5 Tips Corner - IT risk management for nonprofits: Securing your technology and data
For many nonprofit organizations, the effects of the pandemic have been amplified by a general decrease in availability of funding. Personal and corporate budgets alike have tightened, greatly reducing the amount of individual giving, spending and programmatic funding, which is the lifeblood for so many nonprofits. At the same time, information technology (IT) risks have never been greater and only continue to escalate, and organizations must keep pace with threats and emerging regulatory requirements.
Unfortunately, many nonprofits have been forced to do more with less due to reductions in their already limited internal resources, increasing the difficulty of maintaining operations and potentially decreasing visibility into potential technology risks. In this challenging environment, your organization must understand how to implement strategies to protect your technology and information assets, allowing you to better accomplish your mission.
The IT concerns within many organizations center on three key areas: IT risk, IT strategy and IT security. In many cases, nonprofits do not have a defined IT risk universe or strategy, leading to unidentified risk exposures, activities and applications that are not aligned to mission-critical objectives, and an inability to access data efficiently when needed. In addition, many organizations do not establish key performance indicators (KPIs) that help drive better decisions, or have systems that can scale with growth or automate manual processes.
While IT strategic and risk-based challenges can hinder operations, IT security issues can present significant threats to your IT environment, which may result in a loss of data, reputational damage, or even fines and penalties related to exposure of sensitive information. With outdated or ineffective technology in place, many nonprofits have vulnerable systems and weak controls, potentially exposing key donor, employee and volunteer information to unauthorized users and external threats.
In addition, data privacy regulations continue to evolve, yet many organizations are not aware of them, or don’t think they apply when, in reality, they do. For example, your IT systems may need to comply with myriad privacy regulations, such as the European Union’s (EU) General Data Protection Regulation (GDPR), which provides for protection of data for EU residents, no matter whether that data resides within the EU or not.
Similarly, the California Consumer Privacy Act (CCPA) was adopted in 2018 to protect California citizens’ personal data. While the act is generally not applicable to nonprofits, there are certain instances in which it is. Therefore, both GDPR and CCPA could be applicable to organizations that collect or process EU and California resident data, no matter whether they are based within those specific geographic bounds. Several additional individual states have enacted or are planning similar data privacy legislation, further complicating the landscape.
Your organization can implement multiple processes to secure the critical applications, supporting systems and databases to ensure the confidentiality of your key information assets. These include:
In addition, the gap assessment can focus on regulatory privacy expectations and general data protection expectations.
As threats continue to evolve, the IT controls environment for nonprofits becomes more challenging to monitor and a greater threat to operations. To help identify and manage the most critical IT risks and achieve compliance with regulatory guidelines, organizations must implement an effective IT risk, security and privacy posture that considers both current needs and future demands. After all, an ounce of prevention is worth a pound of cure.
By Mike Tryon, Partner, RSM US LLP