Not too long ago, I went to a local nonprofit’s website to sign up to be a volunteer. Their online volunteer application form asked for my social security number – but the form was being submitted via an unsecured connection. I wrote them an email about the security issue. I never heard back. The form is still there!
Securing your nonprofit’s website is the cost of doing business, and it’s not difficult to do.
Here are the most common nonprofit website security issues along with tips on how to fix them.
- Important information transmitted via unsecured forms
- No PCI compliance
- Out of date content management system (and related plugins)
- Too many people with user accounts
- No privacy policy
- Content that your nonprofit does not have permission to use
Important information transmitted via unsecured forms
EXAMPLE
Your nonprofit’s website includes a volunteer application form with a field for a social security number. The form is sent via regular connection, no secure connection, no SSL certificate.
WHY IT MATTERS
Safeguarding personal information is your legal and ethical responsibility to your organization’s donors and supporters.
HOW TO FIX IT
“Free” solution: Stop collecting information that your organization doesn’t need. The volunteer application in my example would have been fine without my SSN and the organization could have collected that information (for a much-needed background check) via a secure method and later on in the vetting process.
“Not free, but also not that expensive” solution: Add a secure socket layer (SSL) certificate to your website and use it to secure all online forms. Your website vendor can help you, or contact SmartCause Digital and we’ll give you a hand.
No PCI compliance
EXAMPLE
Your nonprofit’s website allows donors to make an online donation to your organization using a credit or debit card. Your website hosts this service, using no third-party vendor to manage the information. You have never discussed “PCI compliance” with your team and/or your website vendor.
WHY IT MATTERS
Payment Card Industry (PCI) compliance is your legal responsibility as a business. Safeguarding your donors’ information is also your ethical responsibility.
HOW TO FIX IT
“Easiest” solution: Use an external vendor to manage online payments to your nonprofit. Let someone else worry about the technical and legal headaches. Just be sure to choose a vendor that can create payment/donation forms that match your website’s design. You want to reassure donors that the donation form is a trusted part of your nonprofit’s web presence.
If your organization continues to process online donations without a third-party vendor, read up on PCI compliance, even if it’s just to put your mind at ease that you *are* doing everything right. While you are reading, if you find an area for concern, talk to your web vendor ASAP.
Read the PCI FAQs: http://www.pcicomplianceguide.org/pcifaqs.php
Visit the PCI for small business website: https://www.pcisecuritystandards.org/smb
Out of date content management system (and related plugins)
EXAMPLE
Your nonprofit website uses WordPress (or Drupal or Joomla) and the software and related plugins have not been updated in several months.
WHY IT MATTERS
The communities of developers that support each of these content management systems (CMS) regularly publish security updates – for a reason! If you don’t update your website’s software, your site will become the target of hackers who wish to exploit known vulnerabilities. This means headaches for you and your website, such as getting hacked and flagged in Google’s search results as a potentially harmful website.
HOW TO FIX IT
“Free” solution: If you know how to make a backup of a site, go ahead and update the CMS and plugins! Get this task on the calendar and on a regular schedule – maybe once a month? (And don’t feel bad, I suffered from a similar problem with my own site. My solution was to put these updates on my calendar to ensure they are regularly addressed.)
“Not free, but not that expensive” solution: If you have no idea how to make a backup of a site, get your vendor to help you update the CMS. (SmartCause Digital can help you with updates for WordPress or Drupal.) Also, remember to include regular CMS updates in the technology budget and make sure to add the updates to your calendar on a regular schedule.
Too many people with user accounts
EXAMPLE
Your nonprofit’s website has user accounts for staff who no longer work there. Your executive director has a user account with top level permissions… and she hardly ever logs in to the site.
WHY IT MATTERS
These out of date and top level user accounts can be hacked to access your website’s administrative area. Fewer user accounts means less risk. Even better, fewer user accounts with fewer permissions means even less risk!
HOW TO FIX IT
Good news, these are all “free” solutions!
Regularly disable user accounts that are no longer needed. Put this to do item on a schedule – maybe once a quarter?
Give staff members just the permissions that they need and will use. For example, the executive director might log on to the site once every month to post her “letter from the ED”, so just give her access to publish that kind of content – and nothing else. She may even appreciate not being overwhelmed with options when she logs in to the site.
Configure your content management system to require more secure passwords (longer, using letters and numbers, etc). You might even configure the CMS to ask users to change their password every 3 or 6 months.
No privacy policy
EXAMPLE
Your nonprofit’s website collects email addresses, but there no place on the website that tells visitors how that information will be used.
WHY IT MATTERS
It’s your ethical responsibility to be transparent about how your organization handles information collected via your website. Supporters will also trust your organization more if you explain how you handle their information. Writing a privacy policy increases your site’s security because it helps your team figure out what your organization is actually doing with the data and what policies you already have in place (or what policies you need to put in place.)
HOW TO FIX IT
“Free” solution: Post a privacy policy! In it, tell your supporters: what information your website collects, what your organization does with the information, how to opt out, who to contact with questions.
“Might be a little expensive?” solution: Copy SmartCause Digital’s privacy policy as inspiration. Just be sure to have your organization’s lawyer review it. (By the way, is there a lawyer among your nonprofit’s board members? Lawyers are great contributors towards building a strong nonprofit!)
Content that your nonprofit does not have permission to use
EXAMPLE
Your nonprofit was mentioned in a newspaper article, so you posted the entire article on the nonprofit’s website. You needed an image, so you searched Google, found an image you liked and posted it to your nonprofit’s website without hesitation.
WHY IT MATTERS
Website security is also about avoiding legal trouble! Posting another organization’s content (text, images, video, audio, etc) on your nonprofit’s website without explicit permission is a legal liability.
HOW TO FIX IT
“Free” solution: Search for images with a Creative Commons license or free stock images and always provide attribution to the original creator by linking back to their site. Some useful tools: Search images on Flickr and then use a filter to just show options with a Creative Commons license (http://compfight.com) or Browse free stock images (http://deviantart.com/resources/stockart and http://stockfreeimages.com)
Learn the right way to quote and link to articles. Some rough and quick guidelines:
- Only quote the article’s title
- Add a brief summary of your own and
- Link to the article on the source’s website.
Read up on this issue: http://www.sba.gov/community/blogs/can-you-use-or-reproduce-work-others-your-website-or-blog
“Might cost money” solution: If you want to repost an entire article to your nonprofit’s website, contact the publication for their explicit permission. They may charge a fee or they may grant permission for free.
