If you pay attention to the news, you may have recently heard about a large-scale compromise of celebrities' online accounts, in which hundreds of private photos were leaked to the wider Internet. The celebrities did not share anything intentionally; their accounts were broken into.
This may seem like just another Hollywood scandal, but it's really indicative of the new world order of living in an Internet-connected and cloud-based world. And it should serve as a stern wake-up call to all nonprofits and social change makers to shake the complacency off our security standards.
During the recent incident, now widely called Celebgate or (lewdly) The Fappening, more than 100 celebrities had their personal accounts hacked. Their iCloud accounts were targeted, and the attackers pulled personal data and photos that the victims' iPhones and iPads had backed up there. Some of those images were posted on sites like Reddit, Imgur, and 4chan in an attempt to sell them for bitcoin, the virtual currency, and were then shared far and wide.
There are those who say the perpetrator(s) didn't just hack one account at a time, but rather broke into one person's account and used it as a stepping stone to everyone connected with that person through the phone book, text messages, or email. That is no doubt a simplistic view of a complicated process, but what really concerns me is the breadth of what a compromised account exposed: the perpetrators were able to access text messages, calendars, address books, phone call logs, real-time GPS of where people were at any given time, and any other data that was saved or backed up to the cloud.
Not only is it a major invasion of privacy for the individuals targeted, but it's another example in a string of security breaches in which private and supposedly secure data was leaked, stolen, or otherwise shared online.
Whether your organization uses iCloud (or some other hosted online service for email, file storage, photo sharing, or collaboration), has mobile phones or devices deployed for your staff, or has a local server-based network in your office, it's more and more likely that your staff are accessing email and network-connected data via their personal devices when outside of the office. That means that your organization's data is only as secure as your employees' device security settings and behavior.
Even if there aren't malicious hackers out there who want to target your organization's data for personal or political reasons, there are automated scanners that trawl the Internet looking for security vulnerabilities to exploit, harvesting whatever data they can in the hope of finding the juicy stuff (credit card numbers, Social Security numbers, bank account information, passwords) along with the identifying details (name, address, birth date) needed to put those things to use. These scanners run automatically and never sleep.
You may think your data isn't desirable, but if you hold fundraising events and have donor data in your files, provide direct services to your community and have client health records or domestic violence shelter rosters, and so on, then your data is desirable to someone. Not only that, but you're legally responsible for securing it and can be held liable if you don't do it well.
Now, despite scary examples of hackers exploiting the cloud, if you run a very small organization with no IT staff and no one to help maintain local servers with regular updates, security patches, and upgrades, then the cloud may be the safest place for your data. Data centers from big companies like Microsoft, Apple, Amazon, Google, and so on have redundant backup systems for emergencies, they have teams of people around the world ensuring updates and patches are done, and they're working hard to fight back against any vulnerabilities that hackers may try to exploit.
If all your data lives on a local server in your office, or the C: drive on your computer, and you have no other backup system, you're not in a good position to secure anything. If the office gets flooded because the sprinklers went off when a colleague burned popcorn in the office microwave, then you're out of luck.
In TechSoup's disaster planning and recovery guide, we recommend a 2x2x2 strategy for your mission-critical data, whether you're preparing for a hurricane or for a hacker. That means two copies of your data, in two different places (maybe one local and one in the cloud), and accessible by two different people. That doesn't mean 14 copies accessible by everyone in the organization, so even though you need a backup copy, think strategically about who should be able to access it and how. Learn how to develop a secure backup strategy for your organization.
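As an added illustration of the "two copies, two places" half of that strategy (this is example code written for this page, not a TechSoup tool), the POSIX shell functions below copy a directory to two destinations and then prove that each copy matches the source byte for byte by comparing SHA-256 manifests. The source and destination paths are placeholders; in practice one destination would be a local drive and the other an offsite or cloud location. The "two people" half is an access-control decision the script does not make for you.

```shell
#!/bin/sh
# Added example for this page, not part of the original article.
# Paths passed to these functions are assumptions for illustration.
set -eu

# Print a sorted SHA-256 manifest ("hash  ./relative/path") of every
# regular file under the directory given as $1.  Running inside a
# subshell with cd keeps paths relative, so manifests of two different
# directories can be compared directly.
manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$f"
        else
            shasum -a 256 "$f"   # macOS fallback; same output format
        fi
    done )
}

# Succeed (exit 0) only if the copy in $2 has exactly the same files,
# with exactly the same contents, as the source in $1.
verify_copy() {
    [ "$(manifest "$1")" = "$(manifest "$2")" ]
}

# Copy the source directory $1 into both $2 and $3, then verify each copy.
# A backup you have not verified is a hope, not a backup.
backup_2x2() {
    src=$1; dst1=$2; dst2=$3
    mkdir -p "$dst1" "$dst2"
    cp -R "$src"/. "$dst1"/
    cp -R "$src"/. "$dst2"/
    for d in "$dst1" "$dst2"; do
        if verify_copy "$src" "$d"; then
            echo "verified: $d"
        else
            echo "verification FAILED: $d" >&2
            return 1
        fi
    done
}
```

Run it on a schedule (cron or a launch agent) against the folders that hold your mission-critical data, and treat a non-zero exit as an incident to look into rather than a message to dismiss. Restricting who can read the two destinations is the part of 2x2x2 that filesystem or cloud permissions, not this script, must enforce.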
Many organizations have acceptable use policies as standard language in their employee handbooks, defining in legal terms the appropriate behavior for using technology resources. That's a start, but it's not enough, and it isn't really a method to prevent malicious or negligent behavior. If you don't have an acceptable use policy, there are a lot of templates and samples of language online, but most of it is pretty dry, legal jargon defining liability and expectations. Don't rely on having a policy in a handbook that's only opened the first week on the job to ensure that your staff members are using technology appropriately — train them!
Just as you hold trainings for other policies every couple of years, do the same thing with security standards. There are a variety of free tools and resources out there to remind staff of how to create stronger passwords for their work access and their mobile devices and how to avoid malware and phishing scams, and to remind them that their access to the organization's data while offsite or from their mobile devices is a privilege, not a right.
Many mobile devices automatically sync with cloud storage so you can access your photos, contacts, and calendars from anywhere. Be selective about which of those things you really need, and opt to sync the rest manually. Turn off auto-sync for anything that may expose sensitive data. Many people aren't even aware that on iPhones and iPads the Find My iPhone feature regularly reports the device's location to the cloud, while iCloud Backup and Photo Stream copy the device's data and photos there in the background. That's great for finding a lost phone or replacing a broken one, but not always the best choice for keeping the data on your devices private.
If you don't want to disable automatic syncing altogether, you can also manually delete photos or other data from the cloud, but deleted items may linger on cloud servers for a while before they're really gone, and anything already synced to another device or downloaded by someone else is not recalled.
While disabling auto-sync may keep some data off the Internet, you should also protect what's already there and what's on your servers by ensuring your devices, whether desktop PCs, laptops, tablets, or mobile phones, receive security updates automatically.
You won't need to feel guilty for ignoring those little "update available" pop-ups on your screen if you simply set security updates and patches to install automatically. Most operating systems, applications, and mobile apps let you turn on automatic updates, so a little time spent in the settings of each device (or a quick search for the steps on your particular platform) automates a task that will help you stay more secure. Do check occasionally that the setting is still on and that updates are actually being applied; a device that was never rebooted to finish an update is not patched.
Do you have tips on staying safe online? Log in to share them in the comments.
Becky Wiegand is the Webinar Program Manager at TechSoup.org @bajeckabean on Twitter
This work is published under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License.