While many workers use their own devices, the BYOD trend can be risky for organizations, particularly for nonprofits that use volunteers to seek and accept large donations. Often, donations are made over information tables at the local grocery store or train station. Volunteers take donations on their personal devices using common mobile payment apps.
“You don’t want to just be handing over your banking credentials to a stranger in the grocery store,” says Bryan Bassett, research manager for enterprise mobility at research firm IDC.
Nonprofits may not have the IT budgets of large enterprises, and they often let employees cover the cost of their mobile devices themselves. The security risks of allowing nonprofit employees to use personal devices can be greater than the convenience it offers. These risks include users uploading sensitive data to unauthorized cloud services and unsecure Wi-Fi networks. Users also may lose their devices or fail to encrypt emails, according to the Nonprofit Risk Management Center.
If a nonprofit does have an IT department, it may lack the visibility to verify how a user securely accesses a mobile device and whether it’s unlocked by a phone PIN or fingerprint, Bassett says.
Another worry is that cybercriminals can follow the flow of money from a donor to a nonprofit. This money trail effectively helps hackers get access into your organization.
“I think the wealthy nature of donors is certainly an attraction,” says Michael Covington, vice president of portfolio strategy at Jamf, a company that offers mobile device management (MDM), endpoint protection and application management solutions for Apple devices. “There are times when the work that a nonprofit pursues could be used against a donor, so tying a donor to a nonprofit publicly is something a donor would like to avoid.”
In addition to Jamf, other MDM solutions include IBM’s MaaS360, Lightspeed Mobile Device Management and MobileIron. “There are definitely different flavors of MDM and device management for all sizes of organizations,” Bassett says.
Click the banner below to unlock exclusive data analytics content when you become an Insider.
How Nonprofits Can Establish a BYOD Policy
To reduce these risks, nonprofits should establish formal BYOD policies between the organization, staff and volunteers. These agreements dictate how users securely sign in and outline whether devices can be remotely locked if they go missing or wiped if an employee leaves the company.
“While the agreement piece of paper itself really is just a liability thing, it does help communicate to the employees what is expected of them and what they can and can’t do,” Bassett says.
READ MORE: Why automation and security will be key for nonprofits.
Covington says that a clear BYOD policy is critical. “I think transparency is really key in these environments to let the users know what they should and should not be doing,” he says. “Most BYOD programs fail to document what the policy really is,” Covington says.
Getting staff and volunteers set up on a BYOD policy is a process. Once enrolled in a BYOD program, the nonprofit would first send a QR code or a text message link to staff or volunteer devices. Users would then receive security applications directly on the device. After the volunteer stint is over, the nonprofit can turn off access to these apps.
In the past, MDM solutions were known to help IT departments take full control of personal devices, or even wipe them, but this “nuclear option,” Covington notes, does not always work. Wiping does not take into account the data privacy issues of personal applications.
Nonprofit Workers Can Partition Mobile Devices
With MDM applications, users can enroll their devices and immediately access the specific application the company has loaded for them. From that point, the nonprofit can specify how data flows to the staff member’s or volunteer’s device. MDM apps also can limit users’ access and manipulate donor data.
“Essentially, what you’re doing is creating a partition for work and separating that from the personal side of the device,” Covington says. “The business does not have a window into everything that happens on the user side, but this work partition is where application controls can be put into place.”
Apple and Android offer MDM applications that allow users to create separate work profiles, Bassett says. “Both Apple and Google have been very diligent in making sure that separation is incredibly secure,” Bassett says.
If a small nonprofit is unsure about how many volunteers it will need, the native apps let you flexibly scale up or down. Meanwhile, apps from companies like Citrix and Microsoft provide more customized solutions with capabilities for larger enterprises that have thousands of employees, Bassett says.
EXPLORE: How to keep your mobile devices secure.
Key Steps to Securing Personal Devices at a Nonprofit
Nonprofits also can configure specific cloud storage sites where users can store content. For nonprofits considering this, Bassett suggests they do their research to make sure the installed applications have been vetted and the companies offering them are financially backed.
Experts agree that MDM applications are evolving into a broader set of tools to help companies achieve business outcomes, with features such as patch management, compliance auditing and mobile threat defense. Staying secure means that nonprofits must protect their donor lists first and foremost. Nonprofits should practice good device hygiene to thwart phishing attacks and malware attempts.
