By: Peter Buttler

A big misconception of many nonprofit startups is that cyber security is a persevere of only well-established major organizations or firms. In fact, this is further from the truth. Startups require more security measures right from its inception because cyber criminals are more inclined towards grassroot organizations, as they are typically easier targets than large enterprises.

This article will cover why online security is essential for nonprofit organizations and what security measures they can take for data privacy and security.

Why Online Security Is Important for Nonprofit organizations

Nonprofits collect a lot of data - from donation forms, research surveys, meeting records, mailing lists, to audio/video recordings.  And without proper protection, your data is not only open to cyber criminals, but also to government surveillance and corporate hacks. Therefore, the more data you gather, the more it becomes a necessity to manage it safely.

Nonprofit organizations collect data that may range from contact information (e.g., address, phone) to sensitive and personal information (e.g., background information, medical history, orientation, etc.) of high profile people such as political figures, risk exposed refugees, people experiencing homelessness or those escaping domestic violence. 

In addition, nonprofits that conduct commercial activity needs to comply with PIPEDA (Personal Information Protection and Electronic Documents Act), Canada's privacy law that deals with data privacy. While PIPEDA only applies to commercial activities and even though most of the nonprofit’s activities are non-commercial in nature, the law still applies to a nonprofit organization whenever it conducts commercial activity. There are also four provincial privacy laws that apply to nonprofits: British Columbia’s Personal Information Protection Act, Alberta’s Personal Information Protection Act, Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector, and Ontario’s Personal Health Information Protection Act.

As you can see, nonprofit organizations have a responsibility to protect the privacy, integrity, and safety of the groups they serve i.e. the donors/funders that support their cause.

Key Threat Models to Watch Out For

Unauthorized Stakeholders

Government Surveillance

Governments intelligence collects data from all around the world either deliberately or indiscriminately in the form of metadata. Governments actively monitor social media and can request and receive data related to specific people.

This threat model is significant for organizations that deals with refugees, activists from different countries with poor human rights records, or are heavily involved in political activities such as protests, banner drops, etc.

Corporate Information Collection

This refers to the mass collections of data by social services e.g. Google, Amazon, and Facebook. These platforms collect data and metadata related to the organizations and may use it or share it with third parties for targeted advertising.

Large organizations may conduct surveillance on activists who might threaten their interests. For example, environmental activists that were spied on by large oil and gas companies.

Malware Attacks

Malware attacks are when hostile or intrusive software are used to hack into your nonprofit’s digital properties, such as emails, websites, or social media accounts. These attacks can vary from data snooping to a large data breach.

Physical Risks

Physical security risks are often overlooked as a threat model. A common example is leaving a password of your computer on sticky notes. Anyone with physical access can instantly log in to your computer containing sensitive information.

Nonprofit sharing an office building, or co-working space should be especially vigilant in guarding against physical risks, as it’s difficult to monitor people's access at their workplace.

Security Measures for Nonprofits

Password Management

Setting up strong passwords wherever possible is fundamental and an absolute must. A password should be at least 12 characters long and must include letters (Upper and lowercase), numbers, and special characters. If it seems overwhelming, you can use a password manager (e.g. LastPass, KeePass, Passpack)  that stores and encrypt your passwords with a master password.

User Access Management

Nonprofits should have a system which could segregate user roles within the organization and control user access depending on those roles. For example, user roles at a social service nonprofit might include:

1. Administrative staff
2. Marketing and outreach
3. Senior administrative staff
4. Case workers

In such scenario, case workers would need access to client case files and personal information   That administrative and marketing staff wouldn't need access to, whereas, senior administrative staff needs access to financial documents that others may not need.

A nonprofit should set user roles that suit them best. The decisions should be documented and frequently reviewed to ensure relevance. Once decided, you can manage the information privileges according to roles that are assigned. Google Apps, Microsoft’s Office 365 or other cloud productivity suites can set up these roles easily.

Efficient Computer Use

Good security practices develop good organizational security. Nonprofits can train their staff to follow these best practices:

1. Keep operating systems and applications regularly updated
2. Use Antivirus, Malware, and Firewall software, such as Bitdefender or Symantec
3. Password protect your computer, especially when you work in a shared office
4. Always use an email provider that offers Secure Sockets Layer (SSL), e.g., websites with a green lock icon appearing in the address bar means that a website is on SSL
5. Don't use any unknown USBs since USBs keys can potentially carry malware. Only use USBs given by someone you trust
6. Be wary of phishing emails and reread/recheck links before clicking (Authentic websites never asks for the personal information unless you ask them)
7. Avoid pirated or cracked copies of any software

Mobile Devices

Mobile devices, such as smartphones, tablets, and other portable devices, has become common in the workplace, especially with the rise of BYOD (Bring Your Own Device). While mobile devices offer a lot of flexibility for staff, it is also a source of sensitive information and can be vulnerable to hacks, especially on unsecured public networks. You can improve your mobile devices’ security by:

1. Updating the operating system of your mobile device
2. Making frequent encrypted backups
3. Using strong passwords or use complex pattern codes
4. Checking for permissions before allowing apps to access your device
5. Disabling ad-tracking
6. Using a secure VPN when connecting to public Wi-Fi networks
7. Using encrypted messaging services such as Signal, Telegram, WhatsApp, Threema, etc.

Cloud Office Suites (Google For Nonprofits and/or Office 365)

Google for Nonprofits and Microsoft’s Office 365 Nonprofit productivity suite are advantageous for many nonprofits, especially since they’re free.

However, many organizations do not properly utilize user privileges when using apps like Docs, Sheets, Forms and email. Here are some tips to maintain control:

1. Before you use any cloud office suite (Google Apps or Office 365), define user roles and access permissions first before working
2. Check who has access to your spreadsheets and documents, and which users can grant access to your files
3. Remember to revoke access to old projects for departed staff, and external contractors once their contribution is finished

Cloud Storage

If you are moving your storage to the cloud, make sure to select a cloud storage provider that has data centres in Canada. Selecting a cloud provider that uses data centres outside of Canada makes it susceptible to government spying and hacks. For example, Britain's Government Communications Headquarters (GCHQ) taps directly into global internet communications and shares this information with its  American counterpart, the National Security Agency (NSA).

Regular Backups

To keep data secure, always keep at least two back-ups (encrypted and password protected) copies of all your databases. It’s recommended to make this a regular practice by setting up backup days. Remember, according to ExtremeTech’s article on “How long do hard drives actually live for?”, 20 percent of hard disks fail in the first four years.

Where To Learn More?

Canada has a thriving culture of data privacy rights and online safety; You can also follow encryption guides for improving digital security and communicate safely. There are many sources to help you learn more. Electronic Frontier Canada (EFC) and Online Rights Canada (ORC) are doing excellent work and run regular training sessions.

About the Author

Peter Buttler is a Professional Security Expert and Lecturer. He serves as a Digital Content Editor for various security organizations. While writing, he likes to emphasize on recent security trends. You can follow him on Twitter.