You’ve put firewalls in place and installed antivirus software on every computer in your office, but none of it matters if your staffers are engaging in risky habits. Technical controls alone do not protect your organization. Written policies and regular training are critical for every nonprofit because they tell staffers what is expected of them and give them the knowledge to protect your data against malicious software, phishing, and plain mistakes. Here are the five data security policies that you need to write this year.

  1. Acceptable Use. This is a big catchall category where you can establish the basics: who can access what information, where, and when. It’s also a chance to list the devices and systems your organization uses and how to stay safe while using them. Under this category you might also want to explain some of the ways well-meaning people can accidentally expose the organization to risk, such as social engineering scams in which staffers are tricked into releasing data or giving an outsider access to a system.
  2. Email. Email is a common way malicious software gets into a system, usually through an attachment or a link in a message that looks legitimate. You can help your staffers recognize suspicious emails (unexpected attachments, urgent requests for money or credentials, sender addresses that don’t match the name shown) and tell them exactly what to do when a risky email appears in their inbox: don’t open it or click anything in it, and report it to whoever handles security for your organization.
  3. Mobile Devices and Working Remotely. Are staff members working from home? Do they use their personal computers, tablets, or phones to carry out your nonprofit’s business? Spell out how much of the acceptable use policy applies to personal devices and provide additional guidance for staying safe outside the office, such as avoiding untrusted public Wi-Fi and keeping devices locked and updated. This policy might also include requirements such as the use of a VPN or specific antivirus software. If you require software to be used, you’ll need to provide it at no cost to the staffer and explain how to install and maintain it.
  4. Password Protection. An alarming number of people still use weak passwords such as “123456.” This policy should set a minimum password length, warn staffers never to share passwords or reuse them across accounts, and say when passwords must be changed. Note that current guidance (for example NIST Special Publication 800-63B) favors long, unique passwords that are changed when compromise is suspected rather than on a fixed schedule, since forced periodic changes tend to produce weaker, predictable passwords. Many nonprofits are turning to password management services such as Dashlane, LastPass, and Sticky Password. These tools let you remember just one long, complex master password behind which all your other passwords are stored, and most can be configured to automatically enter the right password whenever you go to an account website or open an application. Where an account offers two-factor authentication, your policy should require it as well, since a password alone is a single point of failure.
  5. Security Response. What will you do if a breach occurs? Use this policy to outline the steps needed to contain the attack, preserve evidence and recover data, clean up affected systems, notify the people and organizations you are obligated to inform, manage the potential PR issues, and get operations back up and running. Name who is responsible for each step so nobody has to work that out in the middle of an incident.

For more information about how to protect your organization, download Idealware’s free report, What Nonprofits Need to Know About Security: A Practical Guide to Managing Risk.