Limited budgets lead many charities to allow staff to bring their own devices to work unregulated.
Charities and not-for-profit (NFP) organisations are vulnerable to IT security risks and reputational damage without a formal BYOD policy in place.
This is according to a new white paper commissioned by accounting and business software provider, Advanced Exchequer.
Charitable organisations should educate key stakeholders about the safe use of mobile devices and investigate the technical measures they can take to safeguard their data and networks, the paper advises.
Charities and NFPs have been quick to exploit the potential of mobile technology as an effective fundraising solution to make their limited funds stretch further. This has led to an increasing number of organisations allowing their employees and volunteers to use their own portable devices such as smartphones, tablets and personal digital assistants (PDAs) for work purposes to connect with their supporters and target audiences.
However, research conducted by PricewaterhouseCoopers (PwC) for the 2014 Information Security Breaches Report has highlighted that the cost of information security breaches has almost doubled in the last year. For small organisations, the worst breaches cost on average between £65,000 and £115,000 and for large organisations between £600,000 and £1.15m.
PwC’s survey of 9,600 senior executives from organisations across 115 countries also revealed that just over half (51%) of the worst breaches were caused by human error (31%) and deliberate misuse of systems by staff (20%).
Greg Ford, MD of Advanced Exchequer, said: "Protecting corporate data from intrusion, misuse or abuse is a high priority for any organisation. For charities and not-for-profits storing highly confidential donor and beneficiary data, security is absolutely imperative.
"While it is tempting for charitable organisations to allow staff and volunteers to use their personal devices to save costs and drive donations without a formal and explicit policy on BYOD, they run the risk of encountering a damaging security breach."
To avoid being exposed, organisations should create a BYOD policy which is communicated regularly to staff, trustees, volunteers and partners describing the data that may be processed on personal devices and best practice security procedures. The BYOD policy should also explain clearly what measures will be taken if a personal device is compromised or lost, such as automatically wiping data and/or denying access to network systems, to prevent sensitive information from falling into the wrong hands.
In addition, charities should further reinforce their IT infrastructure to safeguard the transmission of data to and from mobile devices across multiple platforms. Personal devices should be checked for compliance and sufficiently resilient to withstand their operating environment.
Ford said: "As charities continue to wrestle with limited budgets and greater demands from staff to use their own devices, now is the time for them to think seriously about BYOD and data security. By creating a consistent and coherent BYOD strategy, organisations can mitigate the threat of security vulnerabilities and empower employees and volunteers to use mobile technologies to help generate vital funds, without placing donor relationships at risk."