We don’t touch on cyber security too often on this blog as it is so not in our area of expertise. But we know it’s extremely important you are doing everything you can to maintain the safety of your donor information. We were glad that Merkle reached out to us to talk to you about keeping your data secure. ~Kristina
Guest Post by Bill Sayre, President of Merkle Response Management Group
From Target to Home Depot, security breaches are being discovered at an alarming rate. In fact, reports have cited a 48 percent increase in cyber attacks from 2013 to 2014. With charitable giving totaling more than $16 billion in 2014, nonprofits are becoming increasingly enticing targets for cyber criminals. As this happens, potential donors are becoming more concerned with the safety of their personal and financial information.
While the financial repercussions of a breach are damaging, with reports showing that the average breach costs around $720,000, the impact on donor relationships is of even greater concern. Trust, more than anything, is crucial to maintaining and nurturing donor relationships. Nonprofits and the organizations that support them must evaluate their security IQ and put the right security in place to protect donor information from being compromised.
A key area for many nonprofits is the processing of donations that are received via the mail. This function is often outsourced, but whether it is managed through a third-party vendor or in-house, it is important to know that those donations are being handled as securely as possible. So, what can nonprofits do to boost their security intelligence and ensure donor information remains secure throughout the entire donation processing lifecycle? Start by addressing these areas:
Physical security should be the first line of defense in protecting donor information and step #1 in improving a nonprofit’s security IQ. Complete 24/7/365 surveillance is critical for safeguarding donations and donor information. First, nonprofits and any organizations that handle their information should ensure access to the facility is carefully controlled and security cameras are in place. Additionally, the movement of the mail from the Post Office to the processing facility should be handled by at least two staff members that have had complete background checks and the movement of the vehicle should be tracked using GPS technology.
Other items to address include providing photo ID badges for all staff and restricting access to various departments in the facility based on job function. Many nonprofits receive cash in addition to check and credit card donations. With cash donations, a process known as tray seeding is recommended to confirm that cash is properly processed. Before trays of remittance envelopes are given to employees for processing, managers photocopy the contents of the envelopes including any cash. Once employees have completed their trays, the processed mail is cross-referenced with the original photocopies to make sure all cash is still intact. Trash bins should also be checked for any irregularities.
Dealing with data security issues may be challenging or even a bit intimidating for nonprofits that are already stretched thin, but a nonprofit doesn’t need to be a security genius to intelligently address data security. It is important to start with the basics.
Consider beginning with standard data security software. Data security software can include firewalls, antivirus software, spam and spyware software, activity monitoring software, data-loss prevention software and intrusion detection software. These solutions can track where a threat originated, making it easier to combat security issues if they do occur. Overall, security software is critical to protect against intrusions and provide valuable security feedback to your nonprofit.
Data encryption is also important to incorporate into your security strategy. Nonprofits and donation processors should provide end-to-end data encryption on all inbound and outbound data files. Once data is encrypted, it is wise to conduct random network penetration tests to ensure that the network remains secure. It is best to conduct these tests at least four times per year.
Payment Card Industry Data Security Standards and Compliance
Payment Card Industry Security Standards Council (PCI SSC) guidelines can help nonprofits and their donation processors ensure they are safely processing credit card gifts. PCI Data Security Standard (PCI DSS) compliance provides nonprofits a framework for developing a robust payment card data security process that includes prevention, detection and reaction to security incidents. This is an important area as the fines for non-compliance are significant.
When thinking about nonprofit security best practices, always remember what is being protected: valuable donor relationships. Donor trust – or lack thereof – directly impacts a nonprofit’s ability to fundraise successfully. Supporting key areas including physical security, data security and compliance, positions nonprofits to boost their security IQ and take the strongest stance against threats to the safety of donor information.
As a helpful resource, we encourage you to take our nonprofit security assessment to gauge your nonprofit security IQ.
Bill Sayre is the president of Merkle Response Management Group, a full-service direct response processing and fulfillment company that works with nonprofits including Operation Smile and the Heritage Foundation. Bill has over 20 years’ experience in remittance processing, and all of his operational facilities have received awards and recognition for world-class results and operational innovations.