With the COVID-19 crisis putting tremendous pressure on nonprofits to adapt and respond across multiple fronts – and fast – now is not the time to tackle complex and expensive technical rollouts. However, from team use of security settings, to strategic switches from analog to digital processes, to heightened vigilance when sending and receiving email, there are many opportunities for nonprofits to close the worst of the security gaps.
The best safeguards against a cyberattack lie at the intersection of your technology and your team. All efforts should start with educating all staff members about potential risks, creating shared ownership of both the problems and the solutions.
Here are a few ways to prevent or foil cyberattacks proactively—as a team. As Stanford University nonprofit data security expert Lucy Bernholz says: “Tools matter. People matter more.”
Urge teams to redouble their email vigilance — both sending and receiving.
When receiving email, caution is always warranted, especially with messages from unknown or unexpected sources. Common ploys include relying on fear-inducing subject lines — think “New Coronavirus Cases Confirmed in Your City” — from sources claiming to be reputable government agencies. Emails asking for “urgent donations” of any kind, which may include detailed wire instructions, are also highly suspect. But even benign requests for the recipient to click a link or share detailed information should always be viewed with caution.
Employees should also use caution when sending an email, whether to internal or external audiences. Some sites purporting to provide COVID-19 news updates can contain malware and adware. When possible, it’s better not to attach documents to external emails, as this is a common phishing ploy. Instead, your employees can direct recipients to trusted login portals to obtain information.
Take stock of the protections offered by your digital tools, and use them as a team.
The shift to working from home means many organizations are considering shifts to digital tools to help with day-to-day necessities, like tracking grants or donor activity.
If you haven’t already, it’s worth considering where your organization can switch to all-digital: How about replacing check handling with electronic funds transfer? Or leveraging grant tracking tools instead of spreadsheets? Tools such as Quicken, Salesforce, Zoom, or Skype are just some of the options in this space, and good examples of where to start.
These tools typically provide protective capabilities such as data encryption, workflow, and usage tracking. One great first step to creating a team culture with a secure mindset: host a meeting where your team navigates together to the security features already existing on your digital tools — then switch them on as a group.
Protect your financial transactions, and keep a close eye on any money movement.
Going with digital options for financial activities requires extra vigilance. Any money movement should be guarded by layers of security, like multi-factor authentication or donor validation. To activate these options, just ask your financial institution and check in with the makers of any of your digital fundraising tools.
For day-to-day monitoring, consider signing up for digital statements from your financial institution. Set aside extra time for monitoring those statements for suspicious activity. If your institution offers instant notifications on account activity, even better.
Know where your organization’s data is stored and who has access.
Organizations often assume that anything to do with data storage and access is relegated to “the tech team.” This is not the case. Anyone within an organization can help ferret out weaknesses in data stores and access points.
Anyone on your team can start by looking at the information most often referenced when engaging with donors — names, donation history, addresses, email, and more. From there, they can ask some basic questions — the same questions you ask yourself at home when thinking about your bank transactions:
- Where is this information stored?
- Which vendors am I trusting to keep this information safe?
- How might untrusted entities obtain access to this data?
- How could they manipulate existing donor relationships or processes?
It may feel overwhelming to read this right now, with so many needs requiring fast action by your organization to help the world during an unprecedented time of crisis. However, the team energy and trust needed to build and maintain a secure mindset may be closer than you think. When your goal is to protect the integrity of your nonprofit’s mission and ability to help, you will often find your team ready to step up so you can all focus on your primary mission: helping the world.
For more assistance, check out our Cybersecurity Guidance for NPOs.
Chief Technology Officer, Fidelity Charitable
Katherine Lagana is chief technology officer for Fidelity Charitable®, an independent public charity that has helped donors support more than 300,000 nonprofit organizations with $42 billion in grants since 1991. The mission of Fidelity Charitable is to further the American tradition of philanthropy by providing programs that make charitable giving accessible, simple, and effective.
Ms. Lagana joined Fidelity Charitable in 2015 and is responsible for enabling the organization to be on the cutting edge of technology and philanthropy, while ensuring reliability for all Fidelity Charitable systems.
Prior to joining Fidelity Charitable, Ms. Lagana led global product development at LexisNexis®. Before that, she was responsible for advanced global product delivery at Microsoft Office. Ms. Lagana began her career at Apple building higher education, developer, and consumer products.
Outside of the office, Ms. Lagana is an avid volunteer for Habitat for Humanity and STEM programs for young women.