Establishing a Culture of Data Security at PoP

By: Ben Bromberg, Senior Manager of Data Systems

At Pencils of Promise (PoP), we strive to be best-in-class across every aspect of our work. When Adam Braun founded this organization a little over ten years ago, he challenged us to be defined by what we were, rather than what we weren’t. For-purpose, instead of non-profit. We were founded with a mentality that embraced the disruptive, rule-breaking spirit of the start-up tech world. Our 501c3 classification has never held us back from dreaming big, from building a best-in-class brand to supporting our programming with academic-level rigor in our evaluation and radical transparency in how we share our results externally.

In the face of this steadfast commitment to excellence, however, we often face challenges that feel insurmountable. When it comes to technology, the truth is that we occupy the same digital landscape and are at the same amount of risk as Fortune 500 companies like Facebook and Equifax and HSBC, who struggle to provide fundamental security protections with billion dollar budgets. At PoP, we grew up on cloud systems like G-Suite and Salesforce that we by-and-large trust to protect themselves, and had to reach a certain stage of growth before recognizing the need to further establish data security as an organization-wide priority. Without any clear resources available to us as a non-profit on what that shift was supposed to look like, or how to begin evaluating ourselves, our first challenge was where to begin.

Data security is a constant consideration in our work at PoP, so we are working to establish some essential policies, informed by experience and the guidance of mentors in the tech space, that add a meaningful boost to our security and emphasize how data security is a responsibility that must be shared across an organization.

First, a strong password policy!

• Everyone uses passwords, and most people know they should be using better ones. They’re the most common key to your data systems, and if you aren’t careful, cracking your least-savvy colleague’s account can be as easy as “password123”. The trouble is knowing what a good password really is, and to that end I refer to the incredible Troy Hunt. I would defer completely to this article, which is based on the latest recommendations from security experts like Microsoft and the NIST, and has been the basis of our policy at PoP.
• Definitely check out the full resource above, but here’s the most important thing to remember — a good password is one that is easy for humans to remember, but hard for computers to guess. The best way to outsmart a computer is by making your password very long. Random special characters and numbers interspersed throughout can make your password seem more difficult, but you may be surprised how quickly your cleverest tricks get thwarted by a sneaky hacker telling his password-guessing bot, “Sometimes the humans replace Es with 3s”. Worse, insert enough unusual things into your password and you’ll manage to forget it two days later. And the more often we reset our passwords because we’ve forgotten them, the easier we’ll make the next one.
• Summarizing the above, the best password policy is not one with the most restrictions or requirements. It is one that best educates your staff on what makes a good password, encourages length, and encourages the use of a Password Manager for employees who prefer them.

Second, a strict PII (Personally Identifiable Information) sharing policy!

• When it comes to educating your staff on data security threats, it’s vital for them to understand what data they need to protect. For many organizations, the most sensitive data is “PII” — Personally Identifiable Information. This is any combination of data points that can be used to accurately identify an individual (such as name and address, or IDs like a Social Security Number). This is the data that is most likely to be targeted in a breach, as it’s where the hackers can gain the most financially, either through identity-theft operations or blackmailing the organization.
• Of course, to your staff, PII can be something completely different. It can be the list of donors they need to print out for check-in at your event. It may be the donor info you forward to your boss in an email so they can send an acknowledgement. PII like this gets shared by employees on a daily basis, internally and externally, through a variety of communication methods. Setting policies on how PII can be shared and how long this data can be retained outside of secured data systems is an essential, no-cost data security measure every organization should be taking. Because if someone has downloaded a spreadsheet of donors onto their laptop and then leaves it unattended, an outside agent may not even need a password to obtain your most valuable data.
• Luckily, a good PII policy can be pretty simple as well, especially when coupled with a great password policy. First, encourage selective downloading — if you don’t need to include every column of a report when you download it, don’t! Regularly delete PII-containing files from your local machine when you’re done using them. And if you need to store them locally for more than the time it’ll take to complete your task, password-protect it locally. It’s easy to put passwords on file folders, and Excel files themselves can be password-locked. And as a final line of defense, make sure the devices themselves are locked with a PIN or password.

Finally, expect to get hacked.

• If it can happen to data security companies like OneLogin, it can happen to you. The most valuable advice I’ve gotten from speaking to data security experts is that the policies you implement should be designed to protect you not if you are hacked, but when.
• This means a few things. First, don’t expect any security measure to be impenetrable. Data security experts stress a “multi-layered” approach. As alluded to in the examples above, a password on your Excel file can protect your data in case your laptop passcode is cracked. Every layer of protection applied can be the one to prevent a breach, or at the very least slow down the threat. And that can be critical in how well you are able to respond once the threat is discovered.
• Second, and this is important — have a plan for how your organization will respond in the event of a data breach. This may include having a third-party incident response expert on call, just in case. The timeliness of response to a data breach can be the difference between a scary situation and a dire one. If you’re hacked, you don’t want to spend your first 24 hours Googling resources and negotiating contracts with the experts who can help. You want them to have access to everything they need as soon as you can possibly alert them. If you’re a large enough organization, you may even want to build this expertise internally. Don’t wait for the inevitable to make your plan — be ready for the breach when it comes.

I am in the final weeks of an Uptake.org Data Security Fellowship, and have had the opportunity to learn from their brilliant team of security experts. I’ve been learning a lot through that experience, and it has allowed me to confirm these best practices with some of the top minds in the field. With policies and procedures to ensure strong passwords, PII protection, and a response plan in the event of a breach, an organization will find themselves better equipped than most to protect themselves against the modern landscape of cybersecurity threats.

PoP remains engaged in navigating the digital security landscape and the organization will continue to develop secure and sustainable systems that protect our data. If there are any questions about PoP’s approach to data security, please reach out at impact@pencilsofpromise.org.