Security

Product Spotlight: What Would an Attacker Do? Know Your Risks to Protect Your Nonprofit

Nonprofit organizations, colleges and universities are most susceptible to security incidents that lead to identity theft, according to the FBI and the Privacy Rights Clearinghouse, a consumer information and advocacy group.

The Softer Side of Security

Submitted by Brett on Wed, 04/28/2010 - 9:45am

Peter Campbell, Earthjustice

As the technical staff in our nonprofits, we wrestle with all sorts of complex security concepts: firewalls, encryption, network address translation.

But here are three quick questions:

  • Would you spend $10,000 on a security system for your building, and then set the access code to "12345"?
  • Would you set the administrative account name and password for your network to the same thing that five other companies in your building use?
  • Would you allow an outside vendor to manage your network without sharing the passwords with you or anyone else at your organization?

All of the sophisticated systems in the world offer little more than a Swiss cheese defense if we don't have good organizational policies to address the human side of security.

The Questions Every Nonprofit Should Ask About Sensitive Data

Submitted by Brett on Wed, 04/28/2010 - 8:51am

Jake Marcinko, Blackbaud

These days, big data breach headlines are becoming almost blasé. We’ve grown so accustomed to such incidents that the mere threat of a data breach no longer carries the weight and urgency that it once did.

The lack of greater public outcry regarding the volume of data breaches is perplexing when you consider that according to an October 2009 Gallup poll, 66% of all U.S. adults worry "frequently" or "occasionally" about being the victim of identity theft. The issue of identity theft ranks higher among poll participants than the issues of terrorism, burglary, sexual assault, and murder.

According to a study conducted by Javelin Strategy and Research, almost 30% of those polled said they would stop donating to or sponsoring an institution that suffered a data breach.

So, how do nonprofits address data security and privacy concerns with limited technical resources?

Passwords: The Biggest Lesson from the Twitter Hack

Submitted by Holly on Tue, 07/21/2009 - 10:32am

If you use Twitter, go online, or have ears, you've probably heard all about the Twitter hack a week or so ago. Nik Cubrilovic of TechCrunch, who has been corresponding with the responsible person, has shared the details of the hack.

This wasn't one of those sophisticated, sexy hacking attempts that Hollywood likes to make movies about. No, this was a simple game of hack the password. First, the hacker used the "forgot password" feature on Gmail, which told the hacker that the password was being sent to the user's backup email account: xxxxx@hxxxxxx.com. The hacker correctly guessed that the email was going to a Hotmail account, and headed there to try to log into it. This is when his luck really kicked in:

2009 NTC Preview: Lance Wolack on Protecting Your .ORG Domain

Submitted by Holly on Tue, 04/21/2009 - 8:19am

Do you know what DNSSEC is? I didn't either. I'm still not totally certain, but what I CAN tell you is this: It used to be that you didn't really have to worry about the kinds of security issues that plague big organizations, but the times are changing, and so are the hackers. More of us than ever are vulnerable to the kinds of security holes that hackers like to exploit.

Lucky for us, we have the Public Interest Registry on our side. Lance Wolack of PIR is leading a session at the NTC to help us untangle all the security mysteries that threaten our .org domains: "Building a Stronger and More Secured Online Community". We spoke about that session a while back:

Inbox N'at

Submitted by Holly on Thu, 12/18/2008 - 9:38am

Flickr Photo: Dunechaser

I'm shovelling my way out of both snow and email this week.

The snow part has been humorous (because Portlanders don't do snow). The email in-box project has also been surprisingly fun: I found quite a few tidbits -- or this n'at, as Pittsburghers would say -- worth sharing.

Here are some of the things I came across that you might also enjoy:

Your End of Year IT Checklist

Submitted by Holly on Fri, 12/05/2008 - 2:12pm

Flickr Photo: RXAPhoto

Last week, I received a nice email from Wes Trochlil at Effective Database Management. Many moons ago, Wes helped us select our association management software. I like getting email from Wes because he usually has great practical advice.

True to form, this email included a list of suggestions from his clients for making an end-of-year IT checklist. As we close out the year, we should probably all ask ourselves if those widgets, gizmos, and gadgets we work so hard on all year are actually working. One suggestion was:

Convio Security Issues Revisited

Submitted by Holly on Tue, 11/27/2007 - 9:53am

The Convio security breach is in the news again, this time in the New York Times, just in time for the holiday giving season. NTEN members Beth Kanter and Allan Benamer are both quoted, and both raise really important issues that you need to consider.

“This wasn’t the best time for this to happen,” said Beth Kanter, a consultant and blogger. “It’s a matter of donor stewardship, and while it’s not an emergency, you need to treat it as if it was one.”

Beth's right. The holiday giving season is upon us. Even if your organization was not affected by this breach, you need to let your stakeholders know what you're doing to protect their data, and proactively help them protect it themselves. Remind your stakeholders about good password policies. Let them know you're looking out for them.

Security Matters

Submitted by Brett on Thu, 11/08/2007 - 5:04pm

Convio's GetActive platform suffered a security breach a couple of weeks back that resulted in the compromise of some users' passwords. If you'd like in-depth information, check out Allan Benamer's blog for a blow-by-blow account, but for most users the issue is simple: How can I make sure my password is safe?

In the case of something like the GetActive breach, the simple answer is, you can't.

Who Is Your WHOIS?

Submitted by Holly on Mon, 09/24/2007 - 11:44am

The Nonprofit Times has a good story today about the potential perils of Cyber-squatting, and how better domain management can help protect you. This probably applies more to the larger nonprofits out there, the kind who generate enough web site traffic to warrant the investment this kind of fraud takes. But, it could happen to anyone.

More importantly for most orgs, it raises the general issue of managing your domain wisely. Even if your organization is not likely to fall victim to cyber-squatters, not knowing where your domain is registered or who is listed as the contact is an issue for any organization.

PIR, the Public Interest Registry, launched a campaign this year to ProtectYour.org. They cite 5 key steps to protecting your domain:

  1. Verify registration of your .ORG domains
  2. Verify and update .ORG administrative contact information regularly
  3. Check that email contact information is valid
  4. Consolidate .ORG domain names with one registrar
  5. Register your .ORG domain name for the maximum time