Six Considerations for Strengthening Information Security
Individuals in today’s workplace, whether nonprofit or for-profit, often make two common errors when thinking about privacy and information security.
First, people tend to think of information security as a technology problem — making it all about firewalls and encryption. Designing a truly secure information-handling system instead requires a holistic approach that uses technology components but that first must address business processes, policies and, most importantly, people. Many serious and successful hacking attempts begin with what hackers refer to as “social engineering” — they compromise the human components of the information system rather than the electronic ones.
Second, people often think of information security in absolute terms (e.g., “We must have this or that”). Information security is a risk-management problem, which is all about making sensible trade-offs. Security improvements require decisions involving money, time and efficiency, each of which must be weighed against the risk the improvement will reduce.
The key principles of good security design transcend time and have little to do with technology. Here are six things organizations should consider when evaluating their information security plans:
1. Education. People are the most important part of information security. Educate everyone in your organization on their role in maintaining security, how to think about security, how to evaluate risks and why information processes are designed a particular way.
2. Need to Know. The risk of information being compromised increases with every person who has access to data. This is not necessarily because certain individuals might be untrustworthy, but because everyone makes mistakes and anyone’s computer can get a virus. Only allow donor database access to people who actively work on it.
3. Avoiding Unnecessary Risk. There currently are more than 20 states that have passed laws requiring disclosure when Social Security numbers or credit card numbers are compromised. Organizations don’t need Social Security numbers to accept donations, and since these are high-risk data items, don’t ask for them. Instead, create your own membership numbers.