As cybersecurity attacks continue to rise, IT departments are becoming increasingly aware of the threats that their organizations face. IT security is often highly effective at monitoring networks for abnormal traffic. However, we can’t say the same about tracking human behavior. Since 85% of data breaches are a result of inadvertent actions from well-intentioned employees, today’s cybercriminals design attacks intended to trick people into making mistakes, rather than hacking into networks and devices.
These are vulnerabilities that IT doesn’t have visibility into. For advancement professionals and fundraisers, who handle sensitive donor data every single day, making a mistake that exposes data could be as simple as a workaround that helps them do their job better. An action that seems harmless on the surface could bypass security policy and put highly sensitive data at risk.
Here are 3 examples of times that frontline fundraisers did something that put their donor data at risk:
Downloading a donor report to a personal computer
The ability to move throughout our day from one digital device to another is incredible for productivity, but can be harmful when we cross the wrong wires. Gravyty was recently told of a fundraiser who received a donor research report while working remotely. Because the fundraiser was already working on her personal laptop, that’s where she opened and downloaded the report, which contained financial information about a donor.
Donor and prospect reports hold sensitive information and should always be stored, encrypted, in the cloud. When staff members download these files directly onto their hard drives, a potential data security gap forms -- as now anyone who has access to that hard drive also has access to the files within it.
Autocorrect filling in the wrong email address
Sometimes, software can be too helpful. By suggesting who to send an email to, it’s easy to go on autopilot and hit send before confirming that the email was addressed to “Alex G” instead of “Alex H”.
56% of development professionals admit that they've sent a work email to the wrong recipient because of auto-complete. While some of those emails may be benign, if just one email contains sensitive donor data, personally identifiable information (PII), confidential business data, or otherwise -- those are security breaches.
Emailing a spreadsheet with sensitive donor data
How do you send sensitive donor data to your colleagues? Do you always use the secure link from the shared drive or database which requires a login? Most organizations have policies in place to limit this practice. How do we know that policies are always observed?
If you email spreadsheets, they could still go to the wrong person because email is not automatically encrypted and is susceptible to phishing attacks and other vulnerabilities. Even if the data does go to the right person, does it include more access than they should be privy to? Emails and attachments can always be forwarded, so when a fundraiser’s email is compromised, so too is everything they’ve ever shared.
These potential data breaches are not within the scope of an organization’s IT department. They are the results of human behavior and well-intentioned employees trying their best to get their job done. These mistakes are undetectable by traditional data security. Without insight into this potentially harmful activity, your donor’s data could be at risk every single day.
By focusing on the human behaviors of advancement professionals, Gravyty Guard protects against the vulnerabilities that will define the next decade in the nonprofit sector.
Is your organization protected by human layer security?
Take our free 15-minute risk assessment to find out potential threats to your donor’s data and trust.