Tag: cybersecurity

As more nonprofit employees work from home, scammers can seize this time of crisis to manipulate your technology to target your donors and your team.

With the COVID-19 crisis putting tremendous pressure on nonprofits to adapt and respond across multiple fronts, and fast, now is not the time to tackle complex and expensive technical rollouts. However, from turning on the security settings your tools already have, to replacing analog processes with digital ones, to heightened vigilance when sending and receiving email, there are many opportunities for nonprofits to close the worst of the security gaps.

The best safeguards against a cyberattack lie at the intersection of your technology and your team. All efforts should start with educating all staff members about potential risks, creating shared ownership of both the problems and the solutions.

Here are a few ways to prevent or foil cyberattacks proactively—as a team. As Stanford University nonprofit data security expert Lucy Bernholz says: “Tools matter. People matter more.”

Urge teams to redouble their email vigilance — both sending and receiving.

When receiving email, caution is always warranted, especially with messages from unknown or unexpected sources. Common ploys include relying on fear-inducing subject lines — think “New Coronavirus Cases Confirmed in Your City” — from sources claiming to be reputable government agencies. Emails asking for “urgent donations” of any kind, which may include detailed wire instructions, are also highly suspect. But even benign requests for the recipient to click a link or share detailed information should always be viewed with caution.

Employees should also use caution when sending email, whether to internal or external audiences. Sites purporting to provide COVID-19 news updates can carry malware and adware, so do not forward links to them. When possible, avoid attaching documents to external emails: unexpected attachments are a common phishing ploy, and conditioning recipients to open them makes the real attacks easier. Instead, direct recipients to a trusted login portal to obtain the information.

Take stock of the protections offered by your digital tools, and use them as a team.

The shift to working from home means many organizations are considering shifts to digital tools to help with day-to-day necessities, like tracking grants or donor activity.

If you haven’t already, it’s worth considering where your organization can switch to all-digital: How about replacing check handling with electronic funds transfer? Or leveraging grant tracking tools instead of spreadsheets? Tools such as Quicken, Salesforce, Zoom, or Skype are just some of the options in this space, and good examples of where to start.

Then, consider how your new and existing digital toolsets protect your organization’s data. Can the team quickly place hands on the organization’s existing vendor contracts to review terms of use? Is the entire team using the latest version of the tool itself? Are there settings an administrator can enforce for everyone, such as multi-factor authentication, sharing restrictions, and audit logging, rather than leaving them to individual choice?

These tools typically provide protective capabilities such as encryption of stored data, multi-factor authentication, approval workflows, and audit logs of who accessed what. One great first step to creating a team culture with a secure mindset: host a meeting where your team navigates together to the security features already present in your digital tools, then switch them on as a group.

Protect your financial transactions, and keep a close eye on any money movement.

Going with digital options for financial activities requires extra vigilance. Any money movement should be guarded by layers of security: multi-factor authentication on the accounts, dual approval for transfers, and verification of any change to payment instructions through a phone number you already know rather than by replying to the email that requested the change. To activate these options, just ask your financial institution and check in with the makers of any of your digital fundraising tools.

For day-to-day monitoring, consider signing up for digital statements from your financial institution. Set aside extra time for monitoring those statements for suspicious activity. If your institution offers instant notifications on account activity, even better.

Know where your organization’s data is stored and who has access.

Organizations often assume that anything to do with data storage and access is delegated to “the tech team.” This is not the case. Anyone within an organization can help ferret out weaknesses in data stores and access points.

Anyone on your team can start by looking at the information most often referenced when engaging with donors — names, donation history, addresses, email, and more. From there, they can ask some basic questions — the same questions you ask yourself at home when thinking about your bank transactions:

  • Where is this information stored?
  • Which vendors am I trusting to keep this information safe?
  • How might untrusted entities obtain access to this data?
  • How could they manipulate existing donor relationships or processes?

It may feel overwhelming to read this right now, with so many needs requiring fast action by your organization to help the world during an unprecedented time of crisis. However, the team energy and trust needed to build and maintain a secure mindset may be closer than you think. When your goal is to protect the integrity of your nonprofit’s mission and ability to help, you will often find your team ready to step up so you can all focus on your primary mission: helping the world.

For more assistance, check out our Cybersecurity Guidance for NPOs.

The 2019 Global NGO Technology Report is based on the survey results of 5,721 NGOs, NPOs, and charities worldwide. Now its fourth edition, this year’s report reveals over 100 nonprofit technology benchmarks for charitable organizations by region: Africa, Asia, Australia, and New Zealand, Europe, Latin America and the Caribbean, and the United States and Canada. In addition to English, the report is also available in French, Spanish, and Portuguese.

The amount of data in the report is extensive, but worth an hour of study. How does your organization compare to other organizations in your region in adopting email marketing, online fundraising tools, social media, and emerging trends? Key findings for each region are presented in the report, but there are four top recommendations that can be gleaned from the data.

1) Send emails more often to your supporters and donors.

Nonprofits in the United States began using mass email in the late 1990s. Constant Contact, which launched in 1995, enabled organizations to reach hundreds, thousands, and then tens of thousands of supporters and donors at a relatively low cost — compared to print, T.V., and radio. It was also at this time that early-adopter nonprofits began launching websites and signing up for online donation processors for the first time, namely PayPal and GroundSpring (acquired by Network for Good in 2005).

Though it is common knowledge today that email is crucial for online fundraising success, in the late 1990s and early 2000s, email fundraising was an unknown, and best practices were being developed through experimentation. Those organizations who first used email to link to “Donate Now” pages learned that it resulted in a slow, but steady growth of online donations over time. The organizations that pioneered email fundraising have spent two decades now perfecting the art and science of digital storytelling that inspires online giving and providing a donation page where it can be done quickly and with ease.

[Graphic: the percentage of NGOs that have a website, a privacy policy, and an SSL certificate, alongside a pie chart of how often NGOs email supporters.]
The report includes data from 5,721 NGOs across 160 countries. Key findings include: 1) The average number of email subscribers is 14,021; 2) 35% of NGOs send monthly emails and 30% send quarterly emails; 3) 71% of websites have a privacy policy; 4) 70% have an SSL certificate.

Outside of the U.S., the story of email marketing and fundraising is quite different. The use of email marketing services like Constant Contact and MailChimp spread more quickly in Canada, the United Kingdom, and Australia and New Zealand, but most NGOs in Africa, Asia, Latin America, and the Middle East have only begun to understand the power of email for digital communications and fundraising within the last few years. In the U.S., people first came online through dial-up, Yahoo! Mail, and Hotmail. In most other parts of the world, it was through the smartphone revolution and the rise of social media, especially with the launch of the Android operating system and Facebook reaching the 100 million user benchmark, both of which occurred in 2008.

Today, according to the 2019 Global NGO Technology Report, 71% of NGOs worldwide send email updates, and 54% send email fundraising appeals. In the U.S. and Canada, the numbers are the highest — 82% send email updates, and 66% send email fundraising appeals, while in Latin America and the Caribbean, the numbers are the lowest – 58% send email updates and 39% send email fundraising appeals.

However, what is consistent across all regions is that organizations are overly cautious about sending emails to their donors and supporters. 30% send email updates quarterly and 35% send monthly, yet 27% of online donors worldwide (according to the 2018 Global Trends in Giving Report) say that email is the digital communication tool that most inspires them to give.

If your organization prioritizes online fundraising, it would be wise to ramp up your email marketing efforts. If you send email updates quarterly, increase to sending monthly. If you send monthly, try sending email updates every other week. Tell a good story, ask people to give online, and share your organization’s success stories more often via email. A few may unsubscribe because of the increased frequency, but that will likely be counter-balanced with an increase in online donations.

2) Embrace #GivingTuesday!

Giving Tuesday was created when two organizations, the 92nd Street Y and the United Nations Foundation, came together in 2012 to promote charitable giving during the shopping extravaganzas of #BlackFriday and #CyberMonday which occur in the days after the U.S. holiday known as Thanksgiving. Today, #GivingTuesday has become the biggest giving day in history.

U.S. and Canadian nonprofits have the highest participation rate in #GivingTuesday at 58%. That’s not surprising considering the giving day was born in New York City. The participation rates for NGOs, NPOs, and charities, however, are much lower in the rest of the world:

  • Africa: 22%
  • Asia: 19%
  • Australia & New Zealand: 7%
  • Europe: 25%
  • Latin America and the Caribbean: 20%

[Illustration: the Giving Tuesday heart logo versioned across six countries, each with a corresponding hashtag. Resource: Giving Tuesday Global]

There are two primary reasons why #GivingTuesday is less popular outside of the U.S. and Canada. The first is that it simply takes time for word to spread online worldwide; the organizers of Giving Tuesday have needed years to build partnerships around the world. The second is the online language barrier, which creates English-only bubbles on the World Wide Web. Now that more #GivingTuesday resources, as well as nonprofit websites, are available in multiple languages, the language barrier will begin to crumble rapidly. Now in its seventh year (December 3, 2019), the giving day is picking up momentum worldwide.

Organizations in developing nations often ask how to reach wealthy donors in the U.S., Canada, Europe, etc. First, create an email strategy and make a concerted effort to grow your email list. Second, embrace #GivingTuesday! Study the giving day, download the Official Giving Tuesday Toolkit, and jump right in. Introduce donors in your country to Giving Tuesday and use it as an outreach tool to reach donors abroad. Each year, your organization will learn more about how to promote the giving day effectively online and, consequently, improve your results.

3) Accept cryptocurrency.

The 2019 Global NGO Technology Report also revealed that 2% of organizations worldwide accept Bitcoin or other Cryptocurrencies – up from 1% in 2018. Although not a large increase, the cryptocurrency market is on the verge of radical change.

[Illustration: a phone showing money received from a donor, captioned "A connected wallet for a connected world." Resource: Calibra | Digital Wallet for Libra Cryptocurrency]

As much as we love to hate/like/revere/fear Facebook, the release of its global cryptocurrency, Libra, planned for 2020, will likely, eventually, be integrated into Facebook Charitable Giving Tools and accepted by the world’s largest payment processors. As the largest social network in the history of humankind, Facebook’s entry into cryptocurrency has the potential to transform digital money as we know it and break down many of the obstacles to giving and receiving internationally.

If your organization is new to cryptocurrency, The Giving Block and Bitpay are pioneering cryptocurrency payments for nonprofits, as well as information sharing and research. Also, Facebook has launched the Libra Association, a not-for-profit membership organization, headquartered in Geneva, Switzerland.

4) Make your website secure and accessible to all.

Finally, according to #NGOtech19, 70% of NGOs, NPOs, and charities worldwide have an SSL certificate (more precisely, a TLS certificate that lets the site be served over HTTPS), with the lowest rate in Asia (58%) and the highest in the U.S. and Canada (81%). Since July 2018 (Chrome 68), Google Chrome has labeled every page served over plain HTTP as “Not secure” in the address bar, other major browsers have followed, and Google uses HTTPS as a ranking signal in search. Translation: if your organization’s website is one of the 30% worldwide that do not have a certificate, visitors see a warning next to your address, anything they type into your forms (including donation details) crosses the network in the clear, and your search ranking suffers. Most visitors will not proceed on a site their browser calls unsafe.

Fortunately, this is an easy, and in most cases free, problem to fix. First, open your website in your browser of choice with “https://” in front of the address. If the browser warns about the certificate, or the site only loads over “http://”, your website is not properly served over HTTPS. Ask your web host to install a certificate (most hosts now issue free ones through Let’s Encrypt and renew them automatically) and to redirect every http:// request to https://, so visitors who type or bookmarked the old address still land on the secure version. Certificates expire (every 90 days for Let’s Encrypt), so confirm that renewal is automated rather than a calendar reminder.
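A way to check the items above from a terminal rather than by eye, as an added example that is not part of the original article: a Python script that validates the certificate chain the way a browser does, reports days until expiry, and confirms that plain http:// redirects to https:// and that HSTS is set. The 14-day expiry warning and the severity labels are this example's own choices, and `example.org` is only a placeholder host; the assessment logic is kept separate from the network probe so it can be exercised offline.

```python
"""HTTPS posture check for a website: valid certificate, days to expiry,
HTTP->HTTPS redirect, and HSTS. Added example, not from the original article."""
import http.client
import socket
import ssl
import sys
import time
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Findings:
    https_ok: bool = False                 # TLS handshake succeeded and the chain validated
    cert_days_left: Optional[int] = None   # days until the leaf certificate expires
    http_redirects_to_https: bool = False  # plain http:// answers with a redirect to https://
    hsts: bool = False                     # Strict-Transport-Security header present
    errors: List[str] = field(default_factory=list)


def assess(f: Findings) -> List[str]:
    """Turn raw findings into prioritized action items (pure function, testable offline)."""
    actions = []
    if not f.https_ok:
        actions.append("CRITICAL: no valid HTTPS; install a certificate (free via Let's Encrypt)")
        return actions  # nothing else is meaningful until HTTPS works
    if f.cert_days_left is not None and f.cert_days_left < 14:  # 14 days is this example's threshold
        actions.append(f"HIGH: certificate expires in {f.cert_days_left} days; automate renewal")
    if not f.http_redirects_to_https:
        actions.append("HIGH: http:// still serves content; redirect all HTTP to HTTPS (301)")
    if not f.hsts:
        actions.append("MEDIUM: no Strict-Transport-Security header; add one once the redirect works")
    return actions


def check_site(host: str, timeout: float = 5.0) -> Findings:
    """Probe a live host (network access required). The hostname is whatever you pass in."""
    f = Findings()
    ctx = ssl.create_default_context()  # verifies chain and hostname the way a browser does
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                expires = ssl.cert_time_to_seconds(cert["notAfter"])
                f.cert_days_left = int((expires - time.time()) // 86400)
                f.https_ok = True
        conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
        conn.request("GET", "/")
        f.hsts = conn.getresponse().getheader("Strict-Transport-Security") is not None
        conn.close()
    except (OSError, http.client.HTTPException) as e:  # ssl.SSLError (bad chain, wrong name, expired) is an OSError
        f.errors.append(f"https: {e}")
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        location = (resp.getheader("Location") or "").lower()
        f.http_redirects_to_https = resp.status in (301, 302, 307, 308) and location.startswith("https://")
        conn.close()
    except (OSError, http.client.HTTPException) as e:
        f.errors.append(f"http: {e}")
    return f


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.org"  # placeholder host
    findings = check_site(target)
    print(findings)
    for line in assess(findings) or ["OK: HTTPS, redirect and HSTS all in place"]:
        print(line)
```

Run it as `python https_check.py yourdomain.org`. A site that passes every check still needs its renewal automated; the script only tells you how many days you have left.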

Also revealed in the 2019 Global NGO Technology Report: only 18% of websites worldwide are accessible to people with visual or hearing disabilities. In 2010, the World Health Organization estimated the number of visually impaired people in the world at 285 million, a number that has likely grown significantly in the nine years since. NGOs, NPOs, and charities worldwide serve as the collective online voice for justice and equality, and their online presence needs to reflect that responsibility. Making your website accessible to all should be a top priority. The first step is to learn, and then implement, the Web Content Accessibility Guidelines (WCAG) published by the World Wide Web Consortium.

In Conclusion: Additional Must-Know Data and Research Reports

Above are four action items for your nonprofit’s digital communication and fundraising strategy gleaned from the results of the 2019 Global NGO Technology Report. However, many more can be learned from downloading the report and reading the key findings. That said, there are 22 other extremely valuable research reports for the nonprofit, NGO, and charity sectors worldwide. The reports provide benchmarks for success, analysis of emerging technology trends, and valuable insight into how donors are evolving worldwide.

We are calling on foundations to actively partner with grantees to fund and enable cybersecurity.

NTEN, TAG, and Tech Impact aim to elevate cybersecurity as a sector-wide concern, including funders, grantees, and nonprofit partners. The first step to making a change is to build awareness among those with the ability to do and fund capacity building work. This partner report is part of the Cybersecurity Essentials for Philanthropy series by TAG.

In this report we cover:

  • The state of cybersecurity among nonprofit organizations
  • Guidance on providing direct funding for security projects
  • Capacity building grant ideas for cybersecurity
  • Where to locate resources specific to grantees’ size and structure
  • Thoughts on how to set standards for grantees while avoiding unfunded mandates

Download the report and share with someone who can make a difference in philanthropy today.

The secret to a CRM (constituent relationship management) implementation for nonprofits is that it’s not just about technology. It’s about the people.

What people? Your people. Your team. Whom do you work with? What do they need? What processes do they currently follow?

CRM software is a multifaceted tool, so it helps to do a bit of planning before you implement. Some tips based on our experience in nonprofit technology are:

Understand What Your Nonprofit Needs, Before Talking Technology
While a nonprofit CRM can solve many pain points, the most successful technology implementations do not actually start with technology. Take time to talk to people. Explore WHY they follow the processes they do. Chances are, if they’re still following the same processes from 10 years ago “just because,” it is worth redesigning those processes on a whiteboard before you program them into a new system. We believe that even if you’re in IT, it helps to have some experience in change management.

Here are some related book recommendations for people skills to build influence and maybe even help you get people to LIKE change:

Who Should Be Involved? Create a Responsibility Matrix
Use a Responsibility Assignment Matrix, also known as a RACI Chart (for who is Responsible, Accountable, Consulted, and Informed). Before you provision user licenses, you need to know who needs what level of access. Their role in your organization determines that and what they need to do their job. For more technical details on “who sees what,” here’s a handy whiteboard video from Shell Black.

Check Your Nonprofit Technology Infrastructure
What would you do if an earthquake or hurricane hit your nonprofit? Your nonprofit’s infrastructure needs to be sturdy enough to accommodate backups and have a clear disaster recovery process. Your local fire department may have classes on emergency response (see San Francisco’s for an example of volunteer training), so think about what your disaster checklist should be. San Francisco Community Agencies Responding to Disaster (SF CARD) has a good template designed specifically for nonprofits, or you could use disaster prep resources from FEMA.

Use the Cloud!
If you’re still handling donor data on-premise, you are exposed to your server going down, to handling computer updates yourself, to not being able to reach data outside the office, and to other problems that range from inconvenient to dangerous. Hosting your donor database with a cloud CRM provider gets you automatic updates and provider-managed backups. It does not outsource everything, though: who can log in, whether MFA is turned on, and how data exports are handled remain your responsibility.

Use a Secure CRM and Password Protected Login
OK, we know we’ve been talking about people skills and project management, so let’s get into a few technical tips now. Make sure your nonprofit staff doesn’t write passwords on a post-it on their desks. Use long, unique passwords: a passphrase of several unrelated words beats a short string of mixed symbols, because length matters more than forced character classes, and a password that has already shown up in a breach is worthless no matter how complex it looks. Never reuse a password across services. Use a password management tool to generate and store passwords with encryption. Don’t share passwords with colleagues; if two people need access, give each their own account so you can see who did what. Grant access by role: do programs staff need to see donor credit card information? Probably not. Keep your nonprofit CRM behind a login that enforces these rules and, wherever the CRM supports it, multi-factor authentication, so that a leaked password alone does not expose donors’ personally identifiable information.
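One control that current guidance (NIST SP 800-63B) puts ahead of composition rules is rejecting passwords that already appear in breach dumps. As an added example that goes beyond the text above, and is not Salesforce.org's code, here is a Python check against the Have I Been Pwned "Pwned Passwords" range API, which receives only the first five characters of the password's SHA-1 hash (k-anonymity), never the password. The 12-character minimum and the User-Agent string are this example's own assumptions; the lookup is injectable so the logic can be tested without network access.

```python
"""Check a candidate password against the Have I Been Pwned range API using
k-anonymity: only the first five hex characters of SHA-1(password) leave your
network. Added example, not from the original article."""
import hashlib
import urllib.request
from typing import Callable, Optional

MIN_LENGTH = 12  # assumption for this example; length beats forced symbol mixes


def sha1_prefix_suffix(password: str):
    """Split SHA-1(password) into the 5-char prefix sent to the API and the 35-char remainder kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str, suffix: str) -> int:
    """A range response lists 'SUFFIX:COUNT' for every breached hash sharing the prefix.
    Return how many times our suffix appeared (0 = not found)."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup; the API needs only the prefix, so the password itself is never sent."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "nonprofit-password-check"},  # assumed identifier for this example
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def evaluate_password(password: str, lookup: Callable[[str], str] = fetch_range) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable."""
    if len(password) < MIN_LENGTH:
        return f"too short: use at least {MIN_LENGTH} characters (a passphrase is fine)"
    prefix, suffix = sha1_prefix_suffix(password)
    seen = parse_range(lookup(prefix), suffix)
    if seen:
        return f"appears in known breaches {seen} times: attackers try it first"
    return None


if __name__ == "__main__":
    import getpass
    reason = evaluate_password(getpass.getpass("Candidate password: "))
    print(reason or "acceptable")
```

Because the API only ever sees a 5-character hash prefix, the service cannot learn which password you checked; the full hash never leaves the machine, and the comparison happens locally.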

Have a Nonprofit CRM Planning, Implementation, and Training/Maintenance Phase
You’re not done when everyone has a login. Make sure you include time for staff training! (Again, effective nonprofit CRM implementation isn’t just about IT; people skills are also essential). Expect there will be a phase-in implementation when resources need to be devoted to either onsite training or outside consultants to train staff on how to use and extend the functionality of the CRM. Look for a nonprofit CRM that has a robust online community for Q&A and many partners to help with implementation if you need it.

This list could be longer because there are lots of details to consider, the most significant being to know when to be “peppy & cheap” and when there is no substitute for secure design protocols. Using old software and hardware can mean anticipating odd compromises to accommodate best practices and security. But that’s what makes life interesting!

Salesforce.org resources for further reading:

Like all nonprofits, Tech Impact continually struggles to balance cybersecurity against cost, time, and user frustration. Unfortunately, there isn’t a lot of room for error. With access to hundreds of nonprofits’ systems, Tech Impact is an attractive target for criminals, activist hackers, and even government agencies. We take our mission seriously and put as much as we are able into securing our environments.

On the other hand, as security experts ourselves, we are quick to spot the difference between what “they say” you should do and what actually makes us more secure. In this post, I’ll share a subset of our security practices so that you too can do more than check the box.

Policies

You’ve heard it before (probably from us) but having written policies is an essential part of any cybersecurity strategy. The trick is to have a specific goal in mind for every policy and to keep the document itself short and to the point. Here are some of the goals and policies that your organization should likely have:

Goal | Policy
Be able to hold staff accountable if they use systems or computers in an inappropriate way | Acceptable Use Policy
Educate staff about how to store and share sensitive information | Data Sharing & Storage Policy
Make sure risky data isn’t kept forever | Retention Policy
Educate staff about how to create, manage, and share passwords | Password Policy
Ensure staff understand the potential ramifications (wiping devices if staff leave) of using a personal device for work activities | Bring Your Own Device Policy
Prevent staff from transferring money or data based on impersonated emails | Approval Process for Bank & HR Data Transfer
Limit the number of administrators in our systems | Administrative Access Policy

One goal of our policies is to allow us to discipline staff who won’t take security seriously. But generally speaking, we don’t expect our policies to guarantee that our staff stays safe. Instead, we use them to educate staff about how to be safe using the tools available to them.

Training

To get staff actually to be safe, we rely much more on training and awareness. Being secure means making the right decisions dozens of times a day. Every time we email a client or share a file, we have to evaluate the risk and take appropriate safety measures. The high frequency of these decisions means that we can’t expect our staff to look up and follow complex policies.

Instead, we teach folks regularly about who might want to attack us, why those attackers are interested in us, and how those attacks are likely to happen. By educating about our actual threats instead of imagined or possible risks, we keep our staff paying attention. That’s why we focus on password strength, phishing attacks, and impersonation attacks and not on protecting against NSA EMF monitoring.

At Tech Impact, our learning culture doesn’t lend itself to formal training. Besides some mandatory training for staff dealing with sensitive data (like HIPAA-regulated data), we mostly don’t force our staff to sit down for training. Instead, we regularly send emails and chat messages to the team with information about attacks we have intercepted or articles that seem relevant. This constant drip of information keeps folks on their toes.

One formal approach we do recommend is a third-party phishing simulation service such as KnowBe4. Using the service, you send your staff simulated phishing emails. Folks who fail a test (by clicking the link and handing over their username and password) can be required to complete additional security training.

Escalation

Between our policies and constant communication, our staff is definitely paying attention! But paying attention isn’t enough by itself if folks don’t know what to do when they encounter something suspicious. At Tech Impact we’re lucky to have a resident security team. Our staff has been trained to forward emails or send questions to the team anytime they are worried about something that came in. By making it easy to report an issue and get help, we have dramatically increased engagement and often prevent staff from taking risky action.

For your organization, this might mean sending one person to security training, or it might mean sending questions to your support provider. However, you approach this make sure to keep a record of the kinds of questions and issues that come in so that you can identify trends and create better training.

Technology

Only now is it worth talking about technology. In truth, technology is important but not enough. Staff and attackers will always find a way to get around anything you put in place. Your best bet (at least for organizations that aren’t facing activist hackers or hostile governments) is to focus on policies, training, and escalation.

But if you’ve handled the basics, or if you are at particular risk, technology can absolutely help your organization stay safe. There are lots of resources out there about cybersecurity technology, so I’m not going to reinvent the wheel. But I will share with you some of the tools that we use. Note that this is only a portion of the technologies we use at Tech Impact to stay safe.

For Everyone

Some of the cybersecurity tools we use are foundational and should be used by every single nonprofit out there. Nothing listed here is particularly complicated or expensive, so don’t wait!

  • Software Updates & Anti-Malware: You should know this by now, but most malware-based attacks use known issues that have already been patched. Keeping your computers up to date and using Anti-Malware software is a foundational need for every nonprofit.
  • Multi-Factor Authentication (MFA): The single most effective thing you can do to keep your organization safe from account compromise. In addition to a username and password, your staff enters a separate code from an authenticator app (or, less ideally, an SMS text message) to log into systems. A stolen password alone then no longer gets an attacker in, which stops the bulk of phishing and password-reuse attacks. Only a phishing site that relays the code in real time can still get through, which is what the hardware-key options under “For a Few” address.
  • Single Sign-On: Use Office 365, Google Apps, Okta, or another cloud identity provider to let your users log into all your systems with a single username and password. This lets you enforce MFA across all your tools and lock every account down from one place, including disabling access everywhere at once when someone leaves. Any software you’re using that supports the SAML or OpenID Connect standards can be integrated for Single Sign-On.
  • Device Encryption: Encrypt your devices so that no one can read data off them even if they are lost or stolen. This is free and easy for Android, iOS, Mac OS, and most Windows computers!

For Many

For organizations that have some compliance needs (HIPAA, etc.) or are dealing with otherwise sensitive information, there are some basic tools that can make a big difference without considerable cost.

  • Encrypted Email: Allows you to send social security numbers, healthcare information, passwords, and other sensitive information by email. You send a standard email, but recipients get a simple notification with instructions to read and reply through a secure web portal. This portal model is not end-to-end encryption in the strict sense, since the service provider holds the keys and can read the message, but it keeps the content off intermediate mail servers and out of the recipient’s inbox, which is what most compliance requirements ask for.
  • Data Loss Prevention (DLP) Scanning: Scans outbound email, shared files, or files stored in semi-public locations for sensitive information like social security numbers or bank account information. This is an essential backup to your policies educating folks on how to safely store and transmit data.
  • Device Management: Lets you monitor devices remotely and make sure that they are kept up-to-date, encrypted, and secure. It also allows you to wipe them remotely if they are lost or stolen.
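What a DLP scanner does at its simplest, as an added example that is not from the original post or any DLP product: patterns for U.S. Social Security numbers and payment-card numbers run over a constructed outbound email, with the Luhn checksum used to discard digit runs that merely look like card numbers. The sample email, its names and numbers are constructed; 4111 1111 1111 1111 is the standard Visa test number, and the masking of matches is this example's own choice so the scanner's log does not itself become a leak.

```python
"""Minimal DLP scan: find U.S. SSNs and payment-card numbers in outbound text.
Card candidates are confirmed with the Luhn check to cut false positives.
Added example with constructed sample data; not from the original article."""
import re
from typing import Dict, List

# Area 000/666/9xx, group 00 and serial 0000 are never issued, so exclude them.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812): true for every real card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> Dict[str, List[str]]:
    """Return matches grouped by type, masked so that the scanner's own output is not sensitive."""
    hits: Dict[str, List[str]] = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        hits["ssn"].append(m.group()[:3] + "-**-****")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["card"].append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def should_block(text: str) -> bool:
    """Policy hook: hold the message if any sensitive pattern is present."""
    return any(scan(text).values())


# Constructed sample: one real-looking SSN, one valid test card, one digit run that fails Luhn.
SAMPLE_EMAIL = """Hi, attaching the donor sheet as requested.
Jane's SSN is 219-09-9999 for the payroll form, and please charge
the gala tickets to 4111 1111 1111 1111 (exp 04/27). Ref 1234-5678-9012-3456."""

if __name__ == "__main__":
    print(scan(SAMPLE_EMAIL))
    print("block:", should_block(SAMPLE_EMAIL))
```

The reference number 1234-5678-9012-3456 matches the card pattern but fails Luhn, so it is dropped; that second check is what keeps a scanner like this from blocking every invoice or tracking number that happens to contain sixteen digits.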

For a Few

There are a lot of things we do at Tech Impact because we are at high risk. These aren’t things I would recommend for everyone.

  • Conditional Access: Prevent devices from downloading files or syncing data if they aren’t enrolled in your device management platform. This keeps the staff from saving data to devices that aren’t encrypted or that you don’t own.
  • Advanced Multi-Factor Authentication: Text-message based MFA is the weakest form: codes can be intercepted by SIM-swap attacks against the phone carrier, and they are easily relayed by a phishing page that asks for the code and forwards it. We use app-generated codes (TOTP) on our mobile phones, which takes the carrier out of the picture, and are exploring U2F security keys and certificate-based MFA to make ourselves even more secure: a U2F key signs a challenge bound to the site’s real origin, so a look-alike phishing site cannot reuse the response.
  • Centralized Log Analysis: We send all of our logs to a system that looks for unusual behavior. If someone logs in from an unusual location or downloads more files than usual, our security team gets an alert and can investigate.
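The two detections named in the last bullet (a login from an unusual location, and a download volume well above the user's own norm), as an added example that is not Tech Impact's tooling: a small Python detector run over constructed sign-in and download events in the order they were logged. The user names, countries, file counts, the three-event minimum before a baseline is trusted, and the three-standard-deviation threshold are all illustrative assumptions.

```python
"""Two simple behavioral detections over centralized logs: new-country login and
download volume far above the user's own baseline. Added example with constructed
events; not Tech Impact's tooling."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List

# Constructed events in logged order: (user, event, country, files downloaded)
EVENTS = [
    {"user": "maria", "event": "login", "country": "US", "files": 0},
    {"user": "maria", "event": "download", "country": "US", "files": 12},
    {"user": "maria", "event": "login", "country": "US", "files": 0},
    {"user": "maria", "event": "download", "country": "US", "files": 9},
    {"user": "maria", "event": "download", "country": "US", "files": 15},
    {"user": "maria", "event": "download", "country": "US", "files": 11},
    {"user": "maria", "event": "login", "country": "RO", "files": 0},
    {"user": "maria", "event": "download", "country": "RO", "files": 480},
    {"user": "dan", "event": "login", "country": "CA", "files": 0},
    {"user": "dan", "event": "download", "country": "CA", "files": 3},
]


def detect(events, min_history: int = 3, z_threshold: float = 3.0) -> List[str]:
    """Stream the events, learning each user's own baseline and alerting on departures from it."""
    seen_countries: Dict[str, set] = defaultdict(set)
    download_history: Dict[str, List[int]] = defaultdict(list)
    alerts: List[str] = []
    for e in events:
        user = e["user"]
        if e["event"] == "login":
            # A country never seen for this user is an alert; the first login only seeds the baseline.
            if seen_countries[user] and e["country"] not in seen_countries[user]:
                alerts.append(f"{user}: login from new country {e['country']} "
                              f"(seen before: {sorted(seen_countries[user])})")
            seen_countries[user].add(e["country"])
        elif e["event"] == "download":
            history = download_history[user]
            if len(history) >= min_history:  # do not alert until the baseline has enough samples
                mu, sigma = mean(history), pstdev(history)
                # max(sigma, 1.0) stops a perfectly steady history from flagging a one-file change.
                if e["files"] > mu + z_threshold * max(sigma, 1.0):
                    alerts.append(f"{user}: downloaded {e['files']} files, "
                                  f"baseline mean {mu:.2f}, sd {sigma:.2f}")
            history.append(e["files"])
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The per-user baseline is the point: 480 files is only suspicious because maria normally pulls a dozen, and the Romanian login is only suspicious because she has never logged in from anywhere but the US. dan's first login and small download produce nothing, which is the behavior you want from a detector that should not page the on-call person for every new hire.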

Wrapping Up

As a technology nonprofit, we know that there are limits to what technology can do to keep us safe. That’s why we use this multi-layered approach that includes policies, education, escalation, and technology. Staying safe is a constant balancing act, and it’s important to remember that some action is always better than no action.

 
Beyond 12 is a national nonprofit whose mission is to dramatically increase the number of first-generation, low-income, and underrepresented students who graduate from college.

As CTO & Head of Product, I’m responsible for keeping Beyond 12’s technology and data secure. One of my first steps was to implement single sign-on (SSO) and multi-factor authentication (MFA) with Okta.

What is multi-factor authentication (MFA)?

We’re all familiar with the basic process of providing our username and password to “prove” that we are who we say we are. Since usernames are typically known (i.e. not a secret), your password is the single factor that’s used to authenticate your identity. However, in today’s cybersecurity environment, a single factor alone simply can’t be trusted to secure access to sensitive data.

Multi-factor authentication requires users to provide at least two different types of evidence (“factors”) to prove their identity. For example, users may be required to provide their password (something they know) plus a temporary code generated on their phone (something they have). This increases the likelihood that the user’s account will remain secure should their password become compromised.

Should we be using MFA?

Beyond 12 needed to streamline security and IT functions in order for the organization to continue growing to scale. A near-term priority for that effort was implementing MFA. If we assume that, sooner or later, someone is going to get phished, or get malware, or encounter something that might compromise one of their work accounts, then at the very least we need to make sure that everyone has MFA enabled to mitigate those threats.

Beyond 12 is entrusted with a lot of student data through its technology products and direct-service programs. Even if we didn’t have legal requirements to protect data in certain ways, it’s still ethically the right thing to do because we care about our students and we want to make sure we’re doing right by them. That includes making sure that their data is accessible only to those who should have access to it.

Whether or not your organization manages data that is tightly regulated like education or health records, all organizations should implement MFA as a kind of digital hygiene. Down the road — as your nonprofit grows, as your business model expands, as you start to gather more data — you’ll already have the right processes in place.

Got advice for deploying MFA in my organization?

Of course, every organization is different, but one of the most important things to keep in mind when rolling out any new technology is to understand your team: how do they use technology? How do they navigate change? How might this new program affect their key workflows? Making time to think through these questions will help you design a more human-centered plan.

While it may be tempting to make piecemeal progress, be true to your security policies and plan for the long-term. If you believe that all access to sensitive data should require MFA, then start with that—even if there’s going to be a bit of staff dissent—because if you roll out SSO without MFA, and then a few months later say, ‘Now that you’ve adjusted to that change, we’re going to introduce this additional one,’ then you’ll have to deal with change management twice.

These are the basic steps that Beyond 12 took to deploy SSO and MFA.

1. Make sure all critical applications are plugged in. This may be obvious, but it serves two key purposes. First, it eases the transition for your staff, who benefit from having one place to go for everything they need to do their work. Second, putting all of your critical applications “behind the wall” ensures that all your potentially sensitive data is covered.

2. Configure groups. Most IT leaders are familiar with group- or role-based permissioning. Beyond 12 created user groups within Okta that were based on the type of applications that group members would need. For example, software development applications are available to the engineering team, and core business applications for communications and collaboration are available to all employees. Contractors and partners represent other potential groups.

3. Set policies. Okta’s adaptive multi-factor authentication gives administrators flexibility to design security policies that are right for their organization. This includes allowing a variety of factors such as passwords, push notifications, mobile tokens, biometrics, and more. It also includes the ability to enable contextual access management that takes into account the user’s device, physical location, and network information for authentication.

4. Teach your staff. Change is hard, no matter how simple or necessary. You can’t over-communicate during a transition like this. Be sure to use multiple modes to meet your colleagues where they are. For example, Beyond 12 set aside time to walk each team through the transition, set expectations, and field questions; sent detailed emails; and held internal office hours. Every organization is different, but everyone likes to be supported through change.

5. Provide (and get) ongoing support. Make sure that your team knows where they can get their questions answered when they arise. It’s also important for technology leaders to invest in their own professional development. Check for available support or training options from your vendors and make sure all staff know how to access them.

What issues came up after implementation?

Beyond 12’s rollout of SSO and MFA went smoothly, and only a couple of key questions arose soon after implementation. The first was how often users would be prompted to provide a second factor. With Okta and many other tools, this is configurable. Another issue that came up was ensuring that team members can securely work offline by providing factors that don’t require an internet connection or cell service, such as a YubiKey or a one-time-password generator (Okta offers its own, but is also compatible with others like Google Authenticator).
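To make concrete both the “something they have” factor described earlier and why a one-time-password generator works without any network connection, here is an added example (not code from the original article, Beyond 12 or Okta) of a minimal time-based OTP generator and verifier following RFC 6238. It uses only the Python standard library; the secret is the RFC’s published test value, not a real credential, and the replay guard and drift window are the checks a verifying server would want.

```python
"""Added example, not code from the original article: a minimal TOTP
generator and verifier (RFC 6238) showing how an offline "something you
have" factor works. Standard library only; the secret is the RFC test vector."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 reference secret (ASCII "12345678901234567890"), used only for the
# worked example; a real deployment provisions a random secret per user.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[int] = None, step: int = 30) -> str:
    """TOTP: HOTP with counter = unix_time // step. Needs a clock, not a network."""
    if now is None:
        now = int(time.time())
    return hotp(secret, now // step)


def verify_totp(secret: bytes, submitted: str, now: Optional[int] = None,
                step: int = 30, window: int = 1,
                last_counter: int = -1) -> Optional[int]:
    """Server-side check. Accepts the current step and +/- `window` neighbours
    (clock drift), refuses any counter already accepted (replay), and compares
    in constant time. Returns the matched counter (store it as last_counter)
    or None on failure."""
    if now is None:
        now = int(time.time())
    base = now // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_counter:
            continue  # already consumed: a code may be used once only
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; expected 6-digit code is 287082
    code = totp(DEMO_SECRET, now=t)
    used = verify_totp(DEMO_SECRET, code, now=t)                      # -> 1 (accepted)
    again = verify_totp(DEMO_SECRET, code, now=t, last_counter=used)  # -> None (replay)
    late = verify_totp(DEMO_SECRET, code, now=t + 120)                # -> None (expired)
    print(code, used, again, late)
```

The generator side (`totp`) is all an authenticator app or hardware token needs, which is why it keeps working with no connectivity; the verifier side shows why a stolen code is worthless after its window or after first use.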

What’s next?

Beyond 12 continues to partner with Okta to explore new services and functionality, including automated account provisioning/deprovisioning and custom integrations for new apps. Okta For Good provides ongoing support to nonprofits in a variety of ways including product discounts, pro bono services, and events like the Nonprofit Collaborative at Oktane (Okta’s annual user conference, which is free for nonprofits) and regional user groups specifically for nonprofits.

Privacy issues, transparency questions and data breaches from major tech companies made big headlines in 2018. As a result, many nonprofit organizations may be addressing or questioning their ethical standards and practices. Here are a few articles to help consider your own workplace technology’s power, capabilities, and consequences.

Is ethical tech a farce?

Tech nonprofits have the advantage, says Shannon Whitley of Fast Forward. “Rather than building products that satisfy animalistic behavior, from screen addiction to fear mongering, tech nonprofits are building technology to fill gaps in basic human needs—education, human rights, healthcare… Tech nonprofits are building tech products that serve customers where markets have failed.”

Where is the ethical tech?

Writer Lauren Coulman examines recent missteps of major for-profit tech companies, and shares how some tech organizations are finding ways to bake ethics into their business model. “We need to look beyond the social band-aids to how tech can enable equal opportunity and acceptance,” says Coulman.

How to survive the next era of tech

Journalist Farhad Manjoo offers advice for users of technology as he reflects on recent industry changes and what’s to come. “Before you dive into any new doodad, consider a company’s ethics, morals, branding and messaging. If you aren’t comfortable, look to alternatives.” In our rapidly-changing tech landscape, Manjoo reminds us to “just slow down.”

Restoring public trust in nonprofits

Dan Cardinali writes that some organizations’ widely-publicized misdeeds this year illustrate the need for nonprofits to preserve the public’s trust. His article includes “33 Principles for Good Governance and Ethical Practice,” and advocates for nonprofit workers to speak out against ethical violations. “Especially in this holiday season of giving, donors want assurance that their charitable contributions support worthy causes and are not being used for improper activities.”

What do you see at your nonprofit?

Interested to share your thoughts, or recommend a good read on this topic? Post your comments on ethics in nonprofit tech to our Discuss Community board, tweet us @ntenorg, and if you’re feeling particularly passionate and insightful, email editor@nten.org to submit an article. We’d love to hear from you!

As nonprofit professionals, we hear about cyberattacks and understand the importance of protecting our organizations and our clients. But what are we doing to prepare, and what is stopping us from a higher level of protection?

We wanted to find out, so together with Microsoft, we polled more than 250 community members about their cybersecurity practices. The result is the State of Nonprofit Cybersecurity report.


In this inaugural report, we examine the steps nonprofits are taking to develop secure practices around technology use in their nonprofits, and identify some areas where the sector can improve. But it isn’t just academic! We wanted to give you insights that you and your organization’s leadership can immediately use to better secure your systems and protect your data.

Some of the points covered are:

  • the policies and procedures your nonprofit has for who and how people can access your systems,
  • to what extent nonprofits are using technology to protect their systems,
  • what kind of training is offered to nonprofit staff, and
  • how nonprofit operations contribute to cybersecurity vulnerabilities.

Download the report

As laws regarding data security standards such as PCI mature, small companies and nonprofits increasingly find themselves facing complex decisions about the security measures that are right for them.

Here are some options worth considering, as well as what criteria to apply to find the best fit for your organization.

Taking control of your own security


If your nonprofit has the internal resources necessary to implement and support its own IT infrastructure, it may be preferable to host some or all of your information services internally.

As the organization grows, this is often a great option that allows you to tailor security controls specific to your needs. Security can be built in at the design phase, which makes additional measures more effective. A well-structured plan can also allow for scalability as the organization grows. Properly undertaken, hosting your own security infrastructure can be a solid fit for medium to large nonprofits.

When considering internal security designs, there are myriad options and no one perfect answer. Some options that sound cost-efficient at the start become more expensive as time goes on, while other high-cost options make more sense in the end as a company takes control of its security landscape.

Assess your security with vulnerability scans or penetration tests

A lesser-practiced but necessary element in any security program is the idea of assessment. A security assessment is a practical exercise in which existing security measures are put to the test. This is often undertaken through vulnerability scanning or manual penetration testing, or a combination of the two.

When scoping penetration tests with many new customers, we find that in the past they have paid high costs for vulnerability scans that are presented as penetration tests. Both are great tools, but you want to get what you are paying for.

Vulnerability scans use complex tools that search your network for known vulnerabilities. They sometimes report false positives, and their output can be confusing to someone who hasn’t seen it before. They are much cheaper than actual penetration tests because a tool is performing most of the work, not a person.

If your team has some knowledge of vulnerabilities and is comfortable reading these automated reports, a vulnerability scan is a lower cost option that works great for many companies.

Penetration tests often include vulnerability scans to give a penetration (or pen) tester a starting point during your test. That is where the similarity ends. A capable pen tester works with security findings daily and wields a diverse toolset specifically designed to validate the vulnerability scan findings and levy real-world attacks against systems.

Your pen tester should spend most of their time using that information as a starting point in learning the landscape of your environment so that they can test your systems manually. Automated scanners can only find so much—manual testing delves into a much deeper level and often reveals real-world dangers that scanners fail to identify.

Make sure to get information from the pen tester on the methods that will be used, the impact on end users (if any), and the estimated time for testing, as well as any meetings, interviews, or additional investigations that may be necessary as part of their service.

A good penetration test report will be highly applicable and much more understandable than a vulnerability scan report. Reports vary widely between different companies, and it is well within your rights to ask for sample reports when shopping for a penetration testing company. In the end, when the test is done, you will be left with a report that you will likely show to management and technical staff as well as vendors. Look for a report that caters to the interests of all stakeholders and can be understood by non-technical staff as well as diving into the technical details so that your employees know where to start fixing the issues.

Vulnerability scans and penetration tests are both great tools, and either may be right for your company. Take the time to know what you’re paying for and start with an option that fits best for you.

Tools vs. services

Before moving on from assessment, it’s important to note that your company can run its own vulnerability scans. There are some free scanners that do an okay job, and there are a number of expensive scanners that do a great job. The expensive scanners are likely the ones used when you pay for an outside party to perform your vulnerability scan, and it is a great idea to ask what scanners they use. A few popular free-to-try (and fee-based for licensed use) scanners are available through websites like Solarwinds or Rapid7. There are many other open-source or OS-based tools available, as well.

If you decide to use vulnerability scanning tools yourself instead of hiring a third party, keep in mind that you may need to hire and train staff to support the tools. All of these tools are complex and may require customization to adapt them to the needs of your environment.

As with general security infrastructure, keeping this functionality in-house adds flexibility and allows you to apply the tools where most appropriate. Just remember that maintaining an in-house vulnerability scanning solution incurs additional ongoing costs in licensing, staffing, and infrastructure.

Let someone else do it for you

Now that we’ve discussed the nitty-gritty of security options, it is important to mention that many nonprofits enjoy the advantages of outsourcing the complexities of handling sensitive data to specialists. There are numerous companies that host and maintain websites and databases as well as those that process payment data without it ever coming in contact with your systems. The line-item costs of outsourcing can be offset by not needing to hire highly skilled employees or to invest in the infrastructure necessary to provide adequate security measures. Lower management burden and ease of planning make this approach particularly appealing to smaller nonprofit organizations.

Informed research is a critical part of choosing a security vendor. Look for companies that go beyond just services by choosing a provider that understands your organization’s needs and can provide a clear path to help you reach your goals for greater network security. Security is an ongoing process; a trusted partner can help you navigate difficult waters that might fall outside formal product offerings.

At Raxis, for example, we provide a formal document attesting that companies have performed a third-party penetration test and have remediated all findings. Such attestation letters show that the organization approaches security proactively and that they are willing to allow an outside party to verify their security posture. We recommend asking potential vendors if they can provide a letter of attestation. Your search for the right vendor might also be better informed by asking for feedback from a few of the security company’s current clients.

Consider strategic growth in your security investments. It is more cost effective in the long run to plan for growth than to react to it. This is especially true in something like security, where the intermingling of disparate technologies is common. Managed service offerings such as network and web application firewalls, for example, may appear to be over and above the expected costs, but an undersized solution will incur greater expense through maintenance than one that was planned to accommodate growth over time.

Making the decision

There are endless options to consider when designing a security program. Security needs and budgets often play conflicting roles in the decision-making process. A good starting point is to work with the different parties involved (network administrators, developers, physical security teams, etc.) to build a list of goals.

Take your time researching the companies that provide the services or tools that you are interested in. Reputable companies will want to work with you to scope a meaningful engagement that fits your budget needs. If they can’t meet your needs, good companies will make that clear from the start.