CommitChange now hosts Fika for Social Good events in the Midwest, an informal series of discussions for nonprofit leaders and tech professionals. During our most recent meeting, we discussed data and digital security.
Between 2004 and 2016, I worked directly for nonprofits in one capacity or another, and as the Director of Nonprofit Advocacy for CommitChange, I continue to work with nonprofits to help optimize their digital strategies. Part of my job over the years has been to help nonprofits keep their data and digital accounts secure. At our most recent fika, we discussed a few simple and relatively easy ways that nonprofits can boost their data and digital security.
Never send sensitive information via regular email. This includes information about your donors, constituents, organization, or personal details. Sensitive data includes, but is not limited to, account usernames and passwords, financial information, and personal information like your social security number and birthdate.
There are two reasons you don't want to send this kind of information via unsecured channels (and you should assume your personal and work email are unsecured, unless you know for certain that you use an encrypted email client like Thunderbird). The first reason is that a need to send sensitive information over email should never arise. If you need to communicate with members of your team or constituency, there are more secure methods of sending information. If you need to send information to a third party, like a bank or service provider, they should never ask you to send that information via email. If someone does ask you to send private information via email, and they appear to be working for a trusted source in some capacity, do not click a link or call a number in the email; instead, navigate to their website independently (via a Google search or a URL you type yourself) and contact them to verify that the request is valid. Phishing is common: criminals use branded email templates, deceptive links, and URLs that are close to, but not quite the same as, an official URL to trick people into handing over their information.
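The "close, but not quite the same" URL trick is easier to spot mechanically than by eye. The following is an added example, not code from the original post or from CommitChange: it takes a link, pulls out the domain, and flags it when it is a near-miss spelling of a trusted domain, uses a trusted domain as a subdomain of something else, or pads a trusted name with extra characters. The trusted-domain list and the sample links are constructed for illustration; a real deployment would load the list from the organization's own records.

```python
"""Flag links whose domain closely resembles, but does not match, a trusted domain.

Added example, not part of the original post. TRUSTED_DOMAINS and the sample
links in the usage section are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed list of domains the organization actually deals with (assumption).
TRUSTED_DOMAINS = {"commitchange.com", "examplebank.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lower-cased hostname of a full URL ('' if the URL has no scheme/host)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """Last two labels of the host, e.g. 'login.commitchange.com' -> 'commitchange.com'.

    Good enough for .com/.org-style names; country-code second-level domains
    (such as .co.uk) would need a public-suffix list.
    """
    labels = host_of(url).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', or 'unknown' for a link.

    'lookalike' covers three common patterns:
      * near-miss spelling of a trusted domain (edit distance 1 or 2),
      * a trusted domain used as a subdomain of another domain
        (commitchange.com.evil-example.net),
      * a trusted name padded with extra characters (commitchange-login.com).
    """
    host = host_of(url)
    domain = registrable_domain(url)
    if domain in trusted:
        return "trusted"
    for t in trusted:
        name = t.split(".")[0]  # e.g. "commitchange"
        # Trusted domain appears as a subdomain of some other domain.
        if ("." + t + ".") in ("." + host):
            return "lookalike"
        # Typo-squat: one or two characters off from the real domain.
        if edit_distance(domain, t) <= 2:
            return "lookalike"
        # Trusted name embedded in a longer second-level label.
        second_level = domain.split(".")[0]
        if name in second_level and second_level != name:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an email.
    for link in ["https://login.commitchange.com/donate",
                 "https://comitchange.com/reset",
                 "http://commitchange.com.evil-example.net/",
                 "https://commitchange-login.com/",
                 "https://unrelated-example.org/"]:
        print(f"{classify_link(link):9s} {link}")
```

The check deliberately errs toward flagging: a "lookalike" result means "verify this by going to the organization's site independently", which is exactly the advice above, not proof of fraud. It only sees the domain, so it will not catch a legitimate-looking domain that simply hosts a copied page, and it treats any non-trusted domain it cannot relate to the list as "unknown" rather than safe.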
The second reason that you don't want to send private information through an unsecured email is that, if your account is compromised, then whoever is in control of your account now owns all of the information in your sent and received emails. You don't want to put your organization's data at risk.
Sending Sensitive Information:
The most secure way to impart information is via one-on-one contact with the recipient. If you can't transmit the information in person, then calling them on the phone is the next best option. However, if you must send information through a computer or another digital device, then look into secure messenger and email services like Signal and Thunderbird with Enigmail, our recommended picks.
I've worked in nonprofits for more than ten years, and one of my pet peeves, which I've seen a number of people do in a number of offices, is leaving a personal or group password taped to a computer monitor. Please, please, please, don't leave your passwords out where people can see them. While a certain level of trust is necessary between coworkers, think of all of the different kinds of people who come and go in an office environment every single day, from delivery people to the cleaning crew who come in when no one's around.
Whether you need secure passwords for just your own computer or you need to share passwords with your team, using a password manager is the way to go. Services like LastPass let you log into one system to manage multiple passwords, which are often long strings of letters, numbers, and symbols that are far harder to crack than the passwords the average computer user will come up with. And, instead of pasting a sticky note to your computer or sending a password via email, you can add users who can then access shared passwords without putting your organization's security at risk.
Many nonprofits still send out mailers with a return envelope and donation card inside. Many of those cards are mailed back with credit card numbers and other personal information written on them. Team members answer the phone and write down information that needs to be updated in the system, or collect personal information from those they aid for special programs. Leaving this information sitting around on physical documents is a security risk. The best thing to do with this information is to shred or otherwise destroy it once it has been entered, but if you want to retain a hard copy, the next best thing is to secure it in a locked filing cabinet until the hard copy is no longer needed. At the end of the day, there shouldn't be any loose documents or files with sensitive information left on your desk.