By Lindsay Nash
Managing a nonprofit organization requires careful coordination, and nonprofit leaders increasingly rely on software to handle the bulk of daily operations.
From CRMs and productivity tools to accounting software and grant management systems, software is used to streamline workflows, save time, and drive greater impact.
Nonprofits looking to adopt new software or update their current systems must wade through more choices than ever before. And while price is typically a top consideration, security and data privacy have become one of the most important points of deliberation, if not the most important.
According to Gartner Digital Markets’ 2024 Software Buying Behavior Survey, a massive 46% of buyers say that security certification, reputation, and data privacy practices are the top reasons they choose a software vendor.
Why is data security important for nonprofits?
Nonprofit organizations may be synonymous with goodwill and public service, but that does not exempt them from a growing threat landscape in which criminals exploit vulnerabilities for financial gain; donor records and beneficiary data are as valuable to a thief as any company's customer list.
As more nonprofits depend on software for their diverse operations, it's mission-critical to choose software that is verifiably secure. That "verifiably" part is crucial: a vendor's word is not evidence. Insecure software is often a case of a vendor not knowing their products are insecure, or not following established security practices, and neither shows up in a sales pitch.
“By choosing a provider with strong security bona fides, buyers seek to reduce risk to their business, avoid financial impact, and prevent downtime or disruption,” Gartner explains in their survey.
Not sure what to look for when assessing software security features? Here are some questions you can ask when procuring new software for your nonprofit organization.
7 Questions to ask your software vendors about security
- Ask: Can you provide proof of security credentials?
Built-in security features are central to protecting your nonprofit organization, your data, and your users' data. Laws and industry standards designed to protect privacy and consumer data mean that organizations have a legal or contractual responsibility to comply with regional and industry-specific requirements, and that responsibility extends to the software they choose.
A few important examples of these laws and standards include:
- The General Data Protection Regulation (GDPR), covering personal data of people in the EU
- Health Insurance Portability and Accountability Act (HIPAA), covering health information in the United States
- Payment Card Industry Data Security Standard (PCI DSS), a contractual industry standard rather than a law, covering anyone that handles card payments
- California Consumer Privacy Act (CCPA)
When shopping for software, or checking what you already use, start with the vendor's website, which should clearly list their security credentials. If proof of security is not published, contact the vendor directly to request it. Don't skip this step, and don't take what you are shown at face value either: check that a certificate or report is current, names the auditor that issued it, and covers the product you are buying rather than some other part of the vendor's business. If something happens to your data or there is a breach in the system, your organization remains accountable to its funders, beneficiaries and regulators; under GDPR, for example, the nonprofit is the data controller even when the breach happens at a vendor acting as its processor.
At Good Grants, for example, which provides grant management software for small to medium-sized grantmakers across the globe, we provide a detailed security profile, along with a security trust center where updated security compliances and documents are readily available for public download.
It's critical to do your due diligence and request copies of any certifications or audit reports a vendor claims to hold. Treat a claim as unverified until the document is in your hands.
- Ask: Are you ISO/IEC 27001 certified and/or SOC 2 audited?
One of the most useful signals is whether the vendor holds ISO/IEC 27001 certification or a SOC 2 report. These have become the de facto standard for software vendors internationally and in the United States, respectively. Note what they cover: both assess the vendor's security management and controls, not the code of a specific product, so they tell you the vendor runs a disciplined security program rather than that the software is free of vulnerabilities.
ISO/IEC 27001 defines the requirements an information security management system (ISMS) must meet and provides guidance for establishing, implementing, maintaining, and continually improving it; an accredited certification body audits and certifies conformity. SOC 2 (System and Organization Controls 2) is not a certification but an independent audit report, prepared by a CPA firm, that attests to a service organization's controls against the AICPA Trust Services Criteria. A Type I report describes the controls at a point in time; a Type II report tests that they actually operated over a period, typically six to twelve months, and is the more valuable of the two.
Conformity with ISO/IEC 27001 and SOC 2 helps organizations become risk-aware and proactively identify and address weaknesses. They are powerful tools for risk management, cybersecurity and operational excellence, and you should expect them of every vendor that will hold your data. When you receive a report, check its date, its scope statement, and any exceptions the auditor noted.
- Ask: How secure are your servers and how do you physically protect access?
All SaaS software physically runs somewhere, whether in a cloud provider's data centers or on a server at the vendor's premises. It's important to check how that infrastructure is protected.
How is the data in this infrastructure accessed? For example, plain FTP is an easy way to reach a server, but it sends usernames, passwords and file contents unencrypted, so it is best avoided in favour of SFTP or SSH with key-based authentication. Confirm that only authorized vendor staff can reach the application and its data, that each person's access is individually accounted for, protected by multi-factor authentication and logged, and that access is reviewed and removed when staff leave.
If data is stored within AWS (Amazon Web Services), the underlying infrastructure can generally be regarded as secure: AWS data centers and network architecture are built to comply with stringent global standards such as SOC 1, SOC 2, SOC 3 and ISO/IEC 27001, and AWS is listed in the Cloud Security Alliance STAR registry. That assurance stops at the infrastructure, however. Under the shared responsibility model, the vendor is responsible for how it configures what it runs on AWS (storage permissions, network rules, encryption settings, access keys), and a large share of cloud breaches originate in customer misconfiguration rather than at the provider. Ask the vendor how it secures its own configuration, not just where it hosts.
- Ask: Do you offer role- and permission-based controls?
Software with effective role- and permission-based access controls limits the information each user can reach, so that sensitive data can only be seen by those explicitly authorized to see it. The principle behind this is least privilege: every account should have only the access its job requires, and nothing more.
Keep an eye out for granular role and permission functionality, and note how it interacts with pricing. Per-seat pricing tempts organizations to share one login among several people to keep costs down, and a shared login defeats access control entirely: permissions can no longer be tailored to the person, a departing staff member keeps access until the shared password is changed for everyone, and the audit trail can no longer say who did what. A vendor whose pricing lets you give every person their own account with their own permissions is, for that reason, the more secure choice. User permissions let you grant access to specific views and functionality, so you decide who sees what and what they can do.
For example, you may need to give your accountants access to your fundraising system for accounting purposes. You'd assign them the role of "accountant" and permit them to view funding amounts. Funding amounts may not be something other users should see, so you hide that data from roles that don't need it.
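To make the "accountant" example concrete, here is a small role- and permission-based check. It is an added illustration written for this page, not code from Good Grants or any other product; the role names, permission strings, users and records are all constructed for the example. It denies anything not explicitly granted, hides the funding amount from roles that lack `funding:view`, and records every decision against the acting username, which is exactly the attribution a shared login would destroy.

```python
"""Role- and permission-based access control (RBAC), deny by default.

Added example for this page; not code from any vendor. Role names,
permission strings, users and records are all constructed here.
"""
from dataclasses import dataclass

# Permissions each role grants. Anything not listed is denied. Permissions
# ending in ":own" apply only to records the user is the applicant of.
ROLE_PERMISSIONS = {
    "admin":      {"application:view", "application:edit",
                   "funding:view", "funding:edit", "user:manage"},
    "accountant": {"application:view", "funding:view"},
    "reviewer":   {"application:view", "review:submit"},
    "applicant":  {"application:view:own", "application:edit:own"},
}


@dataclass
class User:
    username: str
    roles: frozenset = frozenset()


@dataclass
class Application:
    application_id: str
    applicant: str        # username of the person who applied
    funding_amount: int   # sensitive: only funding:view may see it


# Every decision is recorded with the acting username, which is only
# meaningful when each person has their own login.
AUDIT_LOG = []


def permissions_for(user):
    """Union of the permissions of all the user's roles (unknown roles grant nothing)."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, permission, record=None):
    """Deny by default: allow only an explicit grant, or an ':own' grant
    on a record the user is the applicant of. Every decision is audited."""
    perms = permissions_for(user)
    allowed = permission in perms or (
        record is not None
        and f"{permission}:own" in perms
        and record.applicant == user.username
    )
    AUDIT_LOG.append({
        "user": user.username,
        "permission": permission,
        "record": record.application_id if record else None,
        "allowed": allowed,
    })
    return allowed


def view_application(user, app):
    """Return only the fields this user may see. Raises PermissionError
    if the user may not view the record at all."""
    if not is_allowed(user, "application:view", app):
        raise PermissionError(f"{user.username} may not view {app.application_id}")
    view = {"id": app.application_id, "applicant": app.applicant}
    if is_allowed(user, "funding:view", app):
        view["funding_amount"] = app.funding_amount  # hidden from everyone else
    return view


# Constructed sample users and records.
ALICE_ACCOUNTANT = User("alice", frozenset({"accountant"}))
BOB_REVIEWER = User("bob", frozenset({"reviewer"}))
CAROL_APPLICANT = User("carol", frozenset({"applicant"}))
APP_1 = Application("APP-1", applicant="carol", funding_amount=25_000)
APP_2 = Application("APP-2", applicant="dave", funding_amount=40_000)

if __name__ == "__main__":
    print(view_application(ALICE_ACCOUNTANT, APP_1))  # includes funding_amount
    print(view_application(BOB_REVIEWER, APP_1))      # no funding_amount
    print(view_application(CAROL_APPLICANT, APP_1))   # her own record, no funding
    for entry in AUDIT_LOG:
        print(entry)
```

The check is deliberately a whitelist: a role that is misspelled or not yet defined grants nothing, and a new permission string is invisible to every role until someone adds it. That "fail closed" behaviour is what you want to hear a vendor describe when you ask how their roles work.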
- Ask: What are your password requirements, and do you offer multi-factor authentication?
Encouraging strong passwords is, of course, important. But in today's risk environment it is not enough on its own to prevent unauthorized access to your software.
You'll want all the software you use to offer multi-factor authentication (MFA), which protects access with one or more additional checks of a user's identity beyond the password, such as a code from an authenticator app or a hardware security key.
Stolen passwords remain one of the most common ways attackers get in, whether through phishing, reuse of a password leaked from another site, or malware. With a second factor in place, a compromised password alone does not open the account. Not all second factors are equal: codes sent by SMS can be intercepted or redirected, authenticator apps are stronger, and hardware keys or passkeys (FIDO2) resist phishing outright. Ask whether the vendor can enforce MFA for every user rather than merely offer it.
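To show why a stolen password alone is not enough once a second factor is in place, here is a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238, the scheme behind most authenticator apps). It is an added example for this page, not code from the original article or from any vendor; the user record and salt are constructed, and the TOTP secret is the RFC 6238 test-vector secret so the codes can be checked against the RFC.

```python
"""Password plus a time-based one-time code (TOTP, RFC 6238) as a second factor.

Added example for this page; not code from any vendor. The user record and
salt are constructed; the TOTP secret is the RFC 6238 test-vector secret.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = (seconds since epoch) // step."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // step, digits)


def verify_totp(secret, code, at_time=None, step=30, window=1):
    """Accept the current code or one step either side (clock drift).
    Constant-time comparison so timing does not leak matching digits."""
    if at_time is None:
        at_time = int(time.time())
    counter = at_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt):
    """Salted, iterated hash: the stored value cannot be reversed to the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user record: a salted password hash plus the TOTP secret that
# was enrolled in the user's authenticator app at setup time.
SALT = b"constructed-salt-0001"
TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector secret
USERS = {
    "alice": {
        "password_hash": hash_password("correct horse battery staple", SALT),
        "salt": SALT,
        "totp_secret": TOTP_SECRET,
    }
}


def login(username, password, code, at_time=None):
    """Both factors must pass. A stolen password alone is not enough.
    Both checks always run so a wrong password is not distinguishable by timing."""
    user = USERS.get(username)
    if user is None:
        return False
    password_ok = hmac.compare_digest(
        hash_password(password, user["salt"]), user["password_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    current = totp(TOTP_SECRET, now)
    print("current code:", current)
    print("password + code:", login("alice", "correct horse battery staple", current, now))
    print("password only:  ", login("alice", "correct horse battery staple", "000000", now))
```

The code an attacker would need changes every 30 seconds and is derived from a secret that never leaves the user's device and the server, so a phished or leaked password is useless by itself. The one-step window tolerates small clock drift without accepting stale codes indefinitely; a real deployment would also rate-limit attempts, since a six-digit code is only a million possibilities.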
- Ask: Is your data encrypted?
Encryption is an important part of data security. It transforms data, using a key, so that it is unreadable to anyone who does not hold that key. This means that if an unauthorized person intercepts or copies your program data, it is useless to them without the key.
Nonprofits often collect personally identifiable information (PII), and it's critical to protect that data. Secure software encrypts both data being transmitted and data in storage: in security terms, data "in transit" (also called "in motion") and data "at rest," respectively.
Keep an eye out for these terms, and note that the standards differ for each. Data in transit should be protected with TLS (the protocol behind HTTPS), ideally TLS 1.2 or later with older versions disabled. Data at rest is typically encrypted with the Advanced Encryption Standard (AES) using a 256-bit key, AES-256, which is one of the best-regarded options. Ask where the encryption keys are stored and who can use them, since encryption at rest only protects against someone who obtains the storage without also obtaining the keys. Some vendors don't encrypt data in transit or data at rest, and either omission is a significant security shortcoming.
- Ask: Speaking of data, where do you store it?
Many organizations are required to store data in a specific region to comply with data residency legislation and internal policies.
Software vendors should offer a choice of data residency so your data is stored where your nonprofit operates, keeping you compliant with local regulations.
Be sure to check with your software vendors about data residency options, and ask whether backups, log files and the vendor's own support access also stay within the chosen region; a primary database in the right country is little help if its nightly backup is copied somewhere else.
Compare software solutions to find the most secure
Protecting your nonprofit organization from vulnerabilities and cyber-criminals has become more important than ever before. Your organization can’t afford to ignore the importance of good, secure software.
By taking the time to compare software solutions and their security features, you will minimize risk in your nonprofit operations, avoid devastating financial impact, and prevent downtime and disruption—all so you can better focus on the good work at hand.
BIO
Lindsay Nash is the content marketing manager at Good Grants, an internationalised grantmaking platform that helps small to medium-sized grantmakers around the world affordably and securely accept, manage and fund good grant applications, their way.
Learn more about Good Grants or watch the demo at NonprofitLibrary.