Five Ways Every Nonprofit Can Protect Sensitive Employee Information

Text message on smart phone Call me, dont write! (for concepts of privacy, discretion, and security)

Cyber criminals see nonprofits as prime targets for malicious attacks and they’re great at accessing data—including sensitive employee information. Nonprofits spend much of their time, energy, and resources addressing the needs of the communities they serve—but they must also make sure they are protecting employees. Here are five tips on how your nonprofit can safely store and share sensitive employee information. Bonus: the tips will also help you protect constituent data!

  1. Get Verbal Confirmation. Have a firm rule that no sensitive data can be transmitted, financial transaction conducted, or account change made without direct verbal communication between the person making the request and the person(s) who have the power/info to execute it.
  2. Implement Multi-Factor Authentication. Protect all HR, time tracking, benefits management, and core productivity platforms with mandatory Multi-Factor Authentication (MFA). This is one of the best ways you can protect your nonprofit from cyber-attacks.
  3. Conduct Training and Testing. Conduct regular security training and phishing tests.  The best defense against either targeted or opportunistic data theft is staff vigilance.
  4. Classify Data. Create a data classification and access control table. List out all the types of sensitive and valuable information handles, what job roles need to have access to each type, and for what purpose. While you are creating this list, the goal should be to reduce the number of people who have access to each type of data—make sure no one has more access than they absolutely need to do their job. Then, ensure that the data is stored in a manner that respects and enforces the data classification you developed.
  5. Encrypt Everything. Ensure that all sensitive information remains encrypted at all times, both “at rest” (where it is stored) and “in transit” (as it is being processed, submitted, updated, etc.) by way of full-device encryption and secure messaging services such as Zix and Office 365 email. If you must transmit sensitive information via an unencrypted channel, try to communicate the highly sensitive information (e.g. Social Security numbers, passwords, etc.) by voice to someone who is can enter that info directly into an encrypted system.

Download our Data Privacy Assessment to find out the approximate level of risk your nonprofit faces based on the types of data you collect and store.

Leave a Comment