November 3, 2017

For smaller or start-up nonprofits, infrastructure elements like information technology (IT) are often small and uncomplicated, allowing the greatest flexibility and economy. The bad news is that while the organization is saving money, aging IT systems lack critical security features as well as the strategic and functional advantages enjoyed by peers who have prioritized IT investments. What should you do if your organization has fallen behind the curve? Like any other large capital expense, the investment you make in IT should play a significant role in helping your organization achieve its mission. To ensure the alignment of investment with mission as well as current needs, small nonprofits should consider the following factors before upgrading or replacing current IT systems, or considering the cloud.

IT security will continue to be a significant focus for nonprofit organizations, businesses and individuals

Start by considering your donors. The large number of recent security breaches in the news has the threat of stolen personally identifying information (PII) on everyone’s minds. Donors expect a secure environment for their transaction and want to feel confident that your organization has the proper security features in place to protect their financial information and PII from breaches. It is not a question of IF your organization will be attacked; it is WHEN the attack will occur and whether you are prepared. A loss of donor data linked to your organization could have devastating effects on future donations. Any new IT systems you consider should include the latest security features used in the for-profit world and they must be upgraded and tested regularly to guard your organization against new threats as they emerge. To reinforce the technology, train your staff on the latest security threats so they will serve as an additional line of defense.

Consider the Cloud

To minimize costs and increase overall efficiency, nonprofits in growing numbers are upgrading their IT systems to the cloud. After an initial investment and with the appropriate solution, these organizations have been able to reduce IT expenses through cloud-based systems. In an era of nonprofit transparency, many organizations are sensitive to public perception of the budget spent on overhead versus programmatic activities. However, as the availability of cloud technology increases, your options become more affordable. A vast number of free products currently on the market can increase security, storage and availability and provide an increasingly convenient alternative. As nonprofits grow, some have also taken advantage of the opportunity the cloud offers employees to work virtually, with the residual benefit of reducing the need for new or additional office space. If your organization is considering a move to the cloud, consider which business functions make sense to transition, where to stick to your current technology or plan an upgrade, the potential impact on vendors and affiliates, and your organization’s commitment to security. If you are an international organization, the cloud should top the list of possible solutions for your organization’s needs.

Complete an IT Risk Management Framework

Mitigating significant internal and external risks can keep your organization on track. Cloud systems, while efficient and reasonably priced, contain many of the same IT risks as their non-cloud-based counterparts. Due to the continued presence of these risks, having an IT Risk Management Framework set up can help you easily find and establish countermeasures against cyberattacks. If you know certain data is only accessible to two employees, you know exactly where to start looking to prevent further damage. If you know your passwords are protected in one program or one location, you can immediately understand what information is at risk and how to protect that data quickly and effectively. Having an IT Risk Management Framework laid out will help you and your organization be better prepared and will provide a detailed guide for anyone investigating an attack after the fact.

An IT audit doesn’t need to be complicated. In 2017, every organization should be taking a close look at the technological methods they have in place, and updating every couple of years accordingly. A thorough analysis of your IT controls will save you time and trouble in the long run.

Employee Education

The most important element in your organization’s IT framework is employee education, particularly with relatively new cloud-based technology. Over 90% of all cyberattacks use information stolen from employees who unwittingly give away their login information to hackers. Securing your network from external attacks is worthwhile – but the call is coming from inside the house in the majority of these information breaches. By coaching your employees on common tricks or best practices for data protection, you eliminate the vast majority of hackers’ entryways.

Start with an IT Audit

Wherever your organization falls on the spectrum of IT sophistication, if your organization is considering replacement or upgrade, an IT audit is a great place to start. An IT audit can help your organization ensure your use of IT is effective, that systems and processes operate as intended, and that IT assets and other resources are efficiently allocated and appropriately protected. IT audits help organizations understand, assess and improve their use of controls to safeguard PII, measure and correct performance and achieve objectives and intended outcomes. For more information on conducting an IT audit, contact Ricardo Trujillo, CPA, CITP, CISA at 301-951-9090 or rtrujillo@grfcpa.com.

Ricardo Trujillo, CPA, CITP, CISA

Partner, Audit and Assurance