Data security is quickly becoming a priority for nonprofits across the country. However, the nonprofit industry has historically lagged behind in effective endpoint security solutions, placing the task of keeping data secure in the hands of employees and leaders within the organization that have not had formal data security training.
Here are 9 data security terms and phrases that nonprofits leaders should know before a data breach:
Data Loss Prevention
Data Loss Prevention, or "DLP" is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software that helps an organization control what data end users can transfer. The massive rise in data breaches in the past year clearly shows that IT leaders have little visibility into their employee’s security habits, making DLP a priority for many nonprofits.
We are more familiar with phishing in the form of “Nigerian Prince” emails. But hackers have evolved in their ability to impersonate a legitimate sender. These schemes have taken on many forms in the modern age. Common traits of phishing attacks include the sender impersonating something at your organization, the content will prompt action, and lack of personalization.
Spear-phishing is a customized attack on a specific employee. On the surface, it looks and sounds like phishing. But there are two key differences: phishing campaigns cast a very wide net and is relatively easy to execute. But spear-phishing campaigns are targeted at fewer people and with more personalized correspondence, requiring more thought and time to successfully execute.
Naturally, the most lucrative targets for attacks are executives, or the “big fish” of an organization. When a spear-phishing attack specifically goes to someone like a VP or CEO, it is known as “whaling”. Whaling attacks are designed to trick executives into doing something like sending a wire transfer or clicking on a malicious link. Oftentimes, criminals will gather and use personal information about their target to personalize the email better and increase their probability of success. As a result, whaling attacks can be very convincing and difficult for both the target and email defenses to catch.
Data brokering is already $200 billion industry - and this is only taking into account legal data brokering, not what is being sold on the dark web. For nonprofit organizations, this data can be anything from giving history to their social security number and the consequences of this data being leaked are tremendous and far-reaching. When data is leaked purposefully and without authorization regardless if the intent was malicious or well-meaning, that is called data exfiltration.
Sending an email to the wrong person can take many forms. One of the most common causes of a misdirected email is a user incorrectly spelling the email address of the correct recipient. An email intended for email@example.com might be sent to “firstname.lastname@example.org” or even “email@example.com”. Accidentally sending an email message to the wrong address might happen due to employees rushing, or switching focus too quickly when multitasking.
While cybersecurity policies, procedures, and solutions are often focused on cybercriminals outside of the organization, more and more often, it’s people inside the organization who are responsible for data breaches. The incentive can vary from a financial incentive, like selling private data on the dark web, or gaining a competitive edge by taking donor records to a new fundraising job. However, an unaware employee can also become an inside threat by sending a misdirected email, falling victim to a phishing or spear-phishing attack, or even losing their work device.
SOC 2 reports focus on service providers that host or store data, ensuring that they are following industry best practices and their operations are up to code. The SOC 2 report contains a description of the infrastructure, software, people, and procedures that the company has in place to protect and safeguard data. A SOC 2 report contains descriptions of what components the company has and what it does to make sure it successfully delivers on the five Trust Service Principles: Security, Availability, Processing integrity, Confidentiality, and Privacy.
Human Layer Security
Human layer security tools like Gravyty Guard uses artificial intelligence (AI) and the most advanced technologies to address data vulnerabilities that often arise as people interact with data. By understanding behaviors of employees at nonprofit organizations, Gravyty's AI allows development professionals to do their jobs efficiently, while limiting data security risks.
Are any of these phrases new to you? Chat with one of our data security experts to find out if your donor data is protected at no cost to you.