These days nonprofits leverage the web for a huge variety of mission-critical activities from fundraising to engaging with program participants. While a lot of opportunities exist online to further a nonprofit's mission, the modern internet landscape can be a very dangerous place. Bots scanning for website vulnerabilities, hackers attempting to steal data, and malicious programs all threaten to harm nonprofits' online assets. Keep reading to learn our best practices for online security and learn more about how ArcStone keeps our clients safe from online threats.
How to Approach Online Security
Having great online security requires policies, procedures, and tools that cover a wide range of a nonprofit's operations. Security is also a highly technical subject that many nonprofits struggle with due to the lack of technical staff and know-how. For our clients, we offer advice, tools, and support to help safeguard their online presence, but security is also a human endeavor requiring discipline around daily practices.
The Human Factor
Even one careless individual can cause great harm to a nonprofit's online security, so first let's cover what staff need to do to help safeguard your organization's online assets. It's also important to realize that each staff member's technical knowledge and ability vary greatly, so providing training and guidance is critical. Human security concerns usually fall into one of three categories: access control, communications, and vigilance.
Controlling access to systems is really where good online security starts. You don't want the wrong people to have access to critical systems or security too weak to keep nefarious individuals out.
Some critical aspects to good access control are:
Limiting who has logins to critical systems
Prohibiting the sharing of logins and account information
Using fine-grain permissions to only allow the access needed for the role
Limiting access by location or device for highly sensitive systems
Enforcing strong password policies and two-factor authentication
Using a password management system to store and share login information
COMMUNICATIONS & DATA
How your staff communicates and shares critical data is also an important aspect of online security. We already covered how to safeguard access information, but there is a wide variety of data that can be considered highly sensitive, such as donor information or program participants' personal information.
Some critical aspects to good communications and data security are:
Use strong encryption in communication tools when available
Use encryption on all company devices
Limit the use of personal employee devices or enforce security policies on those devices as well
Avoid collecting any personal or sensitive information on your website - use a third-party service
Avoid displaying contact and personal information on your website - put barriers up to make stealing data harder
Don't use email file attachments - use Google drive or another file sharing tool
Train staff about email scams, spotting spoofed emails, phishing, and dangerous email attachments
The online security landscape is constantly evolving and new types of threats emerge every year. Staying vigilant and up to date on security issues can be an important aspect of your overall organization's level of security. Hopefully, you have an excellent technology partner or agency which handles the maintenance of most of your platforms.
Important security vigilance steps to keep in mind are:
Clearly document and communicate company security policies to staff on a regular basis
Researching all software programs for security concerns before installing
Keep all software programs up to date and patched - don't use end-of-life software
Review all third-party platforms TOS and security policies
Keep an eye out for poor security practices by staff and partners
Get a security audit by a reputable company
How ArcStone Keeps Our Clients Safe
We realized long ago that having great online security was a huge burden for nonprofits and often outside of their reach. That's why we decided to bake in security to all our processes and offer great security training and tools to all our clients. We aren't usually involved in every aspect of our clients' online security, but it's very common that we will build websites and host them for clients. An organization's website is also often a security focal point, handing a lot of critical areas of their mission.
Building Secure Websites
The first step to having a very secure website is to build it right in the first place. We have chosen to build websites on the WordPress CMS platform, which has both demonstrated a stellar history of security and created an entire ecosystem of enhanced website security tools that can be used if needed.
The first step we always take in building a website is to develop a detailed blueprint of the site. This document helps us build secure websites by outlining critical website functions, determining which third-party tools will be used, and outlining how any critical data will be collected through forms or displayed on the site.
Critical steps we take to building a secure website are:
Creating a detailed blueprint that outlines all website functions and technologies needed
Vetting all third-party tools, plugins, and services needed to build the site
Advising clients on how to securely collect data online and what not to do
Reviewing planned website content for potential abuse and security issues
Using secure project management tools throughout the whole process
Leveraging a secure source code control management tool to manage all programmers and code development
Secure Website Hosting
Once a new website is built and launched, it's exposed to the entire world and a huge host of possible online threats. Simply existing on the internet makes a website a target. Since we often build and host websites we have some unique advantages that make your website's security easier, and the technical staff to help support future updates.
Important components of ArcStone's Secure Website Hosting:
All websites we host leverage an up to date SSL security certificate
Logins and access information is all kept in a secure password management system
Only necessary staff has access to hosting systems
Websites are backed up daily - and our backup system is routinely tested
All website code is managed in a secure source code control system
Our websites all have a security plugin installed
We limit who can have website CMS admin access
All CMS code and plugins are kept up to date
An intrusion detection system is used to alert us of unauthorized website code updates
A Continually Evolving Field
Online security never stands still and neither should your strategies for dealing with potential threats. If you want more information about how to create an online security strategy check out our free on-demand webinar on Online Security for Nonprofits.
If you have any questions or concerns about your organization's online security please reach out and you can speak with one of our security experts.