4 Cyber Security Mistakes Nonprofits Make and How to Fix Them
Cybersecurity has become an ever-growing concern for all industries. Especially throughout the COVID-19 pandemic, we started relying more and more heavily on technology for communications, work, events, and fundraising.
Moving forward, we anticipate this increased reliance on technology will continue. Hybrid and virtual fundraising opportunities will remain a prevalent part of the industry into 2021 and beyond due to their increased ability to reach a broader audience.
To keep your team, your organization, and your supporters safe throughout this increased reliance on technology, you’ll need to make sure you avoid the common cybersecurity pitfalls that nonprofits fall into.
Lax security can result in breaches that can forever harm your reputation among supporters. Since they trust your organization with their important information, it’s vital their data stays safe and secure. Check out Bloomerang’s nonprofit cybersecurity guide for a full breakdown of security measures. In this article, we’ll cover the common mistakes that you can take immediate action to avoid, including:
- Using Poor Password Protocols
- Not Accurately Managing User Accounts
- Failing to Update Software Right Away
- Skimping on Team Education
Security is no laughing matter and with organizations relying more and more on their online platforms, cybersecurity has become incredibly vital. Let’s dive in.
1. Using Poor Password Protocols
One of the most common issues that nonprofits and for-profits alike run into when it comes to security is improper password protocols among their teammates.
Does your password include your pet’s name, spouse’s name, a significant date, or a keyboard pattern? These are among the most common, and therefore most easily guessed, passwords that people use. Then, to make it worse, many individuals use just one password to secure all of their accounts.
It’s important that your organization requires staff members to follow proper and modern password protocols to secure their accounts. For instance, you should make sure that passwords:
- Are at least 8 characters long. Longer is always better, so encourage staff members to use a long randomized list of characters including numbers, letters, and symbols.
- Avoid patterns or personal information. The best passwords are randomized lists of characters with no meaning behind them at all.
- Are unique to each platform. Don’t use the same password for every account. Make sure that all of your passwords are unique so that each will be secured at the same high level.
Teach your staff members about the importance of strong passwords and encourage (or require) them to use strong passwords and update their passwords on a regular basis. If you’re worried about them losing track of all of the different passwords they use, leverage a secure password manager to store everything for them.
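The three rules above (minimum length, no patterns or personal information, unique per platform) can be turned into a simple policy check. This is an added example, not code from the article or from Bloomerang; the pattern list and the sample personal terms are constructed for illustration.

```python
import re

# Minimum length the article recommends (longer is still better).
MIN_LENGTH = 8

# Constructed list of keyboard walks, sequences and common words; a real
# deployment would use a much larger breached-password or pattern list.
COMMON_PATTERNS = ["qwerty", "asdf", "zxcv", "1234", "abcd", "password"]


def has_pattern(password: str) -> bool:
    """True for keyboard walks, common words, or a character repeated 4+ times."""
    lowered = password.lower()
    if any(p in lowered for p in COMMON_PATTERNS):
        return True
    return re.search(r"(.)\1{3,}", lowered) is not None


def has_personal_info(password: str, personal_terms: list[str]) -> bool:
    """True if a known personal term (pet, spouse, significant date) is embedded."""
    lowered = password.lower()
    return any(t and t.lower() in lowered for t in personal_terms)


def check_password(password: str, personal_terms: list[str] = ()) -> list[str]:
    """Return the list of policy rules the password violates (empty = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if has_pattern(password):
        problems.append("keyboard pattern or common word")
    if has_personal_info(password, list(personal_terms)):
        problems.append("contains personal information")
    return problems


def find_reuse(passwords_by_platform: dict[str, str]) -> list[list[str]]:
    """Group platforms that share one password, without echoing the password back."""
    groups: dict[str, list[str]] = {}
    for platform, pw in passwords_by_platform.items():
        groups.setdefault(pw, []).append(platform)
    return [sites for sites in groups.values() if len(sites) > 1]
```

`find_reuse` is meant for a one-off audit run by the user on their own vault export; in practice a password manager's built-in reuse report does the same job without handling plaintext.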
Insecure passwords run the risk of allowing a hacker access to your entire system of information, especially when you don’t properly manage user accounts, as we’ll discuss further in the next section.
2. Not Accurately Managing User Accounts
Picture your CRM software. If you use a cloud-based system, you certainly have a password to log in and gain access to the information within it. Now, imagine one of your staff members is a little careless with their password, making it “qwerty” (one of the most commonly used passwords).
Their vulnerable account ends up being compromised after a hacker correctly guesses the password. If you haven’t set up user permissions for each of your staff members, this hacker will gain access to all of your supporters’ sensitive data. This could include names, addresses, payment information, and more.
User permissions aren’t a sign of distrust in your teammates; they’re a precaution in case the worst happens.
Only give your team members access to the tools and information that they actually need for success. For example, consider the information each of these team members might need access to in your CRM:
- Event planners might need access to your supporter segments and contact information to create a successful event and segment marketing outreach for event invitations.
- Major gift fundraisers might need access to wealth and engagement information about each of your supporters to gauge who might be a prospective major supporter. They’ll also need those supporters’ contact information in order to reach out.
- Marketing directors probably don’t need financial information about your supporters. However, they will need access to engagement history and contact information to segment supporters and send out information regarding the organization’s next campaign.
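The role examples above map naturally onto a deny-by-default permission table: a compromised account can only expose the data its role was granted. This is an added example, not the article’s or any CRM vendor’s code; the role and field names are assumptions chosen to match the three roles described.

```python
# Constructed CRM data categories the article mentions (names are assumptions).
CRM_FIELDS = {"contact_info", "segments", "engagement_history", "wealth_info", "payment_info"}

# Each role gets only what it needs; anything not listed is denied.
ROLE_PERMISSIONS = {
    "event_planner": {"contact_info", "segments"},
    "major_gift_fundraiser": {"contact_info", "wealth_info", "engagement_history"},
    "marketing_director": {"contact_info", "engagement_history", "segments"},
    "finance": {"contact_info", "payment_info"},
}

# Constructed user-to-role assignments for the audit below.
USER_ROLES = {"ana": "event_planner", "ben": "major_gift_fundraiser",
              "cy": "marketing_director", "dee": "finance"}


def can_access(user: str, field: str) -> bool:
    """Deny by default: unknown users, unknown roles and unknown fields all return False."""
    if field not in CRM_FIELDS:
        return False
    role = USER_ROLES.get(user)
    return field in ROLE_PERMISSIONS.get(role, set())


def exposed_on_compromise(user: str) -> list[str]:
    """Data an attacker would reach with this one account (the breach blast radius)."""
    return sorted(f for f in CRM_FIELDS if can_access(user, f))


def users_with_access(field: str) -> list[str]:
    """Audit helper: who can read a sensitive field such as payment_info?"""
    return sorted(u for u in USER_ROLES if can_access(u, field))
```

Compare `exposed_on_compromise("ana")` with the all-or-nothing case the article describes, where no permissions are set and a single guessed password reaches every field.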
When you set up the permissions for different team members in your system, be sure to explain that these permissions don’t represent the amount of trust that you have in your team. Rather, it’s a security measure that you need to take with everyone.
A security breach could make your supporters lose trust in your organization, which greatly reduces your potential to retain those donors or build a strong base for support for your organization.
Create an open line of communication between yourself and your team members about the importance of security and explain the purpose of the permissions to make sure they understand your intentions. This will help avoid the possibility of distrust or ill-will among teammates.
3. Failing to Update Software Right Away
When you get the notification that it’s time to update your phone’s software, do you do it right away? Or do you hit “ignore” and wait until it’s convenient for you, sometimes waiting weeks to make these vital updates? In truth, it’s better to make these updates as soon as possible given that they often contain important bug fixes and security patches necessary to keep your information safe.
Your nonprofit’s software is the same, so it’s vital to install updates as they’re available to maintain a secure system.
For example, let’s consider your website. Updates to your content management system are often designed to close off intrusions that could expose the information you collect from your supporters through donation forms, event registrations, and more. If you don’t update immediately, you’re leaving your site unprotected.
This guide explains that when you purchase nonprofit software, one of the things you should ask about is the product’s changelog. A changelog is a record of the updates that software has undergone over the years, which provides important information about the various patches and security updates that it’s already had. By analyzing this information, you can see how frequently security updates are rolled out across the system.
To be sure that your system is as up-to-date as possible, we recommend assigning one person to be responsible for updates. This prevents multiple team members from leaving the responsibility to someone else and the task never getting done.
Then, communicate who this person is to everyone else. That way, when a team member sees that an update is available, they can simply contact the appropriate person to install it. And they’ll make sure it’s done in a timely manner.
4. Skimping on Team Education
The first step many organizations take to emphasize cybersecurity is usually to educate staff members on the importance of online security. While this is a great starting point, simply understanding security measures that you need to take as an organization isn’t enough to ensure lasting precautions are taken.
When it comes to team education, you should make sure to:
- Invest in a course to teach about cybersecurity. As we said, this is a necessary first step, but it’s not the end-all-be-all solution. Look for existing courses by professionals in the industry. For instance, you might look for educational content through credible resources such as Nonprofit Courses and invest in your team’s base of information.
- Make sure staff members understand the policies at your own organization. After you’ve laid the foundation with effective team education resources, you can explain your own policies and what you’re doing to keep everyone safe, as well as set expectations for your team.
- Continue training and check-ins to make sure everyone upholds standards. Test your team with fake phishing emails and other check-ins to ensure everyone follows the correct procedures. This keeps cybersecurity front of mind for everyone.
Often, especially when planning a large event or campaign, nonprofits recruit volunteers or temporary employees to help handle some of the extra work. If you find yourself in this situation, make sure you also incorporate cybersecurity courses and education for these team members. The last thing you’d want is for a small mistake to happen and your organization to become vulnerable online.
Nonprofit cybersecurity is an issue that organizations need to take seriously in order to maintain safe and secure data. When data breaches happen, you’re likely to lose the valuable trust that you’ve built up with your supporters, potentially permanently damaging the reputation of your organization.
Avoid the common mistakes that nonprofits make when it comes to cybersecurity and make sure you’ve done everything you can to ensure a secure system.