How the Parkinson’s Foundation Stays Secure With a Small IT Staff
At the Parkinson’s Foundation, we believe data security is a team sport, which is why we rely on everybody in our organization to follow best practices for protecting our content.
Like most organizations, we have several layers of sensitive content, including some of our accounting and marketing files. Where we differ from many organizations, however, is that we also have 2.6 million organizational records that include donor data, contact information for walk participants, volunteer details, personally identifiable information (PII), and protected health information (PHI) for constituents who call into our helpline.
Our user base includes employees and volunteers located across the U.S. And as more users have shifted from local offices to work-from-home setups, data security has become more challenging.
A Small IT Team Against the World
We view our data systems as a castle that we must protect. There are a lot of potential invaders out there trying to steal our data, so we’ve made it our mission to defend the castle at all costs.
But our IT department is small: it’s just me, our outsourced CIO, an IT Director, and a few staffers. If your organization is like ours, you don’t have unlimited resources, either.
Over time, we’ve learned that to truly make data security a team effort for the larger organization, our IT department must combine technical leadership with cybersecurity coaching techniques that set the vision for the organization. Here are a few things we do to make it all work.
Secure Data with Egnyte
We’ve moved most of our data from local file servers to the Egnyte cloud. In addition, we’re now scanning emails for sensitive content. Egnyte has proven to be one of our most important tools for defense. The platform serves as the walls, door, and moat that help us protect the castle.
First, Egnyte lets us set granular permissions down to the folder and file level to ensure that users can only access the data they need. Egnyte also makes it easy to run reports that show permission levels for every organizational user.
Second, the Egnyte platform includes a smart content governance solution that scans our files to identify unsecured sensitive content and moves anything it finds to secure folders. I jokingly refer to our CIO as our “Chief Sensitive Data Officer” because he’s done a terrific job using Egnyte to drive down our sensitive data risk.
Cybersecurity Education and Support
We rely on Egnyte to lock down our data, but we also believe that user education must accompany usage of our technical solutions.
Our users have different levels of technical knowledge, especially our volunteers, which adds a layer of complexity to securing our content. So we’ve implemented several procedures that empower them to do their part, including training to help them spot potential threats.
For example, we were the victims of a ransomware attack several years ago that originated with a phishing email. As a result, we decided to educate all of our users not to open phishing emails, not to click on suspicious links, and not to provide sensitive information without validating that the request was legitimate.
We developed a series of tests in which we send fictitious phishing emails to our users. The emails look authentic, and we track which recipients open them, who clicks on the links, and who provides sensitive information.
We take great care not to shame the people who take the cyberbait. Instead, we use it as a learning opportunity. Also, rather than penalizing people for failing the test, we give gold stars to those who pass.
Over time, we’ve seen dramatic improvements in our users’ ability to recognize phishing attempts. For example, the first test fooled roughly 40 users out of 150. But only one person clicked a link in our most recent test.
Incident Response
Another important thing we do is run mock drills of potential responses to different cyber-incidents, including modeling and reporting. We want to prepare for any scenario that could disrupt our systems, whether routine or significant.
So, we’ve laid out a process that helps gauge the severity of any incident. That helps us determine how to react, which team members to involve, and so forth.
We view these exercises as an important investment of our time, because we know we’ll be able to respond quickly if an actual incident occurs.
User Education Reinforcement
You may already be sensing a theme here, but we really value robust, repeatable user education. Every few months, we hold training programs for our users. First, we monitor our help desk tickets to identify areas where they might need help. Then we bring in an outside expert in that field to conduct training sessions.
Additionally, our IT Director sends a weekly “Tech Tip” email to the entire organization with recommendations that help make our users’ lives easier.
These education efforts help everybody on the team stay updated on what’s new, and they create a feedback loop so users can say something when they see something.
Track Our Progress
Since we treat data security as a team sport, we also keep score. Egnyte analyzes our data and assigns a risk score based on the number of outstanding issues and the amount of sensitive data it detects. The lower the score, the more secure we are.
When we first deployed Egnyte, our score was 98—deep in the red zone, which isn’t a place you want to be. Egnyte helped us detect several vulnerabilities. After correcting them, our score dropped to 9, firmly in the green zone. Each week, our CIO and I receive a risk score update from Egnyte, and we celebrate when we’re still green.
Prepare for a Long Journey
Data security is a journey without a finite destination. New threats always come out of the woodwork, so we have to stay on our game. However, by consistently working on our detection and response skills, we’ve gotten good at it.
Over the years, we’ve expanded our footprint from a single building to multiple locations. And, as we’ve grown, Egnyte has grown with us.
The Egnyte team has been great to work with and has become more than just a vendor. They’ve become a trusted advisor and essential resource for protecting our content.