Maybe you think you do not need security measures. Isn’t that something that governments take care of? Isn’t that very complicated and expensive? To be honest, yes, it may be very expensive and complicated if you work on a highly sensitive issue and need to protect the identities of your team and the people you work for. But if you are a standard nonprofit, this is not super-complicated and not very expensive at all. And since the government is not taking care of this for you, it is something you need to set up yourself. Something you need to make sure your team implements every day – in everything. You can make your security measures as extensive as you want, but here are my three tips for basic security measures you should put in place today.
Maybe the word measure sounds like you need to undertake a huge activity. No. Read my tips below; they are simple to implement. Still, I know that many nonprofits do not apply them, because they think it is complicated and because any new routine feels like a burden. Nevertheless, I urge you to push your team on this. You can formalize your approach by writing it down as a security policy and by referencing it in your contracts and personnel guide. And yes, a policy can start with just the three simple measures below. You can add to it as you go along and discover new actions that are needed.
So, let me get back to the why. Why bother? Because all of you hold information that you do not want to share publicly, because doing so could harm your operations, your team, your target group or your organization’s image. For instance, what if someone outside your organization could access your bookkeeping software? They could find out private information about your team’s salaries. Or if someone could access your MailChimp account and download the e-mail addresses of your individual donors? Or if someone could find out the names of the victims of domestic abuse that you are supporting? That would of course be harmful to these persons, and your organization would no longer feel safe to this vulnerable target group. On top of that, it would very likely constitute a breach of local personal data protection legislation, like the GDPR in Europe. You probably hold a lot more private information, or information that you would like to keep private at any rate, than you are aware of.
Tip 0 – raise awareness
I would recommend that you brainstorm with your team to inventory all accounts your organization has, who has access to each of them, and all types of information you collect and store. Then imagine that someone from outside the team gained access to this information. What if they had bad intentions: what harm could they do to your operations, your team, your target group, your organization’s image? Security people call this exercise a threat model; you can call it common sense. I bet it will help you and the team understand the need for some level of security measures.
So here are my 3 tips for basic security measures you should put in place today:
Tip 1 – use software to keep your passwords safe
Make sure no one in your team saves passwords for any of your organization’s accounts in their browser. It is very tempting, as most browsers kindly offer to save your password for easy login next time. Easy login, that is, for anyone who gets hold of that laptop or that browser profile. Not very reassuring after all. There are quite a few tools that can keep your passwords safe. I myself use LastPass for this. You can have a free account for individual use or a paid account for a low monthly amount; a paid account allows you to share passwords safely among your team, and to take that access away again when someone leaves. LastPass also generates long random passwords that are practically impossible to guess, so every account can have its own and a leak at one service no longer opens all the others. Two things to get right when you adopt any password manager: choose a long master passphrase that you use nowhere else, and turn on two-factor authentication for the manager itself and for every account that offers it (your e-mail first).
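What “practically impossible to guess” means in numbers. The following is an added example and not part of the original post or of LastPass: it generates passwords the way a password manager does, using the operating system’s cryptographic random source rather than an ordinary random function, and works out how long an attacker would need to try every possibility. The word list is a constructed stand-in for a real Diceware-style list, and the guess rate is an assumption stated in the code.

```python
import math
import secrets
import string

# Characters a password manager's generator typically draws from:
# 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real word list (a real Diceware list has 7776 words;
# the entropy figures below use the actual size of whatever list is passed in).
WORDS = ["anchor", "bridge", "candle", "desert", "ember", "forest", "garden",
         "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nickel",
         "orbit", "pepper"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=20, alphabet=ALPHABET):
    """Pick each character independently with secrets.choice.

    random.choice would be wrong here: Python's default random module is a
    Mersenne Twister whose output is predictable once a few values are seen.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=WORDS, count=5, separator="-"):
    """Diceware-style passphrase: a few random words, easier to type than 20 symbols."""
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size).

    This only holds for randomly generated secrets. A human-chosen password like
    'Summer2024!' uses the same character set but has far fewer effective bits,
    because attackers try the common patterns first.
    """
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try every possibility at the given guess rate.

    10 billion guesses per second is an assumed figure for an offline attack on a
    fast hash with several GPUs; online login forms allow far fewer.
    """
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for label, secret, bits in [
        ("8 lowercase letters", generate_password(8, string.ascii_lowercase),
         entropy_bits(8, 26)),
        ("20 mixed symbols", generate_password(20), entropy_bits(20, len(ALPHABET))),
        ("5 words from this list", generate_passphrase(), entropy_bits(5, len(WORDS))),
    ]:
        print(f"{label:24} {secret!r:32} {bits:6.1f} bits, "
              f"{years_to_exhaust(bits):.3g} years to exhaust")
```

Run it and compare the rows: eight lowercase letters fall in well under a second, twenty random symbols from the full set exceed 128 bits and outlast the universe, and the short sixteen-word list shows why a passphrase only helps when it is drawn from a large list.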
Tip 2 – use e-mail addresses under your own web domain
If you have a website, you have the possibility to create e-mail addresses under your web domain (addresses that look like email@example.com, with the same name after the @ as your web domain). The security benefit is ownership and control: the organization, not an individual, decides who gets an address, can reset a password or close an account the day a person leaves, and keeps the correspondence. With a staff member’s private Yahoo or Hotmail box you control none of that. Note that hosting the mailboxes on the same shared server as your website is not by itself safer than a large provider; a small web host is often less well protected. The point is the domain, not the server, so it is perfectly fine to point your domain’s mail at a reputable business e-mail service and turn on two-factor authentication there. Owning the domain also makes you responsible for it: publish SPF and DMARC records in its DNS so that others cannot easily send mail pretending to come from you. Added value is that it of course looks much more professional to mail from your own domain than from some Hotmail account. And if you create functional accounts (info@, director@, finance@, etc.), any successor to a position has access to all business correspondence and the e-mail address book from the start, without any added action needed!
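Once the domain is yours, the two DNS records that stop strangers from sending mail in your name are SPF (which servers may send for the domain) and DMARC (what receivers should do with mail that fails the check). The following is an added example, not part of the original post: a small checker that reads the text of those two records and flags the settings that leave the domain open. The records in it are constructed; in practice you would fetch the real ones with the dig command (dig TXT example.org and dig TXT _dmarc.example.org) and paste them in. The finding codes are this example’s own names, not standard terms.

```python
# Constructed records (example domains), not taken from any real organization.
SPF_WEAK = "v=spf1 include:_spf.mailhost.example +all"
SPF_GOOD = "v=spf1 include:_spf.mailhost.example -all"
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org"


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism) pairs.

    Qualifiers: '+' pass (the default), '-' fail, '~' softfail, '?' neutral.
    Returns None if the record is not an SPF record at all.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanisms.append((qualifier, term.lower()))
    return mechanisms


def check_spf(record):
    """Return finding codes for an SPF record ([] means nothing to complain about)."""
    mechanisms = parse_spf(record) if record else None
    if mechanisms is None:
        return ["spf-missing"]
    findings = []
    # 'all' matches every sender, so evaluation stops at the first one seen;
    # its qualifier is the domain's verdict for servers not listed before it.
    default = next((q for q, m in mechanisms if m == "all"), None)
    if default is None:
        findings.append("spf-no-all")              # unlisted senders get 'neutral'
    elif default == "+":
        findings.append("spf-allows-any-sender")   # '+all': anyone may send as you
    elif default == "?":
        findings.append("spf-neutral")
    elif default == "~":
        findings.append("spf-softfail")            # fine while rolling out, then move to -all
    if any(m == "ptr" or m.startswith("ptr:") for _, m in mechanisms):
        findings.append("spf-uses-ptr")            # discouraged by RFC 7208: slow and unreliable
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; None if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def check_dmarc(record):
    """Return finding codes for the _dmarc TXT record."""
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return ["dmarc-missing"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("dmarc-policy-none")       # monitoring only; spoofed mail is still delivered
    elif policy not in ("quarantine", "reject"):
        findings.append("dmarc-invalid-policy")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("dmarc-partial-pct")       # policy applied to only part of the mail
    if "rua" not in tags:
        findings.append("dmarc-no-reports")        # you will never learn who is spoofing you
    return findings


if __name__ == "__main__":
    for name, spf, dmarc in [("weak", SPF_WEAK, DMARC_WEAK), ("good", SPF_GOOD, DMARC_GOOD)]:
        print(name, check_spf(spf), check_dmarc(dmarc))
```

The weak pair is what a domain often looks like when the web host set it up by default: the SPF record ends in +all, which authorizes every server on the internet, and the DMARC policy of none only asks for reports. The good pair names the one mail service allowed to send, fails everything else, and tells receivers to reject forgeries.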
Tip 3 – use a shared drive system for your files
Instead of saving documents on personal laptops, or keeping them inside personal mailboxes, make it a routine to store documents on a shared drive (and to delete them from the e-mail once they are there). This way, everyone in the team who needs to work with certain documents can access them, and a lost laptop or a departed colleague’s mailbox no longer takes the only copy with it. In any serious shared drive system you can also differentiate access, so that some folders are invisible to people who have no business there. For instance, sensitive financial information or personal data about your staff can be made accessible to the director, finance manager and HR manager only. Give each folder to the smallest group that needs it, grant access to roles or groups rather than to named individuals where the system allows it, and check once in a while who can still see what; a folder shared with “anyone with the link” is effectively public. All mainstream systems can do this. If you have Office 365 you can use SharePoint, for example. If you are looking for a way to share documents securely with external parties, you could for instance use Nextcloud.
You have probably heard that for security reasons you must create new passwords every quarter. Current guidance no longer asks for that: forced rotation on a schedule tends to produce weaker, predictable passwords (Summer2023! becomes Autumn2023!), so NIST’s password guidance (SP 800-63B) advises changing a password when there is reason to think it has been exposed, not on a calendar. What does deserve a quarterly slot is a security check-up, and my bonus tip to make that a routine is to plan time in your calendar for it. Use your electronic calendar to schedule a recurring event every quarter, for the next two years, and invite all your team members so that everyone is reminded in time. In that hour: remove access for people who have left, check who can see which folders in the shared drive and in the password manager, turn on two-factor authentication wherever it is still off, and change any password that was shared outside the manager, is reused across accounts, or belongs to an account a departing colleague had access to. Since you will all be using LastPass by then, replacing a password is no longer a new thing to remember or store; the manager generates and keeps it for you.
Want to know more and ask questions?
If you want to discuss this more – jump into the Facebook group and get input from a wide range of peers and from myself!
Here is how you can join my free Facebook group
You can join my free Facebook group how to become a professional and resilient nonprofit with Suzanne Bakker here. In this group we will create a safe space for open exchange and discussion on potentially sensitive topics like boards, nonprofit management, fundraising, etc.