Before we dive into the connection between Occam’s Razor and Secure Digital Technology for your nonprofit—a quick story.
Our business development team is obviously on the front lines of hearing why fundraisers are looking for a new CRM. In the past year, “security” has consistently been in the top 3 of why they are speaking with us. So, when I was recently asked to provide some volunteer consulting for a local nonprofit to help with some technology needs, I was not surprised to hear that one of the subjects was security. (Kudos to them for making it important!). Someone asked about bad actors infiltrating their network, and wreaking havoc on both their operations and their member data.
It began a back and forth about investment in available technology products and services for security. Could they lock down their environment so staff couldn’t access certain websites or receive certain documents? With multiple locations, could they lock down some areas but not others?
This nonprofit (relatively mid-sized) was talking big ideas and complex security solutions. I appreciated the conversation. After all, we live and breathe it every day. I understand the investment. But I stopped the conversation and just asked: “Have you ever done Security Awareness Training?”
The answer was no. I said “The behind the scenes security solutions you are talking about are expensive and require serious management. You should definitely plan on them. But…can you also just start with a simple solution—training the staff?”
Occam’s Razor is the theory that the simplest of competing solutions is preferred to the more complex. It’s often overlooked in digital management.
Our PCI and SOC II compliance programs mandate rigorous standards. (By the way, this is PCI Certification, not the simpler PCI Compliance, but that's for another article.) One requirement is that we conduct annual Security Awareness Training (SAT) for our entire staff. You may not have that mandate to meet, but if you are concerned with security (and you should be), start with the simplest and most direct path to improving it.
If you aren’t familiar with SAT, here’s what they typically cover:
Awareness for Email Scams and Phishing Attacks
This is when criminals send emails or texts that appear to be from reputable companies, but instead direct you to malicious websites with the goal of tricking you into divulging sensitive information (e.g. bank account passwords or credit card numbers).
How to look out for, and respond to, social engineering in person or over the phone
This is when criminals exploit human error (or politeness) to access sensitive information.
How to respond to, and report, security threats
How should people take action if they have concerns about exposure to a scam of some sort?
Password strategy
Your dog's name. Your kids' birthdays. Your college mascot. Easy to remember, but also easy to figure out. Teaching staff about password strategy is important.
Malware and ransomware
This is software intentionally designed to cause damage to a computer, server, client, or computer network, whether to hurt you or to force you to pay a ransom. Either way, avoid it.
Understanding the role of removable media in security
For example, don't leave a USB drive with sensitive information out in public, and don't plug one into your computer if you don't know where it's from and what it contains.
These are just a few examples, and they seem so obvious, but they still need to be taught.
Again, don’t get me wrong. Employing the best digital technology tools for securing your data and operations is essential. Fundraising CRMs can use technology solutions like two-factor authentication, strong encryption, advanced fraud protection, and SOC II and PCI certification that help protect our clients and their data.
But most breaches of security happen because of human error. We get fooled by a phishing link or click an email that seems authentic. We use easy passwords in multiple places, so if they crack one, they crack many. We let somebody in the front door of our building out of politeness, instead of confirming who they are and ensuring they are connected to the right person.
Security awareness training curricula usually take 1-3 hours in total and are easy to administer; they are simplified to account for employees who aren't as technologically savvy. But as a preventive security measure, they can save days, weeks and even months of agonizing repair. And most importantly, they help everyone participate in the obligation of protecting our organizations and our donors.
If you’re looking for some recommended vendors or solutions, you can do lots of research, but as Occam might tell you, the easiest thing is to just find me at charityengine.net. I’m happy to share.
This article was originally published on Marketing AdVents, a publication for members of the DMAW