Nik Stephens
Chief Technology Officer
Has your fundraising platform put your data at risk? If you aren’t asking this question of your technology partners, you could be exposing your organization, your supporters, and your mission to potential threats. These days, it seems like hardly any time passes between headlines of the most recent data breach. Consider that a striking two-thirds of data breaches can be attributed to an organization’s third-party relationships.
The threat of cyberattacks looms large, affecting organizations of all sizes across industries. Cyberattacks are on the rise as approximately 1 in every 31 organizations worldwide experienced a ransomware attack weekly in the first quarter of 2023.
The nonprofit industry is no exception. Nonprofits are particularly vulnerable to cyberattacks because they hold sensitive donor information, often have limited cybersecurity expertise, and depend on third-party vendors. The Federal Trade Commission (FTC) recently published an article about a 2020 breach that impacted thousands of nonprofits, foundations, educational institutions, and healthcare organizations and compromised the data of millions of donors. The company's lax security policies were directly cited as creating a window for the breach, and its delayed response only compounded the damage.
The FTC even wrote a haiku to summarize three principles of sound data security:
- Keep data secure.
- Safely dispose after use.
- Tell people the truth.
Let’s dig into these recommendations to help your team assess your technology partners’ data security practices and ensure the right safeguards are in place.
What practices do you have in place to mitigate risk?
Data security isn’t one-size-fits-all, but there are fundamental requirements that must not only be documented, but also followed and verified by third-party risk management specialists. Data encryption, stringent password controls (including multi-factor authentication), clear policies based on the principle of least privilege, and continuous monitoring are all basics every technology company should have in place.
The DonorDrive Answer
Data security is an ingrained part of our DonorDrive culture. We’re committed to reducing vulnerabilities and the risk of exposure, and we have made the investments to back it up. We don’t off-shore our security work; we employ in-house, security-trained development and support teams who make our clients’ security their priority.
Here are just a few of the steps we’ve taken to protect our clients’ data:
- Certified PCI DSS Level 1 compliant 7 years in a row from an industry-leading security auditor
- Real-time continuous security monitoring and alerts, with an in-house response team available 24x7
- Internal and external penetration testing performed routinely by external, CREST-certified cybersecurity experts
- Continuously evolving security policies that exceed industry standards for user authentication, data encryption, and ongoing employee security education
What is your data destruction policy?
Think about the data you collect when a donor or fundraiser engages with your organization.
Names, birth dates, banking information, estimated wealth, donation history, and account credentials are all considered sensitive data. This data should only be collected for legitimate business purposes and must be disposed of securely once that business need has passed.
The DonorDrive Answer
Our clients’ data first and foremost belongs to our clients. We do not use this data for any other purpose, and once a client is no longer contracted with our company, we dispose of their data. It’s that simple.
What happens when you experience a breach? How do you respond?
You might receive a quick response from your fundraising technology partner that they’ve never experienced a data breach. The bigger question is whether they have a tested incident response plan in place. There is no substitute for proper preparation when it comes to handling a security incident, as past performance is no guarantee of future security in the continuously evolving threat landscape. Much of this comes down to how much you trust your partner and believe that when push comes to shove, they’ll be transparent and accountable in handling security incidents.
The DonorDrive Answer
Our team proactively monitors and prepares for possible security threats 24/7/365. Whenever a potential threat is identified, our on-call team immediately conducts an investigation. In the unlikely event that DonorDrive were to experience a data breach, we are committed to notifying our customers within 72 hours. To date, we have not experienced a data breach, and we take great pride in the steps we have taken and the investments we have made to continue keeping our clients’ data safe.