Nine best practices to steer nonprofit technology
By Robert Ramsay, CPA, CISA, CITP, CCSFP, Barnes Dennig
Working with nonprofit leaders on a regular basis, the questions I get from the executive directors and C-suite personnel typically revolve around, “How deep in the details do I need to be for my organization?”
While the answer to this question varies greatly, there are a few tips I provide to help leaders sort this out. The following is a brief overview of current key topics, and offers guidelines for steering technology dealing with security, staffing, outsourcing, strategic planning, cloud computing, online banking and finding board members from the technology sector.
Barnes Dennig is offering a free educational seminar covering these topics and more on Sept.13th.
Ford Salon at Robertson Hall, Butler University (4600 Sunset Ave.). Registration and breakfast at 7:30 a.m. , presentation and discussion at 8 to 10 a.m.
Let us know if you are interested in attending and we’ll send you more information.
Data security may be the most difficult and fastest changing element of technology to keep up with today (There are many interesting discussions about the “singularity,” and when robots will take over, but practically speaking, data security is the issue of the day). The most common data security risk is Ransomware, the malware that encrypts your information and demands a ransom to return your data.
By the end of 2017, ransomware is projected to exceed $1 billion per year according the FBI. Executives must make sure that everything (and I mean everything of significance) is backed up and easily retrieved. They also must ensure that all employees are trained to “think before they click.” As backup and retrieval improves and employees reduce the number of times they accidentally click on malware, Ransomware as we know it will diminish in volume and severity.
Online banking is a convenient way to move money. Unfortunately, this applies to the nefarious as well as the well-intentioned. Executives should challenge their finance teams and their bankers to demonstrate that segregation of duties exist to such an extent, that if one person’s account were hacked, this would still not allow the hacker to misdirect (and steal) electronic funds.
Network penetration testing:
Also called “white-hat hacking,” network penetration testing can help you know “What do we look like to a hacker?” This is becoming more and more routine, especially for entities that accept credit cards. Almost like an annual financial statement audit, having an annual data security audit can help make sure your controls are evolving as fast as the threats.
One set of standards that is growing rapidly in the nonprofit sector is HIPAA security requirements. These are a result of U.S. Federal laws that govern personal healthcare information (PHI). Originally just for healthcare providers, these laws have expanded to include all parties in the healthcare system that touch PHI. Because nonprofits want to improve client outcomes, tracking health information is becoming more ubiquitous. Many organizations are choosing to comply with HIPAA as a risk management decision, even if they may not be legally obligated to do so. This is often wise for marketing, as well as security purposes.
Similar to HIPAA, PCI is another set of data security standards becoming generally accepted in the nonprofit sector. These Payment Card Industry (PCI) Data Security Standards are more widely required and more precisely defined than the HIPAA requirements. They also offer a clear tier of difficulty that corresponds with the agency’s volume and complexity of processing. Leaders should insist that their finance and information systems teams are coordinating to meet and exceed these requirements on an ongoing basis.
Outsourcing is a fact of life in technology, but very few internal technology teams know enough to provide 100 percent of the security knowledge needed to keep you safe. However, every nonprofit needs to have someone in-house that fully understands your mission, your strategic plan and your current use of technology. If that person is good, then you can task them with deciding activities that are best performed in-house, and those best outsourced.
Strategic technology planning:
Starting at the board level, almost all nonprofits are familiar with strategic planning. These efforts provide guidance to management, and ensure priorities are clearly communicated. Similarly, strategic technology planning helps steer the technology team. When properly aligned, technology is most efficiently assisting the entire organization to meet its goals. The board should provide clear objectives, and allow management to decide how to meet them.
Internet-provided computing can save costs and provide flexibility to IT operations. It presents opportunities, and risks that must continuously be weighed against the opportunities and risks of NOT using the cloud. Because the environment changes rapidly and risk management can be very difficult, having a board member (or committee) from the technology sector can be very important. Ongoing communications between the board and management are a great way to navigate these challenges.
Finding board members from the technology sector:
This is typically not an easy task for the board chair or the personnel committee. When the benefits of diversity are mentioned, technology experience should be included on the list of needed skills. Fortunately, several organizations are earnestly working to assist boards wishing to connect with technology leaders. In your community, you may have any number of networking groups. The following are some of the largest with a national footprint: United Way’s BoardBank, VolunteerMatch.org, NTEN, and the NPower network. Regionally, there is a large variety of organizations that offer board member training and matching. They can range from your local YWCA to an arts consortium. The bottom line for these efforts is to be intentional about recruiting to fill this niche requirement on the board.
Robert J. Ramsay, CPA, CISA, CITP, CCSFP has performed consulting services for more than 20 years, helping organizations make more mission and strengthen their processes, with a particular focus on data security. He is a member of the firm’s nonprofit client service team and has worked with organizations across the sector. Prior to joining Barnes Dennig, he worked for PwC and TechBridge, a 501c3 consulting firm in Atlanta.
Barnes Dennig’s website provides additional information on these topics. Click here to learn more about our technology practice and the services for nonprofits like yours.
Wednesday, September 13th, 2017
Ford Salon at Robertson Hall, Butler University
4600 Sunset Avenue, Indianapolis, Indiana 46208
7:30 am – Registration and Breakfast
8:00 -10:00 am – Presentation & Discussion
You don’t have to look far to see the news stories: technology threats, security breaches and fraud are on the rise. Don’t miss this opportunity to learn about the current situation not-for-profit organizations are facing as we discuss the big picture on technology, cybersecurity and risks that impact not-for-profits every day.
Join Barnes Dennig Director and technology expert, Robert Ramsay, CPA, CISA (Certified Information Systems Auditor), CITP (Certified Information Technology Professional), as he leads an interactive discussion on what nonprofit leaders need to know about technology and cybersecurity. Attendees will gain useful knowledge on the following topics, and more:
- How to protect your operations while doing business online, and where to look for risks
- Cybersecurity threats that not-for-profits commonly face and what to do about them
- How to fight technology fraud with HIPAA/PCI compliance
- Email vulnerabilities and how they can impact online banking
- Best practices for online treasury management
This event is presented free-of-charge, and attendees will be awarded 1.5 hours of CPE credit. Register Here>>