GoFundMe, a dominant player in the crowdfunding space, acquired Classy earlier this year.
GoFundMe Chief Information Security Officer John Downey explained that while nonprofits face some genuine security concerns, the issue can get overemphasized in the media, partly because the security industry has become better at messaging. He cited the marketing-heavy branding of widespread vulnerabilities like Heartbleed and noted that solving these problems requires a methodical approach.
In terms of bad actors, “It’s kind of like people walking down the street, jiggling the handles on doors, checking and seeing if one is unlocked,” he said.
“What you need to do is look out for the opportunistic attacker who’s doing that to your organization. If you can do that, then you’re in a better place than a lot of people in the industry.”
Patrick O’Brien, a member of Stripe’s platforms team, pointed to the role that insider threats can play in damaging organizations, including leaking personally identifiable information (PII) onto the internet.
“Think about how your hiring practices are and how you can instill security in the teams that you’re hiring,” O’Brien said. “And then, when people leave, how do you contain all of that PII data that you have? Because a lot of times, what we end up seeing is things start to leak out when there’s attrition.”
Technology certainly plays a role in enabling security. But the speakers emphasized being strategic with technology deployments — for example, implementing multifactor authentication for employees. (For those working within a tight budget, Google’s authentication system was cited as an effective choice.) Madhu Bussa, a senior solutions architect with AWS, noted that misconfigured infrastructure could compromise security.
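The two controls the panel singled out, multifactor authentication for staff and catching infrastructure misconfiguration before an opportunistic attacker does, are both things a small IT team can audit with a few lines of code. The following is an added example, not code from the article or from any of the speakers' organizations: it scans a constructed S3 bucket policy for statements that grant access to everyone, and reads a constructed subset of an IAM credential report to list console users who have no MFA device enabled. The bucket name, account ID, role name and user names are all hypothetical.

```python
import csv
import io
import json

# Constructed sample S3 bucket policy (hypothetical bucket and account; not from any real deployment).
# The first statement is the classic misconfiguration: an Allow to Principal "*" with no Condition.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-donor-exports/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-donor-exports/*"},
    ],
})


def _is_public_principal(principal):
    """True when the statement's Principal is the anonymous wildcard, in either accepted form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def find_public_statements(policy_json):
    """Return the Sids of Allow statements open to everyone with no Condition narrowing them."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be given as an object, not a list
        statements = [statements]
    return [
        s.get("Sid", "<no Sid>")
        for s in statements
        if s.get("Effect") == "Allow"
        and _is_public_principal(s.get("Principal"))
        and "Condition" not in s
    ]


# Constructed subset of the columns found in an IAM credential report (user names are hypothetical).
SAMPLE_CREDENTIAL_REPORT = """user,password_enabled,mfa_active,access_key_1_active
<root_account>,not_supported,true,false
alice,true,true,true
bob,true,false,false
deploy-bot,false,false,true
"""


def users_without_mfa(report_csv):
    """List users who can sign in to the console with a password but have no MFA device active."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [
        r["user"]
        for r in rows
        if r["password_enabled"] == "true" and r["mfa_active"] != "true"
    ]


if __name__ == "__main__":
    print("public statements:", find_public_statements(SAMPLE_BUCKET_POLICY))
    print("console users without MFA:", users_without_mfa(SAMPLE_CREDENTIAL_REPORT))
```

Both checks are deliberately conservative: a statement with a Condition is skipped rather than flagged, because conditions such as a source-VPC or account restriction may legitimately narrow a wildcard principal, and service accounts without a console password are not reported as missing MFA. In a real account, the policy would come from the bucket's policy API and the report from the IAM credential report rather than from the inline samples.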
Partnerships are also important to consider, O’Brien added, especially when working within regulations like the Payment Card Industry Data Security Standard or the General Data Protection Regulation.
“What I would probably do if I was in that same situation is probably try to partner with users and platforms that have the same values, and make sure that from a value perspective, security is something that they care about,” O’Brien said.