Data Backup And Recovery For Non-Profit Organizations

How non-profit organizations can implement secure, compliant backup and recovery to protect their corporate and customer data.
Arturo Bello
May 25, 2023

Non-profit organizations face a unique challenge when it comes to data protection: no matter what their focus is, they all handle a wealth of personal data. They deal with customers, donors, and even people who have signed up to receive their newsletter. This data is critical for helping non-profit organizations to receive and allocate funding and provide their customers with effective services. This makes it invaluable to the running of day-to-day operations. If the data is tampered with, then work is disrupted; if the data is lost, work has to stop.

Unfortunately, personally identifiable information (PII) is one of the most valuable types of data targeted by cybercriminals. They can use it to carry out spear phishing attacks, take fraudulent actions, sell the data online to another criminal, or use it as leverage in a ransomware attack. In the last case, attackers know that you need the data to operate and that you may be willing to pay a large amount of money for its safe return.

Implementing a comprehensive data backup and recovery solution is crucial for non-profit organizations as it protects all the data that they store locally or in cloud applications against loss or tampering.

In this guide, we’ll outline the importance of backup and recovery for non-profit organizations. We’ll highlight the key features you should look for in a data backup solution and give our recommendation on the best solution for your organization.

Why You Need Data Backups

Many organizations today use cloud-based productivity applications, such as Microsoft 365 and Google Workspace, and store data in the cloud. While these suites make it easy for teams to store, access, and collaborate on files and projects in real-time, they don’t offer protection should that data be lost or deleted—and they don’t offer native data backups. That’s because they operate on a shared responsibility model. This means that the software provider (e.g., Microsoft or Google) is responsible for maintaining the infrastructure of the suite (i.e., the data center, network controls, applications, and operating system). You, as the customer, are responsible for protecting your data.

In practice, this means that your provider will resolve any issues related to downtime or software failures, but it’s up to you to protect your data against loss caused by human error, programmatic error, or threat actors.

But why exactly do you need to back up your data in the first place?

Backup For Compliance

First, it’s likely that your non-profit organization is required to create backups of your data in order to comply with data protection and privacy regulations. The U.S. doesn’t have a specific national statute that covers data privacy, but each state and sector has specific legislation for collecting, storing, retaining, and securing data.

While the Federal Trade Commission (FTC) usually refrains from carrying out enforcement actions against non-profits, state laws do apply to non-profits and state attorneys general can exercise powers against non-profits for data privacy violations.

Most regulations don’t explicitly require you to implement backup and recovery; instead, many state policies mandate the implementation and maintenance of reasonable data security practices. Implementing a data backup tool can help you to prove that you’re taking reasonable steps to secure your data.

Some regulations that do explicitly require you to back up your data include:

1. GDPR: Many non-profits collect personal data (such as name, date of birth, contact details, social security number, or biometric information) from volunteers, vendors, donors, and newsletter subscribers. If any of the people you collect this data from are EU residents, you need to comply with GDPR—even if you’re not based in Europe. Article 32 of the GDPR states that the data’s owner must have “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”. And to be able to restore the availability of data if it’s lost, you need to have backups.

2. HIPAA: HIPAA’s Administrative Safeguard 45 CFR § 164.308(a)(7)(ii)(A) requires covered entities (including non-profit organizations that work with protected health information, or “PHI”) and business associates to “establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.” On top of that, HIPAA subsection 45 CFR § 164.316(b)(2)(i) states that covered entities must “Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later”. This means that non-profits working with PHI must store records of policies, procedures, actions, or assessments carried out for a minimum of six years.

3. PCI-DSS: All businesses—including non-profits—that handle and process credit cardholder data must comply with PCI-DSS, a security guideline set by credit card brands. PCI-DSS Requirement 9.5.1 states that you must store media backups containing cardholder information in a secure, preferably off-site location, and review the security of your backup location at least once a year.

Backup and recovery tools not only help you meet the compliance requirements for data protection, but they also ensure that you can easily find specific data in the event you need to present information for litigation, auditing, or compliance purposes. Rather than having to crawl through files, folders, mailboxes, social media posts, and any other types of data your organization handles, you can simply use the backup solution’s search tool to find exactly what you’re looking for in a matter of seconds. Data backup solutions also have export tools that allow you to share reports easily.  

Backup For Security

Even if you aren’t required by law to back up your data for compliance, you should still be creating backups as a security measure. Data loss is a challenge for all businesses, and it can occur in numerous ways.

One of the most common causes of data loss is human error; this could be something as simple as an employee accidentally deleting a file, or spilling coffee over their laptop. While human error usually only causes the destruction of a small amount of data, it can still disrupt business operations—particularly if the lost data contains personal, financial, or time-sensitive information.

Another cause of data loss amongst businesses is natural disaster. Some disasters—such as earthquakes—are only likely to cause damage amongst organizations located in a geographically volatile area, but others—such as floods and fires—could affect any business. If you store your data in on-premises data centers, a natural disaster could completely destroy all of it, halting business operations entirely.

The final, and most sinister, cause of data loss is cybercrime. According to a recent study, 68% of organizations have experienced one or more endpoint attacks that successfully compromised data and/or their IT infrastructure, and 81% of businesses have experienced an attack involving some form of malware.

Ransomware is one of the most prevalent forms of malware. Once installed—usually via file download or an email with a malicious link—threat actors can encrypt an organization’s data, or lock users out of it. They then demand a ransom from their target, in exchange for safely returning their data.

However, paying the ransom doesn’t necessarily mean that you’ll get all your data back, nor that the threat actor will cleanse your systems of their malware—you are dealing with a criminal, after all. So, the best way to recover from a ransomware attack is to completely wipe your own systems and restore your data using backups.

Backup and recovery tools can help mitigate each of these challenges by capturing point-in-time copies of your data, then writing those copies out to a secure, secondary storage facility that’s isolated from your main environment. This means that if you lose data due to a cyberattack, natural disaster, or even simple human error, you’ll be able to restore it using your backups.  

Features To Look For In A Backup And Recovery Solution

Non-profit organizations should implement a strong backup and recovery solution to protect their data and ensure they can resume normal operations in the event of accidental or malicious data loss. The best backup and recovery solutions offer the following capabilities:

Point-In-Time Backups

Point-in-time backups capture copies of your data at given intervals (e.g., hourly, daily), then write those copies out to your secondary storage facility. This ensures that, should a file be deleted, or an entire system wiped, you’ll be able to restore a recent version of it. Some backup solutions use journalling technology to create multiple backups per day, whenever a change is made. This is a strong feature to look out for if your business relies on up-to-date data to operate, as it can help minimize downtime and the effort of recreating work that was done after the backup was made.

Granular Search And Restore Functionality

The strongest backup and recovery solutions enable admins to easily locate individual pieces of data using a granular search tool. This should enable admins to filter the backup database by file type, date, etc., as well as carry out targeted keyword searches.

Flexible Restoration Options

Once you’ve found a copy of the lost data, it’s important that you can restore it—whether that’s carrying out file-level recovery or a full system recovery. The best solutions enable you to restore data in its native format, and to its original location or a different one.

Customizable Retention Periods And Storage Limits

Most backup and recovery solutions offer long retention periods, but it’s important that you check your organization’s compliance requirements and choose a solution that meets those needs. For example, if you’re a healthcare charity that accesses your customers’ health records, you may need to set longer retention periods for that data compared to other data you’re using, in order to comply with HIPAA.

You should also be able to control how much storage space you use. For organizations that work with large amounts of data, it’s a good idea to look for a solution that offers unlimited storage or lets you increase storage easily.

Comprehensive Activity Logging And Auditing

To help you meet compliance and auditing needs for data protection, the best backup solutions offer complete audit trails of all backup activity. That not only includes a history of when backups have been created, but also a full log of all user search and restore activity.

Additional Security Features

Security is critical when it comes to a data backup solution. You need to make sure that your backups remain secure even if your live environment is compromised, otherwise you won’t be able to restore your data effectively.

The best backup solutions will offer an array of additional security features, including encryption of data at rest and in transit, multi-factor authentication, and role-based access controls. Role-based access controls enable you to control the actions (view/search/restore) that each user in your organization can carry out on different types of data. This is particularly important for complying with data protection regulations that require you to secure your data with least-privileged access.

Data Sovereignty

You may be required by certain compliance standards to store your data in a specific location. The best backup solutions will offer multiple data storage locations in different countries, allowing you to take full control of your data sovereignty.

Easy Deployment

Finally, a backup and recovery solution should be easy to deploy. This will allow you to protect your data as soon as possible after purchasing. Features such as integrations with third-party applications will help streamline the deployment process. Some providers also offer dedicated support teams to help you with deployment. Alternatively, you can purchase your solution through a managed security services provider (MSSP) like Constant Edge, who will take care of the deployment for you.

Our Recommendation: CloudAlly

Data backup and recovery tools are critical to the security and smooth operation of non-profit organizations, ensuring they can recover efficiently in the event of accidental or malicious data loss.

Constant Edge has partnered with CloudAlly, a market-leading backup and cloud data protection platform that is trusted by over 16,000 organizations globally, to provide backup and recovery for non-profit organizations.

Backup

CloudAlly offers comprehensive backup and recovery solutions for the most popular SaaS applications used by businesses, including Microsoft 365, Google Workspace, Dropbox, Box, and Salesforce. The platform automatically creates daily backups for all users—with Active Directory integration for user discovery to ensure even new user data is backed up—and admins can also perform backups on-demand. Backups are written out to one of CloudAlly’s global data centers, with options in the US, Canada, UK, Ireland, Germany, and Australia to help meet data sovereignty requirements.

Recovery

CloudAlly offers unlimited data retention and flexible restoration options, including historical snapshot, cross-user restore, non-destructive restore, and mailbox recovery. Users can perform granular searches using filters and keywords to find the exact data they need to recover, then restore individual files or carry out bulk restoration.


Security

CloudAlly secures all backups, including meta-data, with AES 256-bit encryption. The platform offers OAuth and support for multi-factor authentication, with granular role-based access controls. By using these controls, admins can define permissions for user activities such as viewing their account settings page, managing their notifications, and restoring backups. If a user wants to restore data, they must submit an export request, which ensures that only authorized parties can restore backups.


Compliance

CloudAlly is GDPR and HIPAA compliant, as well as ISO 27001 certified. The platform automatically logs details of all backup events and user activity in a comprehensive reporting dashboard. When needed, activity reports can be easily exported as .CSV files. CloudAlly can also carry out full audits. These audit reports are confidential and not shared with partners, customers, or even internal staff except on a need-to-know basis.

CloudAlly offers exclusive discounts for non-profit organizations looking for backup and recovery. Enquire with Constant Edge today to get your discounted quote and start a free 14-day trial.

Secure Your Data With Constant Edge

Implementing a strong data backup solution can give your business the confidence to focus on its objectives, without having to worry about data loss—be it caused by human error, natural disaster, or a cyberattack.

If you represent a non-profit organization looking for a comprehensive, secure backup and recovery solution, we can help. Constant Edge has a team of data protection specialists who understand the importance of backup for non-profits and can advise you on the best solution to meet your business’ needs. Get in touch with our team to learn more.