Small organizations, and particularly nonprofits, typically run lean operations out of necessity due to limited funding. When resources are available, they are typically deployed to other areas vital to the entity’s main service or product, as opposed to administrative expenses such as information technology (IT). With increasing complexity and scrutiny over IT and related internal controls, it is difficult for smaller organizations with limited staff to determine when and where to spend time and funds to help improve the overall IT environment.
Below are some areas to address that can help improve your general IT controls — without expending a significant amount of resources.
1. Write a Policy
With all of the hacking and data breaches you hear about in the news, a popular (or unpopular) buzzword these days is cybersecurity. Everyone has data to protect. Think credit cards, banking information or medical information to which your organization has access. How can your organization better protect donor, employee and participant information?
The building blocks of cybersecurity are awareness and a security policy. There are plenty of articles you can find online about why security is a concern no matter the size of your organization, and sharing these with management and the board is a great way to build awareness. The next step is writing the policy. Don’t be overwhelmed. There are sample policies online that you can adjust to your organization or off-the-shelf policies you can purchase.
For the policy to be effective, be sure that management and the board agree on the importance of the policy and that the policy contains key elements, including user and administrator accountability, employee behavior and physical security measures. Then make sure you clearly communicate the approved policy to everyone in your organization.
2. Go Beyond Backups
We live in a digital age, and the thought of losing data has forced most organizations to perform routine backups of information. While performing these backups regularly is a good step to ensure that you don’t lose any information, there are simple ways to enhance your backups to provide even more peace of mind and ensure continuity of the organization.
One way to ensure your backups are working as intended is to test a full backup restore on an annual basis. Also consider developing a disaster recovery plan. These plans lay out how the organization would operate if your office were to catch fire, and cover things like where employees would go, what hardware would be used, and necessary communication with third parties. These plans are often best developed with the help of outside service providers, but sample policies are also available online.
3. Leverage Your Board
In a smaller organization there may not be a dedicated IT employee, yet someone must step up to manage this critical area. One potential resource is your board of directors or advisory board. If you don’t have a board member with an IT skill set, consider recruiting one. If you haven’t found one yet, consider putting IT-related issues, such as IT priorities, software changes and risk assessments, to the board for resolution. It’s a great way to solicit feedback regularly from those with different business backgrounds who can help gauge the best course of action.
IT is a critical part of today’s world. Size shouldn’t be a factor when it comes to protecting the critical privacy of your employees, donors and those benefitting from your programs and services. Start making progress today to help your organization be more technologically secure in the future.
Cohen & Company is not rendering legal, accounting or other professional advice. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts and circumstances.