Nonprofit volunteers are huge asset – and security risk

 By Laura Haight
Originally published as The Digital Maven in Upstate Business Journal

There are thousands of nonprofit organizations in the Upstate. From churches to the Peace Center, nonprofits make up a vast enterprise of employment, civic engagement, and philanthropy here. And in two weeks, Greenville will roll up its sleeves and pitch in with Hands on Greenville (goo.gl/xVPU05). It is a part of a very deep sense of community and voluntarism that is woven into the fabric of Greenville life.

But while we value the importance of nonprofit work, many continue to subscribe to the outdated belief that effective organizations must run lean and mean, donate nearly every penny raised to the cause, and keep operational costs to below 15 percent of revenues. For nearly a decade, organizations that govern, rate and support nonprofits have been fighting that false flag, which they call the Nonprofit Starvation Cycle.

To reduce the costs of doing business, nonprofits have historically relied on volunteers to do much of the work that paid, professional staff should be doing. This reliance on willing volunteers has been the lifeblood for many nonprofits operating on a shoestring budget. Volunteers’ purposeful passion is both critically important and inherently risky.

Nonprofits and small businesses are no longer just collateral damage in the cybersecurity wars, they are increasingly becoming the intended targets – both for the wealth of donor information in their control, and as unwitting stepping stones to bigger phish.

A big part of the problem revolves around volunteers. Calm down, everyone. Not volunteers themselves, but more precisely, the way nonprofits manage volunteers.

Issues range from the fear of alienating volunteers by forcing onerous security requirements and procedures on them, to going outside of protected systems and providing information in unprotected formats for volunteers to work on.  The problem is less about the volunteers themselves than the way nonprofits think volunteers will react.

The best protection against hackers is informed and engaged staff. All the technology in the world will not protect an organization – any organization – from uninformed or uninvolved authenticated users who do the wrong thing, either intentionally or accidentally. This is particularly true of volunteers. By definition, volunteers are there to help, not hurt.

Here’s a look at four typical ways nonprofits make accommodations for volunteers that can put the organization at a significantly greater security risk.

What organizations do: Organizations make assumptions that volunteers will not follow rules, that they can’t be asked to change passwords or follow appropriate procedures. Nonsense.

What they should do: Establish best practices and policies for email usage, sensitive data protection, file access, web browsing, password requirements, etc. And – here’s the tough part – take a day or two to train both staff and volunteers. Everyone needs to understand the reasoning behind policies. Once they do, volunteers or staff, need to be held professionally accountable. Nonprofits that treat their volunteers like professional staff – with respect, training and the attendant accountability often get far better results.

What organizations do: CRM and donor management software licenses are expensive. Often that means nonprofits buy one or two licenses and share the login credentials with others in the organization. This may mean that passwords with administrative access to data about donors are in the hands of dozens of people, unprotected and, by extension, exposed. Volunteers, or staff, may log in from unsecured home networks putting admin credentials at risk of being scraped by a key logger or accessed via other malware.

What they should do: Yes, software licenses can be expensive. But sharing account passwords is an unforced error putting nonprofit donors and reputations at risk. I would never recommend that any business not follow licensing requirements. But businesses should segregate administrative controls into a single license held by the office manager or ED. Lower level licenses that do not have administrative authorities should be purchased and provided to other staff – paid or volunteer.

What organizations do: Sometimes organizations are smart enough not to share the passwords, but instead routinely extract data into spreadsheets that are easily accessible to unauthorized users. These external copies of data, called shadow databases allow sensitive data to be removed from secure networks, possibly passed around on vulnerable USB keys, or taken home and loaded up on unsecured home computers.

What they should do: Shadow databases – extra copies of a central database that exist outside the main repository – are a major vulnerability for NPs and all organizations. A significant factor in many of the healthcare data breaches nationally has been stolen laptops containing shadow databases with patients’ names, diagnoses, and other sensitive information. Nonprofits often create these shadow copies so that willing volunteers or even staff can work at home. That’s risky on several levels. No employee or volunteer should be authorized to remove sensitive information from the database, or to take copies of that information off site. It’s a myth that if people are working at home they aren’t really working. They still are. It’s just that instead of helping you, they are creating a significant risk.

What organizations do: Once they understand the risk, some organizations will initiate a procedure prohibiting the practice of creating shadow databases or maintaining data anywhere outside of the main system. That’s fine going forward but does not address the horse that is already out galloping around in the field.

What they should do: The data that is out of the barn is still your responsibility and still a major risk. Nonprofits need a data cleanup: Ask everyone on the staff to inventory if they have any external data on their computer, at home, on a USB. How many copies are out there, is some of it updated outside of the main database, meaning I cannot know that my main data is accurate. It will take some time and some effort, but you can’t sleep well without doing this step.

Nonprofits could not do all the incredible work they do without volunteers. But volunteers are often engaging in professional activities and acting as professional staff. They do this because they are passionate about the cause and the organization. Treat them like professionals, with respect and information, explain the risks and the reasons for the policies. And thank them for accepting the minor inconveniences while helping to keep your nonprofit safer from cyber threats.