Responsibility for Information Technology Controls (IT controls) may seem to fall squarely on the shoulders of the CIO or IT Department, but, in reality, all employees of your organization, from the C-Suite to the interns, are responsible for safeguarding your nonprofit from risks and vulnerabilities.
Similar to financial controls that help prevent fraud or operational controls that ensure compliance, IT controls play a major role in strengthening your organization and ensuring that your donors, volunteers and community members have confidence in your brand.
As the threat of cyberattacks has mounted over the past year, there has been a shift in where the blame for such attacks is placed. Society tends to require a visible target for blame. Even though cybercriminals are not always known or visible, organizations are. In such circumstances, the victim becomes the target.
Protecting your organization’s data and brand is imperative. Below are some major areas of concern for IT controls and Warren Averett’s suggestions for how to improve your controls in each area.
Software Application List
Maintaining a comprehensive list of critical software applications will ensure that your organization is aware of what software is being used and what potential vulnerabilities exist from outside parties or vendors. If your entity does not track approved software, or if you allow employees to install software without approval, the environment is at risk of being compromised quickly. Maintaining this list of applications will also serve as an operational safeguard in situations in which turnover or unforeseen employee issues require others to step in and pick up job responsibilities with little transfer time.
Departmental Vendor Management Programs
Responsibility for IT security is not something that sits on leadership’s shoulders alone. Everyone at your organization plays a part in keeping your networks safe. It should be a top priority for your organization to create a solid vendor management program that performs due diligence on all outside vendors who may have access to your organization or your donors’ information. All nonprofits should apply risk assessments consistently to all individuals and third-party vendors who have access to your servers, applications and databases. Reviewing the IT controls of others will help in identifying which vendors have your nonprofit’s best interest at heart.
Consistent Monitoring of Activity
Organizations should monitor activity that involves potential vulnerabilities and implement policies to avoid such vulnerabilities, for example by prohibiting generic (shared) account access and by not providing users with passwords that never expire.
One of the most basic, yet often overlooked, rules of cybersecurity is to set password parameters for your organization. You should put policies in place that ensure your employees, and any volunteers who may have accounts for applications or software, are required to set complex passwords and change them regularly. Multi-factor authentication (MFA) is quickly becoming a “complexity” you can add to the parameters to provide an additional layer of security. According to recent FBI reports, employing MFA for remote users should become the best practice, and some organizations take that a step further by requiring it for all password-protected assets and applications.
User Accounts of Terminated Employees
The easiest self-examination of IT controls for any organization is a review of whether former employees retain access (even if only for a short time period) to computers, email accounts or software accounts. No one is more upset than a recently terminated employee, and if there is no policy for quick removal of such an employee’s access to the appropriate systems, your entity could be at serious risk. Controls to guard against this might include procedures such as timely notification and documentation of the access change request, and periodic reviews with sign-offs on user listings by the administrators of the applications or networks.
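As an added illustration (not code from this article or from Warren Averett), the following Python script runs the checks described in the two sections above over a constructed user listing and a constructed HR separation list: enabled accounts that belong to terminated employees, generic shared accounts, passwords set to never expire, and passwords older than an assumed 90-day maximum age. The account names, dates and the generic-name list are all made-up sample data.

```python
from datetime import date, timedelta

# Constructed sample user listing, in the shape an application or directory
# administrator might export for a periodic access review (not real data).
USER_LISTING = [
    {"user": "jsmith",    "enabled": True,  "pw_never_expires": False, "last_pw_set": date(2023, 9, 1)},
    {"user": "mjones",    "enabled": True,  "pw_never_expires": True,  "last_pw_set": date(2022, 1, 10)},
    {"user": "admin",     "enabled": True,  "pw_never_expires": True,  "last_pw_set": date(2021, 5, 5)},
    {"user": "volunteer", "enabled": True,  "pw_never_expires": False, "last_pw_set": date(2023, 10, 2)},
    {"user": "rlee",      "enabled": False, "pw_never_expires": False, "last_pw_set": date(2023, 3, 3)},
]

# Constructed HR record of separations: user -> termination date.
TERMINATIONS = {"mjones": date(2023, 8, 15), "rlee": date(2023, 6, 30)}

# Account names that are generic or shared rather than tied to one person (assumed list).
GENERIC_NAMES = {"admin", "volunteer", "guest", "test", "shared"}

MAX_PASSWORD_AGE = timedelta(days=90)  # assumed policy value


def review_accounts(listing, terminations, today):
    """Return (user, finding) pairs for enabled accounts that violate the controls."""
    findings = []
    for acct in listing:
        name = acct["user"]
        if not acct["enabled"]:
            continue  # disabled accounts are already handled; nothing to flag
        # Terminated employee whose access was never removed.
        if name in terminations and terminations[name] <= today:
            findings.append((name, "terminated-still-enabled"))
        # Generic or shared account: activity cannot be tied to one person.
        if name in GENERIC_NAMES:
            findings.append((name, "generic-account"))
        # Password exempt from the rotation policy.
        if acct["pw_never_expires"]:
            findings.append((name, "password-never-expires"))
        # Password older than the maximum age the policy allows.
        if today - acct["last_pw_set"] > MAX_PASSWORD_AGE:
            findings.append((name, "password-stale"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(USER_LISTING, TERMINATIONS, date(2023, 10, 15)):
        print(f"{user}: {finding}")
```

Each finding is something the reviewing administrator should either fix or explicitly sign off on; an unchanged list from one review to the next is a sign the review is not being acted on.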
External Penetration Testing and Internal Vulnerability Scanning
Organizations often do not perform penetration testing or internal vulnerability scanning regularly due to a lack of understanding or concern about cost. Performing regular penetration tests on firewalls and access points can prevent potential hackers from accessing systems and databases. Although regular scans can be expensive, the cost of data loss from a breach can be even worse.
The above issues are only a few of the IT control-related issues. Others include proper data backup, disaster recovery policies and procedures and mobile device encryption policies.
Sound IT controls start with governance of your organization. Policies set forth by management should be followed by everyone every day with no exceptions. If the top executives believe something is important, then employees will follow leadership’s suit.