For years, important nonprofit donors would make decisions on where to put their money based on how much money went to programs. If one nonprofit spent 15 percent on overhead and a competing agency spent 12 percent, then the prevailing by-the-numbers mentality dictated that the donors would go with the nonprofit that spent 12 percent.
In the nonprofit world, they call this the “overhead myth.”
Karl Hedstrom, IT director for NTEN, a Portland, Ore., organization that works with nonprofits to improve their technology, says times are changing, as more large donors recognize that spending money on technology to make the nonprofit more efficient and secure makes good business sense.
“I think people are beginning to recognize that small overhead will make the nonprofit less efficient than if they spent some money on technology to help with the organization’s marketing and communications, as well as to improve security,” Hedstrom says.
Rick Cohen, COO at the National Council of Nonprofits in Washington, D.C., adds that the process can be so bottom-line driven that nonprofits don’t always have an opportunity to tell donors about their recent technology improvements. He recommends that nonprofits spell out these investments in their annual reports.
While Hedstrom and Cohen point out that there’s a lot of attention paid to the bottom-line approach, the 2018 Global Trends in Giving Report found that donors are becoming more concerned about security and privacy.
According to the report, 83 percent of North American donors do not want the nonprofit to share their contact information with other organizations. And, 93 percent say they want nonprofits to make a concerted effort to protect their contact and financial information from data breaches.
So, it’s time for nonprofits to focus and get more serious about privacy and security. Here are some tips based on interviews with Hedstrom and Cohen:
1. Restrict Access to Data
Cohen says not everyone in the organization needs access to important donor information. He says that quite often, only the executive director or person in charge of fund-raising will have access to donor information.
Hedstrom adds that NTEN’s customer service staff are not allowed to share donor information with the public, and nobody on the staff can access donor credit card information.
2. Use Password Managers and Multifactor Authentication
Hedstrom believes that only password managers can consistently update unique passwords efficiently. Cohen says while many nonprofits cannot afford multifactor authentication, if it’s at all possible they should consider it.
3. Make Sure Third-Party Processors Conform to Best Practices
Cohen says whether the organization uses PayPal or Network for Good for its payment processing, ask them about compliance with the Payment Card Industry Data Security Standard and what they’ve done to meet best practices. Hedstrom says as part of NTEN going through its PCI checklist, the organization decided to make PCI DSS compliance easier by no longer taking credit card payments over the phone.
4. Practice a Defense-in-Depth Strategy
Hedstrom says NTEN adheres to all security best practices, such as deploying anti-virus, anti-malware, firewalls and intrusion prevention systems. And when NTEN employees travel, they use a VPN to connect to the corporate network instead of relying directly on Starbucks’ or the airport’s Wi-Fi network.
5. Deploy SSL Certificates
Cohen says nonprofits must be sure that their website has SSL certificates, and that when users log in to the site they do so over a secure (https://) connection. He says sites should offer a secure connection for every page on the website, not just the home page, and certainly for any page where information is collected, whether for a newsletter sign-up or for donations.
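One way to check the "every page, not just the home page" point in practice is to audit each page for three things: whether it is served over https, whether any form on it (newsletter, donation) posts to an http URL, and whether it loads scripts or links over http. The following Python script is an added example, not code from the article or from NTEN or the National Council of Nonprofits; the example.org pages are constructed sample HTML, not a real site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample pages for a fictional nonprofit site (not from the article).
SITE_PAGES = {
    "https://example.org/": """<html><body>
        <a href="http://example.org/newsletter">Newsletter</a>
        <a href="https://example.org/donate">Donate</a></body></html>""",
    "http://example.org/newsletter": """<html><body>
        <form action="/subscribe" method="post"><input name="email"></form></body></html>""",
    "https://example.org/donate": """<html><body>
        <form action="http://pay.example.org/charge" method="post"><input name="card"></form>
        <script src="http://cdn.example.org/widget.js"></script></body></html>""",
}

class _Collector(HTMLParser):
    """Collect form actions, link targets and loaded asset URLs from one page."""
    def __init__(self):
        super().__init__()
        self.forms, self.links, self.assets = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.assets.append(a["src"])

def audit_page(url, html):
    """Return (finding, offending_url) pairs for one page; empty list means clean."""
    findings = []
    if urlparse(url).scheme != "https":
        findings.append(("page-over-http", url))
    c = _Collector()
    c.feed(html)
    # A relative form action inherits the page's own scheme, so resolve it first.
    for action in c.forms:
        target = urljoin(url, action)
        if urlparse(target).scheme != "https":
            findings.append(("form-posts-over-http", target))
    for src in c.assets:                       # http assets on an https page = mixed content
        if urlparse(urljoin(url, src)).scheme == "http":
            findings.append(("mixed-content", urljoin(url, src)))
    for href in c.links:                       # links that send visitors back to http pages
        if urlparse(urljoin(url, href)).scheme == "http":
            findings.append(("link-to-http", urljoin(url, href)))
    return findings

def audit_site(pages):
    """Audit every page of a {url: html} crawl and return findings per page."""
    return {url: audit_page(url, html) for url, html in pages.items()}
```

In a real audit the SITE_PAGES dictionary would be filled by fetching each URL from the site's sitemap; the sample run flags the http newsletter page, its relative form (which posts over http), the donation form posting to an http processor, and the http script on the donate page.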
6. Adjust to GDPR Regulations
7. Check Out New GDPR Tools
There are a number of software tools nonprofits can choose from today to comply with GDPR. For example, Salesforce has a product geared toward nonprofits and universities that gives organizations 360-degree visibility into their constituents.
Varonis GDPR Patterns lets organizations run classification patterns that look for European Union citizen data. Organizations can detect and respond to security events based on the Varonis GDPR Risk Assessment.
Snow Software also has a GDPR Risk Assessment tool that offers complete visibility into all devices, users and applications across on-premises, cloud and mobile platforms. It helps organizations build a GDPR plan and offers visibility into how many devices are in use across the enterprise, where the devices are and who has access to them, what applications are installed on each device and if those applications contain personal data.
The Symantec Control Compliance Suite includes a GDPR Readiness Assessment as well as compliance automation. This helps nonprofits implement a cost-effective, holistic approach to GDPR compliance that includes compliance automation, monitoring and data tracking.