NGOs and Data Security: Do You Know Where Your Data Is?

By Brian Cute, CEO, Public Interest Registry

This post is part of a Public Interest Registry series called “NGOs and Data Security” and is aimed at providing educational insight to noncommercial internet users around different data and information security themes.    

It’s no secret that non-governmental organizations (NGOs) work very hard to make a difference in the world – and sometimes with very scarce resources. On top of delivering programs and services to your communities, you are pulled in many directions while trying to cultivate donations, manage staff, and communicate with stakeholders. What’s more, the financial and physical security of your organization and of your team and constituents are, most likely, top-of-mind. Is data security a top priority for your NGO?

What do we mean by “data”? Data is most commonly thought of in its quantitative form of figures, like a personal bank account, telephone or social security number, or even more complicated strings like a computer Internet Protocol address (IP address) or International Mobile Equipment Identification number (IMEI). Data can also be descriptive words, text or images, including sets of information such as passwords, photos and video files.

In a world where the internet and technology tools make our lives easier, we tend to share a lot of information – or data – freely. Many organizations exhibit the basics of data security: protecting your organization through secure internet connections, safe internet use, and having strong passwords. These actions help protect you from external threats looking to gain access to your data. (For more on DDoS attacks, phishing and government surveillance see my September post, Not-for-profits and online security – How can we help?) But do you really know what happens behind the scenes of your day-to-day online activity and engagements with your service providers – even if you think you’re acting cautiously?

In other words, do you really know where all your data is?

Just as Public Interest Registry has a commitment to provide you, the not-for-profit community around the world, a safe and secure experience on the .org domain, it is your responsibility to protect the banks of staff, donor and supporter data entrusted with you.

Where Your Data Can End Up, Even if You Think It’s Protected

Are you aware that when you engage with an internet and online service provider – even one you trust to provide a high-quality service – your data could still be used in unforeseen ways? That’s why when you commit to a contract with a service provider, it’s important to understand what you’re agreeing to. Otherwise, simply put, you may be unknowingly breeching your own security walls and inadvertently handing over access to your data.

For example, if you’re using an email program to distribute invitations to an event or a monthly newsletter, you’ll need to upload your customer or donor database. Does your list include full names of contacts directly connected to their email address and phone number? What happens to the data set once uploaded? Armed with this information, digital programs could then identify pieces, such as email addresses, and track user activity throughout the internet. Your complete data set – or even these activity trends – could also be sold to third parties, some of which are in the business of combing large, disparate data sources to identify patterns that can be used to solve unrelated issues. Data is big business!

A common misconception occurs around social media and mobile apps. While you and your staff are in the field and connect to your organization’s networks, social channels or app-based services through a mobile device, there is a potential for data about your activity to be collected. Location-based GPS tracking through active social media channels or open apps on your mobile phone can create a record of your history, which could also be tied to your NGO. Tracking can occur not only about where you are and what you’re doing, but who you’re with and your habits by connecting the dots. Additionally, using your mobile phone to connect to the internet via unsecure connections could also leave you venerable to hackers and identity thieves trolling for data to steal.

Another consideration should be protecting your internal data when you initiate a relationship with a vendor. Take registering a domain for example. Do you remember what data you provided to obtain your domain name? For .org domains, Public Interest Registry collects information about your organization, where you operate and who the owner of the domain name is. We then post this information in a public database under the Internet Corporation for Assigned Names and Numbers (ICANN) “WHOIS” policy to identify open domain names and provide access to the contact and technical information for domains in case issues arise. While this data sharing requirement is designed to ensure effective functioning of the internet experience (and registrants can opt for privacy to keep their date from appearing on the public WHOIS list), it also serves as a good reminder to be cautious when initiating relationships with third parties.

Here are things you should know and questions you should ask your internet and online service providers before you accept service from them:

  • What type of security practices do they have in place?
  • Do they test their security measures often and have employee background checks?
  • How secure is their network or brick-and-mortar facility where data storage infrastructure is located?
  • Are audit trails conducted on databases or files? Are you able to make a request for them?
  • Are they insured, licensed and bonded should there be an issue?
  • What partners do they work with and if data is shared, ask what kind, when, how – and how you’ll be alerted.

When it comes to data security, knowing where your organization’s data and donor information can end up is of utmost importance. It’s common practice in today’s world, especially for the non-commercial community that relies on the good will of others to be successful. Protecting your donor, constituent and even employee information is your responsibility and a crucial step in building trust that can convert into long-term relationships.

Stay tuned for our next post on this topic, which will provide information on how to prevent a data breech/hack of your organization.