By Jennifer Coleman, CPA, CFE
As technologies advance and not-for-profits (NFPs) become more sophisticated in using them, information security is becoming a significant business issue. Threats to information security may be internal, such as failure in the design or implementation of IT systems or misuse of data by employees, or external, such as viruses or data breaches.
Don’t fall into the false-security trap of thinking that, just because your organization is small or houses only limited volumes of data, it is immune to costly information security compromises. According to CSO Online, more than half of all organizations experience a security incident at some point. And it takes the average organization 191 days to identify data breaches.
To protect your organization, consider implementing the following internal controls:
Access and Security Controls
Network Security Controls
Back-up and Recovery Controls
Change Management Controls
Should an incident occur, nonprofits without a plan will waste valuable time trying to organize and determine how to respond. And the costs of dealing with the loss of data can be high. Proactive organizations with an established IT security response team and a formalized plan can quickly put that plan into action when needed. Such a plan typically details specific action items and individuals to promptly address issues such as loss of data, which can help to minimize costs.
Unfortunately, security breaches and malware are here to stay. While we hope that your organization never has to confront an issue with your information systems, the above checklist will help any conscientious nonprofit prepare and respond.
Jennifer Coleman, CPA, CFE, is the assurance and quality control partner of Myers, Brettholtz & Company, PA. She is a member of the American Institute of Certified Public Accountants and the Florida Institute of Certified Public Accountants and has received Certification in Fraud Examinations.