How Safe Is Your Data?
By Annette Balgord
Access to critical member data enables association managers to craft more effective communication, deliver a better member experience, and provide easy-to-use portals for collecting dues and selling products. But what if this data were to fall into the wrong hands?
News of systems being hacked and critical personal data compromised is sadly frequent and gives cause for reasonable concern over the safety of member data.
Security around systems and access to data is something that should be discussed, documented and monitored in order to keep member data safe and member confidence in association management strong.
Threats to Security: External and Internal
With the rise and popularity of cloud computing, there has been much written about ensuring that data stored in the cloud is secure. But data stored in on-premise systems is every bit as susceptible.
When thinking about threats to your data, the first image that may spring to mind is that of a hacker. But, while there are hackers who look to crack into systems for fun or criminal purposes, much of your security risk comes from lax internal practices and, to a lesser degree, from disgruntled employees.
Consider the implications (and the ease) of critical data downloaded onto a thumb drive and carried out of the offices. How many staff members transport laptops housing spreadsheets and downloads of sensitive data? A lost or stolen laptop, depending on the information stored on that laptop, can mean a security nightmare.
Whether your information is stored physically within your office or virtually via the cloud, keeping your data secure requires thought, planning and policies.
System Security: Policies, System Controls and Technology
Policies
First and foremost, it is important to identify and address security concerns, and to put procedures in place that create an organizational environment committed to security, one where each person is aware of his or her role in keeping data secure.
Other measures can include background checks as a condition of employment, reviewing liability insurance, and regularly reviewing and enforcing security procedures. Written procedures and regular review of procedures with employees can go a long way in ensuring your information remains safe.
No one likes to consider the worst-case scenario or to be suspicious of employees. However, proactive measures can protect your organization from embarrassment and liability. And, with everyone in the organization participating, it becomes a prudent organizational discipline rather than a matter of suspicion.
Here is a short checklist:
- Are system passwords required to meet a minimum length and to include numbers and special characters, making them more difficult to crack?
- Do you require passwords to be changed on a regular basis?
- Has your organization defined role-based access to information and is the access enforced?
- Do employees sign confidentiality statements?
- Is an adequate budget maintained for network security tools?
- Are those network security tools implemented and updated regularly?
- Can you audit data being accessed and who is accessing the data?
- When employees leave the organization, do you ensure that appropriate processes are changed and access closed down?
Documenting and enforcing your policies, even simple measures such as password design, can go a long way to keeping your information safe.
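Two of the checklist items above (password design and enforced role-based access) can be expressed as small, testable rules rather than left as written intentions. The following is an added example, not code from the article or from any association management product; the minimum length, role names, permissions and user roster are constructed for illustration.

```python
"""Policy-as-code checks for two checklist items: password composition rules
and role-based access that is actually enforced (deny by default).

Added example; the threshold, roles and roster below are constructed for
illustration and are not drawn from any particular association system."""
import string

MIN_LENGTH = 12  # constructed threshold, not a value from the article


def password_meets_policy(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the list of policy violations (an empty list means the password passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    return problems


# Constructed role definitions: the permissions each role may exercise.
ROLE_PERMISSIONS = {
    "membership_clerk": {"member.read", "dues.record"},
    "communications": {"member.read"},
    "finance": {"member.read", "dues.record", "dues.export"},
    "admin": {"member.read", "member.write", "dues.record", "dues.export", "user.manage"},
}

# Constructed user roster. Departed staff are marked inactive rather than deleted,
# so the audit trail of what they once did survives while their access is closed.
USERS = {
    "alice": {"roles": {"finance"}, "active": True},
    "bob": {"roles": {"communications"}, "active": True},
    "carol": {"roles": {"admin"}, "active": False},  # left the organization
}


def is_allowed(user: str, permission: str) -> bool:
    """Deny by default: unknown users, inactive users and unlisted permissions all fail."""
    record = USERS.get(user)
    if record is None or not record["active"]:
        return False
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in record["roles"])


if __name__ == "__main__":
    for pw in ["summer2024", "Tr0ub4dor&3xtra!"]:
        print(pw, "->", password_meets_policy(pw) or "OK")
    for user, perm in [("alice", "dues.export"), ("bob", "dues.export"), ("carol", "member.read")]:
        print(user, perm, is_allowed(user, perm))
```

The access check returns False for anyone not explicitly granted a permission, which is what "enforced" role-based access means in practice: the offboarding step in the checklist becomes a single flag change that closes every permission at once.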
System Controls and Technology
The software applications used by your association, whether cloud-based or on-premise, have built-in security functions.
These functions most likely include: log in/password protection; the administrative capability of assigning, on a user-by-user basis, degrees of access; audit trails; and other security functions that can be set up by the system administrator.
It is important to understand what functions are available to you and the best practices for deploying the functionality.
Here is a quick checklist:
- Do you use virus protection programs and update them regularly?
- Are firewalls used to protect personally identifiable information?
- Do you maintain and review audit logs for attempted intrusions?
- Have you created an incident recovery/back-up plan in case the worst happens and your data is corrupted?
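Reviewing audit logs for attempted intrusions is the checklist item most easily neglected because the logs are rarely read. The following is an added example, not code from the article or from any product: it parses a small set of constructed login audit lines (the line format is an assumption), flags bursts of failed logins from one source against one account, and separately flags any activity by accounts that should have been closed when the employee left.

```python
"""Reviewing an authentication audit log for signs of attempted intrusion
and for activity by accounts that should already have been closed.

Added example with constructed log lines; the line format (timestamp, event,
account, source address) is an assumption chosen for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, event, account, source address.
SAMPLE_LOG = """\
2024-03-01T09:00:01 LOGIN_OK alice 10.0.0.5
2024-03-01T09:02:10 LOGIN_FAIL alice 203.0.113.7
2024-03-01T09:02:12 LOGIN_FAIL alice 203.0.113.7
2024-03-01T09:02:15 LOGIN_FAIL alice 203.0.113.7
2024-03-01T09:02:17 LOGIN_FAIL alice 203.0.113.7
2024-03-01T09:02:20 LOGIN_FAIL alice 203.0.113.7
2024-03-01T09:05:00 LOGIN_OK bob 10.0.0.6
2024-03-01T09:30:00 LOGIN_OK carol 10.0.0.9
2024-03-01T09:31:00 EXPORT carol 10.0.0.9
2024-03-01T11:00:00 LOGIN_FAIL bob 10.0.0.6
"""

DEPARTED_USERS = {"carol"}   # constructed: accounts that should have been closed
FAIL_THRESHOLD = 5           # constructed: failures per window that raise an alert
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn the text log into (timestamp, event, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, source = line.split()
        events.append((datetime.fromisoformat(ts), event, account, source))
    return events


def failed_login_bursts(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (source, account) pairs with at least `threshold` failures inside a sliding window."""
    fails = defaultdict(list)
    for ts, event, account, source in events:
        if event == "LOGIN_FAIL":
            fails[(source, account)].append(ts)
    alerts = []
    for key, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return sorted(alerts)


def activity_by_departed_users(events, departed=DEPARTED_USERS):
    """Any event by an account that should have been closed is a finding in itself."""
    return sorted({(account, event) for _, event, account, _ in events if account in departed})


def review(text):
    """Run both checks and tally failures per account for the reviewer."""
    events = parse_log(text)
    return {
        "bursts": failed_login_bursts(events),
        "departed_activity": activity_by_departed_users(events),
        "fail_counts": dict(Counter(account for _, ev, account, _ in events if ev == "LOGIN_FAIL")),
    }


if __name__ == "__main__":
    for name, finding in review(SAMPLE_LOG).items():
        print(name, finding)
```

The two findings answer different checklist questions: the burst detector covers "attempted intrusions", while the departed-user check ties the log review back to the offboarding item, since an export by a closed account is a policy failure regardless of whether the login itself looked normal.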
Best Security May Be in the Cloud
Established, reputable Software as a Service (SaaS) publishers provide excellent security for your cloud-based applications. Having said that, always perform your due diligence to ensure that they do have top-notch security.
SaaS publishers consider security a core competency and a key competitive differentiator from on-premise software publishers. Because they serve hundreds of thousands of clients, economies of scale allow them to provide security at a level that most organizations could not afford on their own. For example, SaaS publishers use world-class facilities for data centre infrastructure and for back-up and disaster recovery.
Typically these data centres feature round-the-clock monitoring and operations. The data centre system professionals constantly monitor the system, proactively looking for anomalies so that they can intervene immediately and resolve any threat before it impacts the client base.
Cloud computing and privacy: Canadian implications
When working with a SaaS provider and using a cloud-based solution, it is important to know where your data resides physically. Most Canadian organizations prefer, and some are required, to have their data reside in Canada. This is because if your data is stored in data centres located in the United States, the data is subject to the U.S. Patriot Act.
Here is a quick checklist:
- Will your organization’s data reside in Canada or in the United States?
- Does your cloud solution provider maintain a Tier 1 data centre?
- Does your cloud solution provider maintain SAS Type II audited and certified processes and controls?
- Is the data centre of your cloud solution provider monitored and managed 24/7/365?
- What is the frequency of local and remote backups?
While there is no guarantee against security compromises, you can best protect your association and dramatically minimize the risk with vigilance and sound policies and procedures. Encourage all in your organization to treat security with the attention it deserves by adhering to internal security procedures. Work with your software providers to ensure that you are taking advantage of all the security measures that are built into the software. Taking the time to be proactive about your organization’s security will help to ensure that you won’t fall victim to sensitive data falling into the wrong hands.