As more nonprofits move their organizations to the cloud by using G Suite, Office 365, and Salesforce, they’re finding expected benefits, and some unexpected threats to data security. Users and administrators alike can accidentally delete data needed for compliance, or overwrite good with bad — and unlike the days of on-premises backup, data that’s in the cloud might be permanently lost. (Learn what Forrester Research says about the importance of SaaS backup here.)
Compounding those risks, the integration of key cloud applications such as Gmail or Office 365 Mail with applications like Salesforce (used for donor management or student lifecycle management) leaves an organization further exposed. In the age of cloud and SaaS, such threats include sync errors destroying donor or student data at compute speed, or ransomware locking up the files a nonprofit needs to drive its mission forward.
Nonprofit sysadmins and business analysts have an important role in managing their organizations’ data, and the time spent recovering from SaaS data loss is a drain on limited resources. When I recently traveled to Boston (to present at the Salesforce World Tour Boston and participate in a New England Higher Ed Summit) and San Francisco (to present at a Salesforce Nonprofit User Group meeting) I heard stories such as these:
- “Adjunct staff changes every semester mean onboarding and offboarding users from G Suite accurately is critical – and yes, we’ve accidentally deleted critical data while offboarding.”
- “I worked with an admin who accidentally deleted hundreds of thousands of records from their donor management Salesforce instance. It took them weeks to recover completely.”
- “We were migrating from Exchange on-premises to Office 365, and made a mistake in our retention policy configuration – we lost hundreds of email messages, some from donors, before we caught and fixed the error.”
- “It’s not uncommon for staff to make changes to Salesforce reports and click ‘Save’ instead of ‘Save As’ and permanently lose their original reports.”
Common Scenarios for Cloud-Based Data Loss
There are some common data loss scenarios for email, cloud-based collaboration applications, and CRM (donor / student management) applications.
- Admin errors. Admin errors in data loads or mass onboarding / offboarding can overwrite critical data at compute speed – and when overwritten data syncs with other apps, errors spread exponentially.
- Employee errors. An employee may accidentally cause data loss by:
- Emptying a recycle bin full of “master” data, which cascade deletes “detail” data.
- Deleting what they think are unused shared folders and files, deleting data still in use by others.
- Clicking on an email that launches ransomware, whose resulting lock-out or destruction proliferates at compute speed through cloud-based shared documents and files.
- Malicious actors. A cybercriminal or rogue admin gains access to an organization’s email, collaboration apps, and / or CRM apps – where data is connected via application sync or other integrations – and deliberately overwrites or deletes vital data, leading to cascades of data loss as noted above.
- Sync errors between apps. If a bad sync occurs, important data such as donor outreach records can be corrupted. For example, a bad sync between Gmail and Salesforce can corrupt Contact Activity records, leading to a donor getting too many emails and feeling “spammed” – and stopping their donation.
And, in one use case, there’s a further “risk triangle” of data loss that can threaten a nonprofit’s mission.
In this edge case, email-delivered malware is activated, spreads through an organization, and encrypts a file in a collaboration drive, like OneDrive for Business or Google Drive. If there’s a message or document saved in a CRM system like Salesforce containing a link which points to the encrypted doc in Google Drive or OneDrive for Business, downloading and saving that document locally can start the ransomware cycle all over again. While this is an edge case, it illustrates how the integration of email, collaboration applications, and CRM (donor / student management) applications can amplify the threat of data loss.
Three Pillars of Data Protection for Nonprofits
Threats to SaaS data harm a nonprofit’s mission. Here are the three pillars of data protection that can reduce the threat of accidental or malicious data loss.
By aligning with the three pillars of SaaS data protection, nonprofits can neutralize the “risk triangle” of the threat of data loss.
Nonprofits should seek integrated solutions that are:
- Automated (“set it and forget it”, and in restore automation not manual intervention)
- Secure (SOC 2 Type II, multiple layers of security)
- Reliable (positive marketplace ratings, customer references)
Automating SaaS data backup and restoration cuts the number of manual steps needed to protect data, reducing the ways human error and inconsistent execution can add audit and governance risk. Ensuring the SaaS vendors you use are SOC 2 Type II compliant, and have additional multiple layers of security, is also vital to protecting your mission — a SOC 2 report describes the controls that a SaaS provider has in place to deliver on security, availability (uptime), data integrity, confidentiality, and the privacy of personal data. Reliability as indicated in customer reference calls and reviews goes beyond simple service uptime and accuracy — it helps ensure you’re selecting vendors you can trust.
By further taking an integrated approach to SaaS data threats, those nonprofits using a collaboration platform like G Suite or Office 365 along with a donor management or student lifecycle management application like Salesforce for Nonprofits can maximize time saved and resources saved. Having a single source, one that provides automated, secure and reliable SaaS data protection for those apps you rely upon, will simplify administration and reduce operational overhead.
*** This is a Security Bloggers Network syndicated blog from Spanning authored by Lori Witzel. Read the original post at: https://spanning.com/blog/what-every-nonprofit-needs-to-know-about-threats-to-saas-data/