
Deep Dive: cybersecurity and encryption

By: Marco Campana
February 2, 2020

Imagine everything you think and say may one day be known. I don't remember the modern-day philosopher who wrote what I'm paraphrasing, but I read something along those lines almost 30 years ago. It's truer than ever before. Everything you write, share, and say is more accessible, or findable, than ever before. On the personal side of things, we all know the stories of lives crushed, careers and relationships ended, stock prices plummeting, etc.

On the organizational side, you work with your clients' personally identifiable information. You know that it should be kept under lock and key in your office, but what does that mean online?

Too many organizations are not quite sure. It's time to be sure. You need to understand it at the infrastructure/administrative, service, and client information levels, and know how to ensure that your clients understand it too.

Here's some reading to get you literate and aware, from TechSoup Canada:

Protect Yourself: Preparing Your Nonprofit’s Workplace For Cybersecurity  
Nonprofits are coming to realize the importance of cybersecurity. But not quickly enough. In 2016, the number of nonprofits with a cybersecurity breach response plan was 31%. By 2017, the number had risen to 52%. This is still only just over half of nonprofits. That’s not enough.
Part 1
Part 2

How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy
This is a two-part webinar series (yeah, it's big enough and important enough of an issue for 2 webinars!) on cybersecurity and nonprofits. In this webinar, Imran Ahmad of Miller Thomson, LLP provides an overview of how to create your own cybersecurity plan and implement best practices. Ahmad also explains the upcoming mandatory breach notification requirements in case of a breach. 
Part 1
Part 2

Investing in privacy and security
"Good companies talk about privacy and security; great ones back their words up with third-party audits. At the most basic level, audits establish trust. Submitting to a privacy and security audit is not something that should be done lightly. It involves countless hours of work and resources, not to mention a significant capital investment to execute. Note that I describe it as an investment, not an expense."

This reading and viewing will keep you busy, and will give you practical steps to take in your organization. 

There's more. In 2017, Microsoft, in partnership with TechSoup, published Nonprofit Guidelines for Cybersecurity and Privacy: "It describes areas where nonprofits are struggling and solutions in the cloud that every charity can use." You should definitely download it.

And, here are 5 Ways to Protect Your Nonprofit’s Data: "Odds are your nonprofit has amassed valuable data as a result of regular day-to-day activities like processing online donations; managing virtual staff or volunteers; or capturing details of those who subscribe to your nonprofit’s newsletter.

"This type of data is both an asset and a risk for nonprofits. It seems cyberattacks, ransomware and hackers make the headlines on a regular basis. As nonprofit professionals, we understand the importance of protecting our organizational data and the privacy of those in our community. But what are we doing to prepare, and what is stopping us from a higher level of protection?"

For your workers, here's a great starting point to all things digital, from the Scottish Social Services Council: 23 Digital capabilities to support practice and learning in social and health services. "Thing 6" focuses on digital security: "Completing this thing will give you the opportunity to consider digital security which is relevant for both your personal and professional life." Useful.

Workers should also become very familiar with the 2017 NASW, ASWB, CSWE, & CSWA Standards for Technology in Social Work Practice (PDF): "The following standards are divided into four main sections and address social workers’ use of electronic technology to (1) provide information to the public; (2) design and deliver services; (3) gather, manage, store, and access information about clients; and (4) educate and supervise social workers. These standards are designed to guide social workers’ use of technology; enhance social workers’ awareness of their ethical responsibilities when using technology; and inform social workers, employers, and the public about practice standards pertaining to social workers’ use of technology."

You communicate sensitive information with clients, partners, consultants, and other stakeholders (heck, just the other day I was emailed a form to fill out that included asking me to add my SIN and email it back. No, No, NO...). It's time to learn about encryption. Here's a primer: End-to-End Encryption and Confidentiality in Social Work Communication: "'Encryption' is a broad term that’s often applied liberally to describe processes or steps to protect electronic communication. I’ve seen the term used to describe the scrambling of data shared between specific users, or the simple use of passwords to log in and out of private email. Usually, if passwords are used in the process of encryption, that action of logging in with a password involves converting the protected information into an unreadable code. This scrambling of data prevents unwitting or nefarious outsiders from interpreting what they’re seeing, should they access the information."

Back to TechSoup Canada for some useful starting points, and a reality check. Think encryption is some new fad you should learn about? No. This article is from 2011: Working Safely Online (Anytime, Anyplace, Anywhere).

This article is also useful: Online Security Measures For Nonprofit Organizations. It leads to this useful site: Be Encrypted's Ultimate Encryption Guide.

Then, spend some time with Tactical Tech's Security in-a-box project.  "Security In-a-box is a guide to digital security for activists and human rights defenders. The toolkit ranges from the basic principles of digital security, including advice on how to use social media and mobile phones more safely, to more specific regional advice for activists working in higher risk environments." You don't work in a high-risk region, you say? Sure, OK, maybe. But you work with highly private information on vulnerable clients, some of whom do come from higher risk environments (or are in one today, via domestic violence, etc.) and continue to have risks associated with their source countries. Isn't it better to be more secure than less? Yes, yes it is.

There's so, so much more you could read and start doing. I think these are some useful starting points. Let me know if you find them useful in your work.
