Nonprofits and Their Approach to Security and Access

Apptega’s recent nonprofit cybersecurity expert panel discussed approaches to keeping nonprofits secure and how much access should be granted to employees and volunteers. We wanted to share some of the highlights.

With regard to security, should nonprofits operate from a risk-based approach or a compliance-based approach?

The Boys & Girls Clubs of America operates primarily from a risk-based approach, but only because few regulatory or compliance requirements apply to it. The American Cancer Society also takes a risk-based approach, but one informed by certain compliance requirements tied to meeting the NIST Cybersecurity Framework.

“We’ve adapted the NIST framework into our already existing CSF environment. So my philosophy is adapt, don’t adopt. We’ve adapted it to a program that fits our needs.”
James Baird, VP IT of Security and Compliance at American Cancer Society

James then advised nonprofits that focus more on compliance to use compliance as a means to figure out their security management system, but always to look at things from a risk perspective.

Lessons learned in short:

– Being compliant does not equal being secure

– Adapt your security to your specific needs

The panel also discussed the security of the cloud, the effect volunteers have on a nonprofit’s security, and how these experts are managing those issues. The panelists were big proponents of education as a key pillar of enhancing security.

“We educate our stakeholders and users (volunteers included) that going into the cloud doesn’t equal information security. We have engaging conversations with our stakeholders and users in general about how to protect the information of our staff, volunteers, benefactors, and especially the young people that we serve.”
Mat Mathews, Senior Director of IT and Security at Boys & Girls Clubs of America

For a nonprofit, volunteers play a critical role in the mission, but they also pose a security risk: they bring their own devices into the field and log in from many different places on many different devices. Our expert panel’s primary solution is to segregate your networks. By creating a separate Wi-Fi network for your contractors and volunteers, you limit the type of access they can have to sensitive resources and information.

“In short, ask yourself: what is it they need access to, how long, why do they need it? Then, do you have something set in place to shut off that access once they leave?”
Mat Mathews, Senior Director of IT and Security at Boys & Girls Clubs of America

*** This is a Security Bloggers Network syndicated blog from Apptega Blog authored by Apptega. Read the original post at: