Every organization has a responsibility to protect the data of its users and patrons. We’ve gathered our top tips to improve data security in your nonprofit.
As the market leading database software solution for arts sector nonprofits, Spektrix is also the only ticketing and CRM provider to hold ISO 27001 certification - the internationally recognized gold standard in information security. In the last year, a series of cyber attacks and data breaches have impacted leading cultural organizations and their technology providers, eroding public trust and damaging hard-won loyalty. By auditing our practice against the ISO framework, we’re confident that we’ve done all we can to reduce the risk of similar incidents impacting our team, our users, or their patrons.
In this blog Sarah Lascelles, Compliance Lead, outlines the key themes covered by the framework, and shares her best practice advice for nonprofits - or indeed for any organization keen to tighten up database security.
Officially, Spektrix is certified under ISO27001:2022, also called IEC27001, the most recent standards for establishing, implementing, maintaining, and continually improving an information security management system. Managed and assessed by the International Organization for Standardization (ISO), conformity with ISO27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company
That may not mean a lot to busy managers in a typical nonprofit arts organization. Here’s how we prefer to explain it.
As a purpose driven organization, Spektrix is committed to the highest standards of information security. We see ourselves as a technology partner, not just a supplier; our approach to system improvements, internal processes, and ongoing improvements is centred on users’ needs. Naturally, the security of personal and financial information is high on the priority list for many system users and patrons, and so our focus for many years has been on minimizing risk through best practice data management.
In 2024, we attained the ISO 27001 standard for information security. This internationally recognized standard demonstrates that our risk management systems respect best practices and principles, and that we’re maintaining and continually improving those approaches.
Achieving this certification was less about changing our approach, as about auditing our practice across every aspect of the business, to ensure consistency and quality. The exploration went far beyond secure passwords, to consider risk assessment and processes in departments ranging from IT through to Engineering and Marketing. Not everything that we put in place is relevant to nonprofits - your database software provider should be putting many of these steps in place on your behalf.
But some of what we talked about is universal, and so we’ve formed a three-step approach to improving data security across your team.
The ISO27001 standards provide a comprehensive, international framework for internal and external audit of data security. At Spektrix, it’s always been our intention to take a best practice approach to information management. The framework provides a valuable tool for challenging and measuring how well we’re meeting that ambition, and driving us to continually improve.
These four simple steps should help you stay on top of fundamental database security - from password management through to user access and training.
Beyond the obvious rules like avoiding your dog’s name or your daughter’s date of birth, current advice suggests that passphrases are much more secure than passwords. Encourage team members to select three random words, rather than the typical ‘c0mP1ex Pa55wOrD’, which can be broken by AI. If your software systems require combinations like ‘one capital letter and one number’, see if those settings can be altered or share feedback next time you speak to their teams.
When people leave your organization, make sure there are steps in place to remove their accounts from key software tools. Allowing access to people who no longer work for you is risky, and may not comply with data protection laws. Work to a "principle of least privilege" - giving people the minimum required access, and updating it as they change roles. Your Head of Fundraising may require more database privileges than your CEO, so internal role changes could reduce access requirements, rather than automatically growing them.
It’s tempting, but not good practice, to use a single email address like boxoffice@yourtheatre.com to access software. There are fewer passwords to remember, and you may only have to pay for a single account. But it carries the risk that people who’ve left your account may retain access, or that you’re unable to audit activity in your account. While some software providers charge per user, choosing a contract with unlimited users and granular privileges will help you to avoid this temptation.
A lot of data security best practice feels like common sense, but it’s still worth sharing a timely reminder. Make sure people understand not only what should be avoided, but why it’s risky - from writing down passwords to sharing accounts or responding to spam. Phishing and hacks become more sophisticated all the time, so at minimum, offer refresher training once per year. This training resource from the UK’s National Centre for Cyber Security is free and good quality, and since this is a global challenge, it’s relevant to teams worldwide.
One of the great things about international standards like ISO is that you don’t need to understand every detail to make an informed choice between database software providers. No matter the rules in your legislation, when you see that a technology company carries certain logos, you’ll know that their ways of working have been comprehensively and expertly examined, and that they’re delivering best practice.
Generally, providers of true cloud-based software can more easily maintain a high standard of security than companies whose systems run in-house from users’ own servers. That's because technology companies running cloud-based (Software as a Service, SaaS or Platform as a Service, PaaS) platforms retain full accountability for the security of their systems, no matter where they’re accessed from. Other software still runs from local servers within your own organization, meaning some of that accountability falls on your in-house team. That’s one of many reasons why cloud-based platforms are generally considered preferable to the older, in-house approach.
Look for:
Your system and data live on servers hosted by the software provider, so you don't need to worry about maintenance or uptime.
Your system and data live on servers hosted by a cloud computing platform such as Microsoft Azure, creating space to grow capacity as needed and freeing up your software provider to focus on new features and improvements.
Certain international standards can help you instantly assess a company’s commitment to security and compliance. Without any further investigation, these symbols or certificates can reassure stakeholders and that your data’s in good hands.
Look for:
The current gold standard for information security.
This standard is slightly older, but remains current and still reflects excellent security standards.
For payment providers, PCI DSS compliance is expected - be wary of any payment gateway which lacks this accreditation.
Risk management is often overlooked when it comes to information security, but it’s just as important to risk assess your systems as it is a complex stage maneuver or elementary school workshop.
At Spektrix, we’ve reviewed and assessed risk across every aspect of our operations. You may not need quite the same level of detail, but it’s definitely worth investing time in reviewing your policies and processes for any business critical or compliance related changes to your nonprofit database software.
Last week a leaky pipe closed down our London office for several days. We can all be impacted by floods, fire, or even transport issues preventing us from getting onsite. Most organizations got pretty good at this during the pandemic - but make sure you’re prepared to access systems securely, wherever you need to work. Again, cloud-based systems are your friend - provided your computer software and browser are up to date, you should be safe to log in from any device.
Hopefully you’ll never need to implement these processes. But it’s still worth being prepared. If a business critical system’s unavailable, or you find your own organization affected by a breach, do you know what you’d do? Make sure you know who’s accountable within your own team, how to contact senior leaders or board members out of hours if necessary, which legal bodies may need to be informed, and how you’d communicate with patrons - especially if your website or email tools are affected.
The tips we’ve shared here are just the beginning of the journey. Database security is as critical to your nonprofit as your locking up or evacuation procedures. If you’re already using Spektrix, you can be confident that everything’s being done on your behalf to minimize risk - though we’d still encourage good practices within your own team. If you’re using a different database system, and you’re less sure of their approach to information security, call them up - they should be happy to talk you through the steps they have in place.
Sarah Lascelles (she/her) is Compliance Lead at Spektrix