these words from Joel Urbanowicz, manager of IT Deployment Services at Catholic Relief Services. “Plausible deniability and ignorance, unintentional or otherwise, are no longer acceptable arguments for NGOs to not address the domains of data protection and information security. The evolving global policy landscape, donor requirements, and threats against NGOs provide a compelling case for coordinated action,” Urbanowicz says. He adds, “The breadth and complexity of these domains may seem daunting, but do not lose hope. Where our individual organizations may find it difficult to make progress, consortiums working together can effect real change in this space.” A successful consortium example he cites is The Cash Learning Partnership (CaLP), which produced actionable guidance on protecting beneficiary privacy in e-transfer programs.

The overall message is that we are all faced with this issue and need to work together. Urbanowicz notes that NetHope members are currently working to determine baseline NGO data protection capability and to establish a data protection minimum standard, and that the USAID Global Development Lab is beginning an effort to provide donor guidance on data protection. NetHope’s Goodman shares that NetHope will use existing standards such as NIST SP 800-53 (an auditable control catalogue) and ISO/IEC 27001 to develop a set of best practices with clear guidance and implementation support, as well as a compendium of donor requirements related to data protection, privacy, and security.