Six Considerations for Strengthening Information Security
Individuals in today’s workplace, whether nonprofit or for-profit, often make two common errors when thinking about privacy and information security.
First, people tend to think of information security as a technology problem — making it all about firewalls and encryption. Designing a truly secure information-handling system instead requires a holistic approach that uses technology components but that first must address business processes, policies and, most importantly, people. Many serious and successful hacking attempts begin with what hackers refer to as “social engineering” — they compromise the human components of the information system rather than the electronic ones.
Second, people often think of information security in absolute terms (e.g., “We must have this or that”). Information security is a risk-management problem, which is all about making sensible trade-offs. Security improvements require decisions involving money, time and efficiency, all of which must be evaluated against the risk it will reduce.
The key principles of good security design transcend time and have little to do with technology. Here are six things organizations should consider when evaluating their information security plans:
1. Education. People are the most important part of information security. Educate everyone in your organization on their role in maintaining security, how to think about security, how to evaluate risks and why information processes are designed a particular way.
2. Need to Know. The risk of information being compromised increases with every person who has access to data. This is not necessarily because certain individuals might be untrustworthy, but because everyone makes mistakes and anyone’s computer can get a virus. Only allow donor database access to people who actively work on it.
3. Avoiding Unnecessary Risk. There currently are more than 20 states that have passed laws requiring disclosure when Social Security numbers or credit card numbers are compromised. Organizations don’t need Social Security numbers to accept donations, and since these are high-risk data items, don’t ask for them. Instead, create your own membership numbers.
4. Defense in Depth. Processes, technology and people all are imperfect, and a system is only as secure as its weakest link. Don’t rely on a single layer of protection for important information. Your donor database server should be in a locked room, protected by an additional onboard firewall and password-controlled access.
5. Continuous Improvement. Threats and technologies constantly change, and so do business needs. You should regularly review systems and processes, as well as shut down old systems that no longer are being used. Also, keep software patches up to date — most software breaches exploit weaknesses for which a patch had already been released by a vendor.
6. Enable, Don’t Obstruct. If you make a habit of always saying “no” to requests for new information processes, people will resort to circumventing your security measures in order to do their jobs. Find ways to meet colleagues’ needs while still keeping data secure.
By taking a holistic approach, organizations can establish more effective information security to protect important data from getting into the wrong hands.
To contact David Crooke, founder and CTO of constituent relationship management service provider Convio, visit www.convio.com.