Cybercrime is Rising in the COVID-19 Era: How SaaS Solutions Keep Nonprofit Financial Data Safe
In response to the COVID-19 pandemic, millions of nonprofit organizations around the world have shifted to remote work to help keep their employees safe. Never in history have so many professionals worked from home―and business networks, communication platforms, and software solutions have been pushed to the maximum as a result.
More people working from home means nonprofit organizations’ networks have more points of potential access for hackers to target. Cybersecurity experts have been sounding the alarm about increasing numbers of cyberattacks related to COVID-19.
In a recent survey of security professionals, 71% of respondents reported an increase in security threats or attacks since the beginning of the coronavirus outbreak. The leading threat cited was phishing attempts (cited by 55% of respondents), followed by malicious websites claiming to offer information or advice about the pandemic (32%), increases in malware (28%), and ransomware (19%).[1] Google also reports it has been blocking 18 million COVID-19-related phishing emails each day.[2] If an unsuspecting employee clicks on a phish, it could unleash a ransomware attack that locks up your organization’s data or cause a breach of sensitive donor or financial data.
As nonprofits increasingly rely on SaaS solutions, rather than on-premises software, it’s natural to ask, ‘just how safe is our data?’ Your organization’s financial management solution is a core system of record, and it’s imperative to have the strongest possible security protecting it.
Are SaaS solutions safer than on-premises software?
For most nonprofit organizations, SaaS solutions offer stronger security than on-premises software hosted on servers and other hardware that you have to maintain internally. To completely secure a data center within the four walls of your building, you would have to allow no outside access to it at all—not even from employees logging on with organization-owned laptops.
Conversely, with SaaS solutions, you won’t need to spend capital to build a secure data center or worry about having an IT staff to maintain your servers. Your SaaS provider takes care of security and operates at scale to protect thousands of customers’ data, so they invest more in security than most smaller organizations could afford on their own.
How to gauge a SaaS provider’s strength of security
SaaS solutions usually include many good security features, but you will definitely want to evaluate the security protocols of any new SaaS vendor you consider. A secure SaaS vendor should approach nonprofit data security on multiple fronts, including physical and personnel security, network and infrastructure security, and application security:
- Hardened data centers should offer good physical security measures. For example, Sage Intacct’s SOC 2 compliant data centers utilize badge access control, biometrics, mantraps, CCTV cameras, 24x7 security, and strong environmental controls.
- Data segmentation separates your information from other customers’ data.
- Network segmentation increases overall data security and helps slow down cyber attackers, should an incident occur.
- Reliable hardware and infrastructure, including firewalls and servers secured with good procedures for timely installation of updates and patches, and protected endpoints.
- Data encryption protects data that is transmitted and/or stored in the cloud.
- Monitoring keeps track of activity within both production and corporate systems to detect problems and attempted intrusions.
- Backup and Disaster Recovery (BDR) ensures your data survives if the worst occurs. Backups restore your data in the event that your data becomes corrupted. Disaster recovery restores application functionality quickly in the event of a failure.
Examine third-party certifications, service level agreements, and guarantees
External audits and third-party certifications ensure that a provider is delivering good data protection within a highly secure environment. At Sage Intacct, we maintain compliance with the following security standards:
- SSAE 18 SOC1 Type II—This opinion is delivered twice annually by a reputable, independent, third-party audit firm.
- SOC 2 Type II—This audit is conducted once each year, by a reputable, independent, third-party audit firm.
- ISAE 3402 and ISAE 3000—The International Standard on Assurance Engagements (ISAE) standards map to SSAE 18 and SOC 2, and require an opinion from a reputable, independent, third-party audit firm.
- PCI DSS Level 1—Requires a full audit by a Qualified Security Assessor (QSA).
- HIPAA—Certified to meet the requirements of the U.S. Health Insurance Portability and Accountability Act (HIPAA).
- Privacy Shield/GDPR—Our privacy practices get verified by TrustArc. Sage Intacct is Privacy Shield certified and meets the requirements of the General Data Protection Regulation (GDPR).
You need to know that your SaaS financial management solution is available to your organization 24 hours a day, 7 days a week, 365 days a year. Service levels should be part of your contract. Sage Intacct guarantees 99.8% system uptime. Should you ever decide to go in a different direction, you need to know that you own your data and can retrieve it easily. These are key points within Sage Intacct’s Buy with Confidence℠ guarantee.
Good cybersecurity is a shared responsibility
Ultimately, your organization and your SaaS provider are partners in the security of your financial and operational data. The most secure SaaS solution in the world is no match for sloppy security practices by your workforce.
There’s a role for the nonprofit finance leader to play when it comes to ensuring financial data security. First, take advantage of all of the administrator-level security features available within your financial management solution. Second, provide leadership in the form of training, resources, and best practices for employees and contractors.
9 cybersecurity best practices for nonprofit organizations
Nonprofit organizations can do their part to secure SaaS financial and operational data by following these nonprofit data security best practices:
- Encourage good password hygiene. Current cybersecurity science says that the best passwords are random and long. As the administrator, be sure to set your financial management solution’s rules for how frequently passwords must be changed, password complexity, and blocking the ability to reuse prior passwords.
- Turn on multi-factor authentication. This adds another layer of access security on top of passwords, putting more obstacles between a would-be hacker and your financial data. After the user enters the required username and password, two-factor authentication also sends a code via text or email that must be entered before access is granted.
- Carefully consider roles and permissions. A good SaaS financial system allows the administrator to create roles with varying levels of permission to see, create, change and delete financial data and perform financial tasks.
- Use Single Sign-On (SSO). With a financial management solution that enables SSO, employees use a single credential that logs them on to multiple integrated business systems at once, saving time without sacrificing security.
- Set sign-in lockouts. The system should lock out a user who makes repeated unsuccessful attempts to log in, and require administrator intervention to reset the account.
- Employ inactivity timeouts. Without session timeouts, an employee might remain logged on during lunch break or overnight, allowing anyone in the building to sit down and access your financial system.
- Restrict access through IP address filtering. You can allow a user to log on from anywhere, or allow only a specific IP address or set of addresses on an account. For example, you could limit access to the IP addresses of an employee’s office and home.
- Periodically review user accounts, audit logs, and security logs. If you see anything suspicious, drill down further and follow up. If anyone has left the organization, be sure to shut down their access.
- Conduct phishing training and drills. Studies show you can dramatically lower the odds a phishing attack will get past employees with training and unannounced drills. There are services you can use for the training if you don’t want to design the curriculum yourself. Deliver different kinds of phishing attacks, such as those that include links, attachments, those that include personal information, etc. Make everyone take part—including executives—and never use the results of the drills to shame anyone publicly.
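One way to turn the sign-in lockout, IP address filtering and account review items above into a routine log check, as an added example that is not Sage Intacct’s code: it assumes a simple constructed audit-log format (timestamp, user, result, source IP), a per-user list of allowed networks and a list of departed users, and reports what each control would flag.

```python
# Added example, not Sage Intacct code: the log format, field names and
# sample lines below are constructed assumptions for illustration.
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed audit log, one "timestamp user result source_ip" record per line.
SAMPLE_LOG = """\
2020-04-20T08:01:10 alice FAIL 203.0.113.10
2020-04-20T08:01:25 alice FAIL 203.0.113.10
2020-04-20T08:01:40 alice FAIL 203.0.113.10
2020-04-20T08:02:05 alice FAIL 203.0.113.10
2020-04-20T08:02:30 alice FAIL 203.0.113.10
2020-04-20T09:15:00 bob OK 198.51.100.7
2020-04-20T09:20:00 bob OK 192.0.2.44
2020-04-20T13:05:00 carol OK 198.51.100.20
"""

LOCKOUT_THRESHOLD = 5  # failed attempts after which the account should be locked
# Per-user allowed networks (office and home), the "IP address filtering" control.
ALLOWED_NETWORKS = {
    "alice": [ip_network("203.0.113.0/24")],
    "bob": [ip_network("198.51.100.0/24")],
    "carol": [ip_network("198.51.100.0/24")],
}
DEPARTED_USERS = {"carol"}  # left the organization; access should be shut down


def parse_log(text):
    """Parse the constructed log into (timestamp, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, result, ip = line.split()
            events.append((ts, user, result, ip_address(ip)))
    return events

def review(text):
    """Apply the three controls and return the accounts each one flags."""
    events = parse_log(text)
    fails = Counter(user for _, user, result, _ in events if result == "FAIL")
    logins = [(user, ip) for _, user, result, ip in events if result == "OK"]
    return {
        # Sign-in lockout: repeated failures should trigger a lock needing admin reset.
        "lockout": sorted(u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD),
        # IP filtering: successful logins from outside the user's allowed networks.
        "off_allowlist": sorted(f"{u}@{ip}" for u, ip in logins
                                if not any(ip in net for net in ALLOWED_NETWORKS.get(u, []))),
        # Account review: successful logins by people who have left.
        "departed_access": sorted({u for u, _ in logins if u in DEPARTED_USERS}),
    }
```

Running `review(SAMPLE_LOG)` flags alice for lockout, bob’s login from 192.0.2.44 as outside the allowed networks, and carol as a departed user whose account is still active.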
In the new normal with COVID-19, nonprofit professionals will work from home more and rely more than ever on SaaS solutions. It’s important to know that SaaS can actually strengthen your cybersecurity strategy. Secure SaaS providers should demonstrate commitment to your data security through external audits, third-party certifications, service level agreements and even a guarantee. Nonprofit organizations share an important responsibility for cybersecurity in training employees, implementing best practices and making use of administrator security features available in SaaS solutions.
[1] CXOtoday.com, "Survey Points to Heightened Cyber Crime in Covid-19 Era," April 8, 2020.
[2] Health IT Security, "Google Blocks 18M Daily COVID-19-Related Phishing Emails," April 20, 2020.
Nancy Master is a senior nonprofit industry marketing manager at Sage Intacct and is passionate about helping nonprofits achieve mission success. Nancy has more than 15 years of experience in software marketing and close to 20 years of experience working with a human services nonprofit organization.