
Fraud happens. We know it does. Though not inevitable like death and taxes, fraud is something Americans have come to expect. It shows up in the news almost daily; most heartbreaking of all is news of embezzlement or fraud at nonprofit organizations.

Fraud is pervasive. According to the key findings and highlights of the 2012 Report to the Nations from the Association of Certified Fraud Examiners (ACFE), the typical organization is estimated to lose 5% of its revenues to fraud each year.

Despite their honorable missions and dedication to helping others, nonprofit organizations are not immune to occupational fraud.

In an economic climate that makes every dollar precious, no nonprofit wants to lose 5% of its annual revenue to fraud. But while few organizations can be as secure as Fort Knox, there are some concrete precautions every nonprofit can take to safeguard against fraud.

The Importance of Securing the Perimeter

Fraud is a possibility wherever sensitive information changes hands. This may be at an external gateway along your security fence, such as when a donor makes a contribution, when vendors are paid, or when communicating with donors and members or with banks and other financial service providers. Weaknesses may also occur at internal checkpoints such as internal emails or information exchange. Here are four recommended precautions:

  1. Automate all donor or member payments. Not only does payment automation protect employees but it also creates a record of the transaction that can be verified if needed.
  2. Create controls for checks and Automated Clearinghouse (ACH) payments. Organizations with satellite chapters which pay bills and create relationships with vendors independent of the parent organization will want to establish guidelines for how those payments are made. In all chapter organizations, it is important to create check authorization procedures but particularly in organizations that are run by volunteers. These guidelines could include:
    • Limiting the number of chapter members who have authorized access to the chapter’s accounts.
    • Requiring multiple approvals for payments made by check.
    • Blocking ACH payments – this lets the chapter’s bank know that electronic payments made using the bank routing number and the chapter’s account number are unauthorized.
    • Using a prepaid debit card to make vendor payments – this eliminates the need to store physical checks, and pass checkbooks from one volunteer to another. It prevents the account from being inadvertently overdrawn as the funds on the card are preloaded and authorized.
  3. Establish rules for communicating and storing sensitive information. While these rules may seem overly protective to some, put these in the better-safe-than-sorry category and implement them across your organization.
    • Never send passwords via email internally or externally – this includes login and password information for internal databases and accounts as well as external logins to online grant applications, data storage sites or even social media pages.
    • Use https websites only for sensitive information. Hypertext Transfer Protocol Secure (https) is Hypertext Transfer Protocol (http) carried over an encrypted connection (SSL), and it should always be present when making payment transactions via the Internet or when communicating other sensitive information. If the address shown in your browser begins with “https”, you know the connection to that site is encrypted.
    • Periodically, clean house – shred sensitive documents that are no longer needed and close unused accounts.
    • Regularly change passwords – set up a password change or refresh schedule and always change passwords on accounts when key personnel leave the organization.
      • Note: The Payment Card Industry (PCI) Security Standards Council offers a password policy framework in its Data Security Standard v2.0. These guidelines address password refresh frequency, length, complexity and other essential password policy components.
  4. Develop a system for investigating irregularities. How would you respond to a donor who believes his/her credit card information was stolen after making a contribution through your nonprofit’s website?
    • Create a security SWAT team: a small, cross-functional group of top management that includes IT and accounting.
    • Make investigating irregularities the team’s top priority – nonprofits are under greater scrutiny than ever to cross every T and dot every I.
    • Let the donor, member or vendor know you will stop at nothing to understand what has occurred and correct it if possible.
    • Talk to credit card companies and banks, and document every conversation.
    • Obtain a copy of the police report if the donor or member has filed one.
    • Even if the fraud has not occurred through your organization, help the donor find out where the fraudulent charges may have come from by tracking any delivery address or email address associated with unauthorized purchases.
    • Follow up with the donor or member to mend any fences once the issue has been resolved.

Checking the Locks

What’s your most precious information asset? Is it your donor or member database, your accounting software, your clients’ records? Once upon a time, this information might have been safely locked in your desk drawer. While computers and web connections have given us dramatic advances in productivity and communication, they have also made it necessary for organizations to change the way they protect their assets.

Here are a few cyber deadbolts for you to consider:

  1. Secure your network – The Data Breach Investigations Report (DBIR) recommends that organizations install and maintain a firewall configuration to protect their systems, then use and regularly update anti-virus software.
  2. Monitor access – This includes changing default logins for newly installed systems, ensuring that every computer user has a unique login ID and password, and reviewing user information to ensure all current users are valid employees or volunteers.
  3. Achieve PCI compliance – The DBIR found that 96 percent of record breaches involved credit card numbers/data. If you are handling donor or member credit card numbers, your organization should be certified as PCI compliant. Learn more at www.pcisecuritystandards.org. Keep in mind that compliance is an ongoing process, not a one-time event.
  4. Secure personal information – TRUSTe is an independent, nonprofit organization enabling trust-based privacy for personal information on the Internet. TRUSTe or another privacy provider can help you ensure that website privacy and email policies provide protection to donors, members, volunteers and employees. Learn more at www.truste.com.
  5. Protect transactions – Secure Sockets Layer (SSL) technology encrypts information sent over the Internet between your organization and anyone who uses your website for online transactions. VeriSign is one of the most commonly used SSL Certificate providers. Learn more at www.verisign.com.
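The access-review item above (monitor access: change default logins, give every user a unique login, and confirm that every current user is a valid employee or volunteer) and the password-refresh bullets under item 3 of the previous section can be turned into a routine check. The script below is an added example; it is not from the article or from any organization it names. The account export, the roster, the list of default logins and the 90-day refresh interval are all constructed or assumed for illustration (90 days is the interval I recall from PCI DSS v2.0 requirement 8.5.9; substitute whatever your own policy says).

```python
"""Account hygiene review for a small organization (added example, not from the
original article). It checks an exported account list against the current
roster of staff and volunteers and flags the problems the article names:
default logins still enabled, logins not tied to a current person, one login
shared by several people, and passwords past their refresh date.

The account records, the roster, the refresh interval and the list of default
account names are constructed/assumed for this example; a real review would
read the export from the system being reviewed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Default logins that ship with common systems; any of these still enabled is a
# finding (assumed list, illustrative rather than exhaustive).
DEFAULT_LOGINS = {"admin", "administrator", "root", "guest", "test"}

# Refresh interval assumed here (90 days as I recall from PCI DSS v2.0 req 8.5.9).
MAX_PASSWORD_AGE = timedelta(days=90)


@dataclass
class Account:
    login: str
    owner: str          # person the login is assigned to ("" if unknown)
    enabled: bool
    password_set: date  # date the password was last changed


def review_accounts(accounts, roster, today, max_age=MAX_PASSWORD_AGE):
    """Return a dict of finding type -> sorted list of logins with that finding.

    Disabled accounts are skipped; everything else is checked against the
    roster, the default-login list and the password refresh interval.
    """
    roster = set(roster)
    findings = {"default_login": [], "not_on_roster": [],
                "shared_login": [], "password_stale": []}
    owners_by_login = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        owners_by_login.setdefault(acct.login, set()).add(acct.owner)
        if acct.login.lower() in DEFAULT_LOGINS:
            findings["default_login"].append(acct.login)
        if acct.owner not in roster:
            findings["not_on_roster"].append(acct.login)
        if today - acct.password_set > max_age:
            findings["password_stale"].append(acct.login)
    # A login assigned to more than one person is a shared login.
    for login, owners in owners_by_login.items():
        if len(owners) > 1:
            findings["shared_login"].append(login)
    return {k: sorted(set(v)) for k, v in findings.items()}


# Constructed sample data: the roster of current people and an account export.
ROSTER = ["alice", "bob", "carol"]
TODAY = date(2012, 10, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", True, date(2012, 8, 15)),
    Account("bob", "bob", True, date(2012, 5, 1)),        # password older than 90 days
    Account("dave", "dave", True, date(2012, 9, 1)),      # dave has left; not on roster
    Account("admin", "", True, date(2011, 1, 1)),         # default login, no owner, stale
    Account("chapter", "bob", True, date(2012, 9, 20)),   # one login used by two people
    Account("chapter", "carol", True, date(2012, 9, 20)),
    Account("erin", "erin", False, date(2010, 1, 1)),     # disabled, so ignored
]


def sample_review():
    """Run the review over the constructed sample data."""
    return review_accounts(SAMPLE_ACCOUNTS, ROSTER, TODAY)


if __name__ == "__main__":
    for kind, logins in sample_review().items():
        print(f"{kind}: {', '.join(logins) or 'none'}")
```

Run it against a real export by replacing SAMPLE_ACCOUNTS and ROSTER with data read from your systems; the four finding lists are what the review meeting should work through, and the "not_on_roster" list is the one to check first whenever someone leaves the organization.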

This article is published as part of NTEN’s Member Appreciation Month.

A recent NTEN survey of 780 nonprofits revealed that 91% of respondents are using some sort of hosted software. In fact, almost 80% are using multiple cloud-based solutions. However, according to NTEN’s report, “the feature-set, ease of use and cost over time” were more important to them than whether or not a solution was cloud-based.

These advantages are precisely why the Cloud is generating a lot of excitement in the nonprofit world these days. Remote access, reduced operating expenses, and less maintenance enable nonprofits to cut costs, operate more efficiently and devote more time and money to their core mission. Some organizations have moved their entire IT infrastructure to the Cloud with dramatic results.

No doubt as word about the benefits of cloud computing for nonprofits continues to filter out, more and more organizations will make the leap. But, newcomers need to be aware of the potential hazards.

There are several reasons why you should approach the Cloud with caution:

  • Security – Security is a top concern of Cloud users – and rightly so. Here’s why:
    • Reliability of access – Network availability is an issue; outages do happen whether it’s the vendor’s fault or Mother Nature’s. Moreover, organizations based in areas where Internet access is slow or unreliable should keep critical applications in-house.
    • Device security – Employees lose mobile devices and fail to use strong passwords; therefore, regularly updating anti-malware and antivirus definitions, and installing patches and updates in a timely manner, is critical.
    • Data integrity – Potential problems that affect the integrity of an organization’s data include corruption, misplacement, accidental deletion, physical accidents, malicious acts, hardware failures and a lack of proper user access policies. The importance of backing up your data can’t be overstated. Not only should the vendor perform regular back-ups, you should back up your data regularly as well. That way, if something happens to your data while it’s on the vendor’s network, you have another copy somewhere else.
    • Privacy & confidentiality of data – Data is vulnerable while traveling across the Internet, and once in the hands of the cloud service provider it has to be kept separate from other organizations’ data. Reliable methods for proving the identity of users (called “authentication”) are also extremely important. It’s up to you to make sure that your cloud service provider has adequate safeguards in place to protect critical applications and sensitive data in case of hardware failures, natural disasters, cyber crime or data breaches.
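The data-integrity bullet above says to keep your own copy of data that lives on the vendor’s network. A copy is only useful if you can tell that it is complete and unaltered, so here is an added example (not from the article or from NTEN) that records a SHA-256 manifest of an export and checks an independent copy against it, reporting files that went missing, changed, or appeared unexpectedly. The directory names and file contents are constructed in a temporary folder so the example runs offline.

```python
"""Backup integrity check (added example, not from the original article).
Builds a manifest of SHA-256 digests for a directory of data exported from a
cloud vendor, then verifies an independent copy against that manifest and
reports files that are missing, modified or extra. The directories and their
contents are constructed in a temporary folder so the example runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large exports are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX style) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_copy(manifest, copy_root):
    """Compare a copy against a manifest.

    Returns a dict with sorted lists of missing, modified and extra paths and an
    'ok' flag that is True only when the copy matches the manifest exactly.
    """
    current = build_manifest(copy_root)
    missing = sorted(p for p in manifest if p not in current)
    modified = sorted(p for p in manifest
                      if p in current and current[p] != manifest[p])
    extra = sorted(p for p in current if p not in manifest)
    return {"missing": missing, "modified": modified, "extra": extra,
            "ok": not (missing or modified or extra)}


def _write(root, rel, data):
    """Helper for the constructed scenario: write bytes to root/rel."""
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo():
    """Constructed scenario: a vendor export and an off-site copy that drifted."""
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "export"
        copy = Path(tmp) / "offsite_copy"
        # The export as downloaded from the vendor (constructed sample data).
        _write(export, "donors.csv", b"id,name\n1,Pat\n2,Sam\n")
        _write(export, "accounting/ledger.csv", b"date,amount\n2012-09-01,100\n")
        _write(export, "notes.txt", b"board minutes\n")
        manifest = build_manifest(export)
        # The copy: ledger corrupted, notes.txt lost, an unexpected file present.
        _write(copy, "donors.csv", b"id,name\n1,Pat\n2,Sam\n")
        _write(copy, "accounting/ledger.csv", b"date,amount\n2012-09-01,10\n")
        _write(copy, "stray.tmp", b"")
        return verify_copy(manifest, copy)


if __name__ == "__main__":
    result = demo()
    for kind in ("missing", "modified", "extra"):
        print(f"{kind}: {result[kind] or 'none'}")
    print("copy matches export:", result["ok"])
```

In practice, build the manifest at the moment you take the export, store it with the copy, and re-run verify_copy on a schedule; a manifest mismatch is the signal to investigate before you need the backup, rather than after.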

Security concerns, specifically someone gaining unauthorized access to sensitive data and reliability of access, were top concerns of the participants in NTEN’s survey. However, as the report points out, your data’s at no greater risk in the Cloud than it is when it’s stored on a local machine connected to the Internet, as long as the vendor has the proper security measures in place.

There are three keys to keeping your data secure in the Cloud:

  • Verify the vendor’s security policies and procedures – Confirm that they use the latest security technology and also that they conduct background checks on their employees and enforce their own internal security policies.
  • Negotiate a solid Service Level Agreement (SLA) – SLAs should spell out who is responsible for what (like regulatory compliance or backing up data, for example) and guarantee network uptime and support response times. They should also state what steps the company will take if your data is compromised while it’s on their network.
  • Validate security measures – If possible, work the ability to conduct security audits or make site visits into the contract.

  • Compliance – Even though the cloud computing vendor is managing your applications and data, you’re still responsible for making sure both you and they are compliant with any regulations governing your industry’s handling of data, including privacy and data retention, notification of breaches, etc. If your institution must be HIPAA- or PCI-compliant, then your vendor must be, too. Verify that they are certified to handle such data.
  • Hidden costs – One of the main reasons nonprofits turn to cloud computing is to save money. However, many find there are hidden costs they didn’t account for during the planning process. Sometimes, cloud service providers charge initial set-up fees or for transferring data to their servers. They might also charge recurring fees for data transfers or storage. In most cases, these fees won’t be enough to keep you from using a cloud service, but you still have to account for the extra cost in your budget so there are no surprises when you get the bill.

In spite of these risks, it is possible to migrate to the Cloud successfully. Many institutions turned to cloud computing as a way to survive when the economy tanked and giving plummeted. Here are a few nonprofits whose moves to the Cloud were hugely successful:

  • Metanexus Institute – In a February 2011 article on The Chronicle of Philanthropy’s website, William Grassie, founding executive director of the nonprofit that works to “promote interaction between religion and science,” detailed the organization’s a-la-carte approach to adopting cloud technology. The institute started using eight different cloud-based services for everything from email to payment processing and cut an astounding $176,000 from its annual budget.
  • Seattle Works – One of three winners in 2011 of the Tech for Good contest sponsored by Microsoft and TechSoup, the nonprofit down-sized its physical office space and added virtual office space with Microsoft’s Business Productivity Online Suite (BPOS). The organization, which connects young adults with volunteer opportunities in the community, reduced its operating expenses by $20,000 – at the same time it expanded its number of volunteers, volunteer hours, and programs.
  • 350.org – This group’s achievement is not centered on how much it saved by moving to the Cloud, but rather the exciting part is how cloud computing enables them to live their mission – solving the global climate crisis by reducing CO2 emissions. Thousands of volunteers and 40 employees based in more than 188 countries around the world work on laptops with an Internet connection from wherever they are – they only have 3 physical offices. According to a recent profile of the organization on The TechSoup Blog, their “IT budget mainly pays for monthly cloud service fees and Internet service provider charges.” A “web team” of four oversees its website and cloud services – which it uses for pretty much everything including: online advocacy, fundraising, managing their supporter database, email blasts and donations (ActionKit); video chat (Skype), office productivity (Google Apps), file sharing (Box.net), internal communications and collaboration (Yammer); and social media engagement (Twitter).

Cloud computing can be a boon for nonprofits when it’s brought online just as any other IT system would be – with careful thought and planning. As the Metanexus Institute, Seattle Works, and 350.org have demonstrated, all it takes to benefit from cloud computing is a willingness to think outside the box.