When nonprofits use volunteers for information security

Neal B Custer

To explore that question, I met with Nora J. Carpenter, president and CEO of United Way Treasure Valley, a self-described “accidental nonprofit junkie” and one of the best sources around for an insider’s perspective on nonprofit organizations. She has been involved in nonprofit work since 1992 and has served as both CEO of the local Better Business Bureau and senior vice president of the National Council of Better Business Bureaus. This gives her unique insight into the inner workings of both nonprofit organizations and for-profit businesses.

Carpenter describes the most successful nonprofits as “functioning like a business behind the scenes.” With established policies and procedures and strict quality-control standards, a nonprofit can better accomplish its goals. Nonprofits are also similar to businesses in the data they keep: They generally use customer-relationship management software of some kind, which keeps track of personally identifiable donor data. They may also keep credit card information, interact with the Automated Clearing House payment system, and implement Web-based giving methods, such as PayPal.

Carpenter further explained that when comparing nonprofit organizations to businesses, “the biggest difference is the presence of volunteers. Idaho has the third highest volunteer rate in the nation.” Most nonprofits do not have the resources to pay a salary to everyone involved, making volunteers an essential component of successful operation. Volunteers exponentially magnify a nonprofit organization’s ability to accomplish its goals.

In many nonprofits, volunteers occupy positions seen as equal in value to – and sometimes more important than – those of paid employees. Their roles can include directly interacting with donors, collecting payment information over the phone, performing Web development, and even functioning as a nonprofit’s IT department. While United Way has a staffed IT department, Carpenter said this is not typical in the nonprofit world, and many rely almost exclusively on volunteers.

From an information-security perspective, this could present a few problems. To a cybercriminal, the payout from compromising a nonprofit is exactly the same as attacking a business: financial data and personally identifiable information. There is obvious incentive to target nonprofits, and that incentive can be magnified by the reliance on volunteers.

A well-meaning volunteer might set up the organization’s computer systems and network but not have the training (or time) to regularly patch security flaws or to recognize a potential malware compromise in the network because the volunteer stops in just twice a month if things are running smoothly.

Similarly, a volunteer could set up a website or a social-media page but fall victim to social engineering or accidentally code the website to be vulnerable. Maybe the volunteer set up the company database as an Excel spreadsheet, shared it with the entire network, and stored credit card information in plain text.

It is an understatement to say modern technology has illuminated previously unseen opportunities for nonprofits. Carpenter calls it “the power of shared opportunity.” Through Web-based giving and social media, the digital world allows for an unprecedented level of real-time community interaction and feedback.

However, this is a double-edged sword, because each step forward creates more access points that can potentially be exploited by fraudsters.

Nonprofits also owe it to their donors to perform thorough background checks on their volunteers, especially ones that will work in IT. As Carpenter mentioned, the most successful nonprofits treat volunteers in these positions as a business would treat a highly valued employee. Trust must be earned, and a background check is an integral part of the process. Nonprofits that do not hold their volunteers to this level of scrutiny risk exploitation.

If you as a nonprofit volunteer are asked to consent to a background check, do not take offense. Instead, understand that the organization is taking critical steps to keep data and donors safe.

Conversely, if you are volunteering but have never been asked for a background check, start asking critical questions. Why aren’t they being performed? What steps need to be taken to ensure they are performed in the future?

Ultimately, the biggest unique risk posed to nonprofits doesn’t come from the volunteers themselves but from improper training. If a nonprofit treats its volunteers like valued employees, it should also attempt to train them as such. At a minimum, security awareness and social-engineering prevention training should be performed regularly for all employees. Even if these cannot be budgeted, there are many opportunities to partner with other businesses and organizations specializing in these subjects at no cost.

Ideally, every nonprofit should have at least one person (either on staff or a volunteer) with specialized information-security training. That person needs to be actively hunting for vulnerabilities, patching holes and ensuring the systems comply with industry regulations. Even with a single security specialist leading the charge, a handful of regular IT volunteers can be taught what to look for and how to best protect the organization, both from cybercriminals and well-intentioned mistakes.

neal@custeragency.com. Written in collaboration with information security expert Dylan Evans, Reveal’s vice president of operations.

By Neal B. Custer, President of Reveal Digital Forensics & Security, a subsidiary of Custer Agency Inc., and an adjunct professor at Boise State University. Courtesy Idaho Statesman

Read more here: http://www.idahostatesman.com/2014/12/17/3543420_when-nonprofits-use-volunteers.html?sp=/99/103/1785/&rh=1#storylink=cpy

