Data Security in the Digital Age

Every 39 seconds, a cyberattack is launched somewhere on the web — and your nonprofit could be next.

More than half of all nonprofits and non-governmental organizations (NGOs) were targeted by cyberattackers in 2021, research shows. In fact, experts contend nonprofits are particularly vulnerable to cyberattacks, not only because they have often implemented fewer cybersecurity measures than other kinds of organizations, but because they collect so much sensitive personal data on their donors and volunteers, including phone numbers, addresses, and credit card account information.

While media coverage of nonprofit data breaches is scarce, some organizations that were compromised paid a steep price. Consider the example of Philabundance: a mid-2020 cyberattack cost the Philadelphia-based hunger relief group close to $1 million.

Many nonprofits trust Civis Analytics to serve as scientific and technological stewards of their data, and that trust rests on a profound responsibility for securing and protecting the data entrusted to us. Read on to discover how we designed Civis Platform, our cloud-based data science workbench, specifically to protect data in line with industry-leading confidentiality, integrity, and availability standards.

The Cybersecurity Measure Everyone Should Implement

In mid-2020, Google assembled more than 40 thought leaders and technology experts to select one top piece of advice that organizations could promote to boost chances of cybersecurity adoption within their ranks — advice that would be relatively easy for workers to follow and understand, but still relevant to any digital attacks they may face.

Turning on the strongest form of two-factor authentication (2FA) available for professional and personal email, social media, and bank accounts is the first and most important thing anyone working with sensitive data should do, Google says. With 2FA, a website or application grants access only after the user presents two or more independent pieces of evidence (for example, a password plus a code from an authenticator app or a hardware security key) to the authentication mechanism.

“2FA makes account hijacking more difficult,” Google explains. “It can help limit access to sensitive data in accounts, and since email accounts can be leveraged to access other types of accounts (through password reset links sent via email), it helps to prevent that, too. Securing email accounts also serves as another line of defense — they’re where notifications about suspicious password resets or other account changes are sent for a wide variety of accounts.”

Two-factor authentication is core to Civis Platform, which enables teams to collaborate in a secure, centralized environment, complete with network-, application-, and database-level risk and compliance tools that protect your most critical data assets. Platform is secure by default: Civis has required 2FA on every Platform account since 2014.

Civis Platform also supports single sign-on (SSO) via Security Assertion Markup Language (SAML). With SAML, Platform delegates authentication to your organization's existing identity provider, so users log in with accounts they already have (rather than managing yet another username and password) and your identity provider's login policies apply, including much stronger forms of 2FA, such as hardware security keys, than Platform natively supports.
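To make the "second piece of evidence" concrete, here is an added example of how a time-based one-time password (TOTP, RFC 6238), the code an authenticator app shows, is generated and verified. This is illustration written for this page, not Civis Platform's code, and the page does not say which 2FA method Platform uses natively; the secret is the test key published in RFC 6238 Appendix B, so the output can be checked against the standard. The `TotpVerifier` class and its drift window and replay rule are design choices of this example.

```python
"""Added example: generating and verifying TOTP codes (RFC 6238).

Not Civis code. Uses the RFC 6238 / RFC 4226 test secret so results are
checkable against the published vectors (e.g. time 59 -> 94287082 with 8 digits).
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret for SHA-1: the ASCII bytes "12345678901234567890".
RFC6238_SHA1_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """TOTP is HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def current_code(secret: bytes) -> str:
    """What an authenticator app would display right now for this seed."""
    return totp(secret, int(time.time()))


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the seed, the string that goes into an otpauth:// enrolment URI."""
    return base64.b32encode(secret).decode().rstrip("=")


class TotpVerifier:
    """Server-side verifier (design choice of this example).

    Accepts codes within +/- `window` time steps to tolerate clock skew, compares in
    constant time, and never accepts the same time step twice, so a code captured
    over someone's shoulder cannot be replayed after the legitimate login.
    """

    def __init__(self, secret: bytes, digits: int = 6, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue                          # already used (or older than a used step)
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time string comparison
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    print("enrol with seed:", provisioning_secret(RFC6238_SHA1_SECRET))
    print("code at t=59   :", totp(RFC6238_SHA1_SECRET, 59))
    print("code right now :", current_code(RFC6238_SHA1_SECRET))
```

Two things the code makes visible that the paragraph does not: the seed is a shared secret, so whoever holds the enrolment string (or a phone with the app) can mint valid codes, which is why sharing a 2FA phone across staff undermines the factor; and a TOTP code can be phished and relayed within its 30-second window, which is why identity providers that enforce hardware security keys count as the "stronger forms of 2FA" mentioned above.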

Moreover, Platform is an all-in-one tool: data storage, automation, and reporting all reside in one place, also reachable through SSO (i.e., an account you already have). Because there are fewer separately configured systems to get wrong, this reduces the risk that an accidental misconfiguration makes reports or data publicly accessible. In addition, Platform offers features built for organization- and team-level admins, allowing them to block or unblock users and manage access to data storage, automation, and reporting tools.

More Ways Civis Platform Keeps Your Data Safe

Civis Platform directly addresses other expert security recommendations, including:

Developing policies for data handling (e.g., where and how to store which types of data). All data stored in Civis Platform is encrypted both at rest and in transit, and protected behind multiple layers of security measures. A general-purpose computing environment offers the flexibility to do as much of your work as possible inside this protected space: you can run code in any programming language, use Jupyter notebooks and web services, and schedule work to run at any time. In addition, Platform is tightly integrated with GitHub, where you can version control your code in private repositories.

Having a policy/knowing best practices for what to do when someone leaves your organization. Protecting multi-tenant user accounts in environments where staffers routinely come and go poses unique challenges. Because account ownership must be transferred as people join and leave your team, shared accounts are widespread, and a shared account makes 2FA impractical: either the phone or seed is passed around, or the factor is quietly disabled.

Instead of juggling multiple accounts to do work on your own machines, you can automate this work in Platform, storing credentials via our secure Credentials feature. Workflows can be set up to run under special “robot” accounts, so work continues as new staffers join the organization and others exit. Robot accounts have no password and cannot be logged into directly, so there are no shared passwords and no shared phones for 2FA. You assign access to a robot account only to the personnel who need it, and users lose access to everything in Platform (including robot accounts) as soon as their own account is deactivated.
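The following is an added illustration (example code written for this page, not Civis Platform's implementation or API) of the account pattern just described: humans authenticate with their own account plus 2FA, scheduled work runs under password-less robot accounts, offboarding a person revokes everything they could reach including robot access, and an audit catches the case where deprovisioning only half happened. The `Directory` class, its method names, and the sample accounts are all constructed for the example.

```python
"""Added example: a minimal model of human accounts, robot accounts, and offboarding.

Not Civis code; names and structure are illustrative.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    is_robot: bool = False          # robots have no password and no interactive login
    active: bool = True
    totp_enrolled: bool = False     # every human login requires a second factor


@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)
    # robot name -> set of human names allowed to run work as that robot
    robot_operators: dict = field(default_factory=dict)

    def add_human(self, name: str, totp_enrolled: bool) -> None:
        self.accounts[name] = Account(name, totp_enrolled=totp_enrolled)

    def add_robot(self, name: str) -> None:
        self.accounts[name] = Account(name, is_robot=True)
        self.robot_operators[name] = set()

    def grant_robot(self, robot: str, human: str) -> None:
        """Let `human` schedule work as `robot`; grants are per person, never shared."""
        if robot not in self.robot_operators:
            raise KeyError(f"unknown robot account {robot!r}")
        if self.accounts[human].is_robot:
            raise ValueError("robots cannot operate other robots")
        self.robot_operators[robot].add(human)

    def can_login(self, name: str, password_ok: bool, totp_ok: bool) -> bool:
        """Interactive login: only active humans, and only with both factors."""
        acct = self.accounts.get(name)
        if acct is None or not acct.active or acct.is_robot:
            return False                          # robot: no password, login always refused
        return password_ok and acct.totp_enrolled and totp_ok

    def can_run_as(self, human: str, robot: str) -> bool:
        """Effective access is checked at use time, so a deactivated person loses it at once."""
        h = self.accounts.get(human)
        return (h is not None and h.active and not h.is_robot
                and human in self.robot_operators.get(robot, set()))

    def offboard(self, human: str) -> None:
        """Deactivate the person and revoke every robot grant they held."""
        self.accounts[human].active = False
        for operators in self.robot_operators.values():
            operators.discard(human)

    def audit(self) -> list:
        """Findings an admin should review: stale grants, orphaned robots, humans without 2FA."""
        findings = []
        for robot, ops in self.robot_operators.items():
            for h in sorted(ops):
                if not self.accounts[h].active:
                    findings.append(f"{robot}: grant to deactivated user {h}")
            if not ops:
                findings.append(f"{robot}: no active operator (orphaned)")
        for acct in self.accounts.values():
            if not acct.is_robot and acct.active and not acct.totp_enrolled:
                findings.append(f"{acct.name}: human account without 2FA")
        return findings


if __name__ == "__main__":
    d = Directory()
    d.add_human("alice", totp_enrolled=True)
    d.add_robot("nightly-etl")
    d.grant_robot("nightly-etl", "alice")
    d.offboard("alice")
    print("alice can run nightly-etl after offboarding:", d.can_run_as("alice", "nightly-etl"))
    print("audit:", d.audit())
```

The audit is the part worth copying: revocation should be checked at the point of use (as `can_run_as` does) rather than assumed to have happened, and a periodic sweep for grants that reference deactivated people catches the common failure where HR deactivates an account but nobody cleans up what it could reach.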

Threat and vulnerability management. Civis commissions annual application penetration tests from industry-recognized third-party consulting firms, runs continuous vulnerability scans, and tracks critical findings through to remediation.

Incident response management. Civis has established a comprehensive incident response plan that gives staff members a clear definition of their roles and responsibilities for each phase of the incident lifecycle. The plan provides a set of instructions for responding to security events, and, per legal and contractual requirements, customers are notified without undue delay of any security incident involving their data. A post-incident review follows each incident to establish the root cause, prevent a recurrence, and apply lessons learned to the handling of future incidents.

Compliance. Civis Platform is built on a set of AWS services that hold FedRAMP Moderate authorization. Platform has successfully completed a SOC 2 Type II examination and is aligned with applicable HIPAA security controls; the SOC 2 report provides assurance that Platform's service commitments and system requirements were achieved based on the trust services criteria for security and confidentiality set forth by the American Institute of Certified Public Accountants (AICPA).

Laying the groundwork for a stronger security culture moving forward. Beyond Platform's technology and features, Civis delivers white-glove consultation and support. We employ dedicated security and DevOps teams to protect both the data and the system, giving all clients the same level of protection; our security team works with security experts from Amazon Web Services, Google, and other top firms to manage Platform according to industry standards, and our client success and solution architect teams help organizations set themselves up to follow these best practices. The annual SOC 2 Type II audit, covering the security and confidentiality trust services criteria, holds us accountable to an independent auditor for keeping clients as secure as possible according to current guidelines.

We constantly test and evaluate our systems, and never stop seeking to improve our security measures. Moreover, Civis is committed to transparency around processing personal data: we provide clear, easy-to-read explanations about our information practices — commitments that guide our decisions regarding how, where, and when to collect and share personal data.

Conclusion

The effects of data breaches reverberate far and wide. Nonprofits that fall victim to cyberattacks face not only data loss but also revenue loss, disruptions to day-to-day operations, and reputational damage; after all, supporters share information with organizations like yours on the assumption that you have implemented the measures needed to keep their data safe. In other words, Civis Platform does not just secure your nonprofit's data; it secures the organization's future, too.
