Securing your nonprofit’s website: things people do

As Internet hacking, impersonation and surveillance grow in volume and audacity, we all have to become more disciplined about how we browse the Internet and how we protect our online accounts. This includes the nonprofit sector, since we handle extensive personal information about our members, constituents and donors. 2016 brought some alarming Internet hacks and political changes — 2017 will require us to step up our game in response.

Your staff and volunteers need to become smarter about browsing

How often do you pay attention to the URLs and the security status for webpages you visit? Too many users don’t pay any attention at all. But just as you always look both ways before crossing the street, you want to develop the habit of knowing where you are on the web before you step into traffic.

Preview of how Chrome will be displaying security status in browsers for secure and insecure content


Chrome users will get a big nudge in the right direction in 2017. Starting in January 2017, Chrome will call more attention to web pages that are not using HTTPS, first by marking any page that collects passwords (such as your WordPress website's login page) or credit card details as "Not secure" in the address bar.

Firefox users have a similar system of markers, but these markers will not matter unless we start paying attention to where we are going on the web.

This means that, if you are not doing so already, you should get used to looking for the green padlock. It confirms two things: the connection is encrypted and integrity-protected in transit (no one between you and the server can read the page or add or subtract anything from it), and the site presented a certificate valid for the domain in the address bar. It does not vouch for who owns that domain, which is why you must also read the addresses of the sites you are visiting. All the time, and especially any time you are submitting information to a site.
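To make "read the address" concrete, here is a short Python script, added to this post and not part of the original, that applies the same rules a browser uses to decide which host it is really talking to: it refuses plain HTTP, unmasks the user@host trick, flags internationalised (punycode or non-ASCII) host names that can imitate a familiar one, and accepts a host only if it is a trusted domain or a genuine subdomain of it. The trusted-domain list and every URL used with it are made-up assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the domains this organisation expects to log in to. A real
# deployment would load this list from configuration; these are placeholders.
TRUSTED_DOMAINS = {"example.org", "wordpress.com", "lastpass.com"}


def registrable_host(url: str) -> str:
    """Return the host a browser would actually connect to for this URL.

    urlsplit() applies the URL grammar: anything before '@' in the authority
    is credentials, not the host, so 'https://example.org@evil.test/' connects
    to evil.test even though 'example.org' is the first thing a reader sees.
    """
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip(".").lower()


def is_trusted_host(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host equals a trusted domain or is a subdomain of one.

    The match is anchored at the right-hand end of the name, so
    'example.org.evil.test' is NOT a subdomain of example.org.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_login_url(url: str) -> list:
    """Return the reasons not to type credentials into this URL.

    An empty list means the URL passed every check implemented here; it does
    not mean the site is honest, only that it is where you think it is.
    """
    parts = urlsplit(url)
    host = registrable_host(url)
    problems = []
    if parts.scheme != "https":
        problems.append("not HTTPS (scheme is %s)" % (parts.scheme or "missing"))
    if parts.username is not None:
        problems.append("URL contains credentials before '@'; real host is " + host)
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        problems.append("internationalised host name; may be a look-alike of a familiar domain")
    if not is_trusted_host(host):
        problems.append("host %r is not a trusted domain" % host)
    return problems


if __name__ == "__main__":
    # Constructed sample links of the kind that arrive in phishing e-mail.
    for link in (
        "https://example.org/wp-login.php",
        "http://example.org/wp-login.php",
        "https://example.org.evil.test/wp-login.php",
        "https://example.org@evil.test/wp-login.php",
        "https://xn--exmple-cua.org/wp-login.php",
    ):
        print(link, "->", check_login_url(link) or "looks like the right place")
```

The two cases worth remembering are the last three in the usage run: a trusted name followed by more labels, a trusted name followed by `@`, and a look-alike spelled with a non-ASCII letter. All three put the familiar name in front of your eyes while sending you somewhere else.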

Securing Data through Password Management and Good Habits

I have written a number of times on the need to move your organization to a password manager like LastPass. Stop creating shared, easy-to-guess passwords (like your organization's acronym and the year it was founded, the nonprofit equivalent of "Pizza" as a password).

These password managers, among other things, will tell you how weak or strong each of your passwords is, and which passwords are in use on more than one website. Reuse is the problem to fix first: when one site is breached, attackers try the leaked email-and-password pairs on every other site, so a reused password turns one breach into many. The business tiers also let you control who has access to which shared logins, revoke that access when someone leaves, generate strong random passwords for each account, and set policies that require users to change weak or reused ones.
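The reuse and weakness checks a password manager runs can be shown in a few lines of Python. This is an added illustration, not LastPass code; the vault entries, the organization acronym NPO and the thresholds are all constructed for the example. It treats passwords that differ only by a trailing number as the same password, because bumping the year is the most common way an "updated" password fails to change at all. Findings name sites, never the passwords themselves, so the report is safe to print.

```python
import re
from collections import defaultdict

# Constructed sample of a password-manager export as (site, password) pairs.
# Every entry is made up for this example.
SAMPLE_VAULT = [
    ("https://example.org/wp-login.php", "NPO1998"),
    ("https://mail.example.com", "NPO1998"),
    ("https://bank.example.net", "NPO1999"),
    ("https://donate.example.org", "Pizza"),
    ("https://crm.example.org", "correct-horse-battery-staple-2017"),
]

ORG_ACRONYM = "NPO"  # assumption: the organization's own acronym


def normalise(password: str) -> str:
    """Strip trailing digits and case so 'NPO1998' and 'NPO1999' count as the
    same base password: rotating by incrementing a number is not a change."""
    return re.sub(r"\d+$", "", password).lower()


def weakness_reasons(password: str, acronym: str = ORG_ACRONYM) -> list:
    """Return the weaknesses found in one password (empty list if none)."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if re.fullmatch(re.escape(acronym) + r"\d{2,4}", password, re.IGNORECASE):
        reasons.append("organization acronym plus a year")
    classes = sum(
        bool(re.search(p, password))
        for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    # A long passphrase is fine with few classes; a short password is not.
    if classes < 3 and len(password) < 20:
        reasons.append("fewer than three character classes")
    return reasons


def audit_vault(entries) -> dict:
    """Return {site: [findings]} for every entry that is reused or weak."""
    sites_by_base = defaultdict(list)
    for site, pw in entries:
        sites_by_base[normalise(pw)].append(site)

    findings = defaultdict(list)
    for site, pw in entries:
        others = [s for s in sites_by_base[normalise(pw)] if s != site]
        if others:
            findings[site].append("reused (or trivially rotated) on: " + ", ".join(others))
        for reason in weakness_reasons(pw):
            findings[site].append("weak: " + reason)
    return dict(findings)


if __name__ == "__main__":
    for site, problems in audit_vault(SAMPLE_VAULT).items():
        print(site)
        for p in problems:
            print("   ", p)
```

In the sample, the WordPress login, the mail account and the bank all share one base password, and the "new" bank password differs from the old one by a single digit. The passphrase on the CRM is the only entry that passes.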

Along with better password management, there are good habits for both hardware and software that lend themselves to better security.

  1. Every account on every computer that accesses your organization's resources should have a strong password that is not used anywhere else, and that you change promptly if there is any sign it has been exposed.
  2. Don't leave yourself logged in to your computer indefinitely. Log out, or use a screen lock (not merely a screensaver) that activates after a few minutes away. This also goes for any phones and tablets that access organizational resources.
  3. Add two-factor authentication (2FA) to key accounts. After your password, the service asks for a second proof that the login is legitimate: a code from an authenticator app on your phone, a code sent by text message, or a hardware security key. An attacker who has only your password is still locked out. Prefer an app or a key over text messages, which can be intercepted by someone who takes over your phone number.
  4. Learn to recognize suspicious emails. Don't ever click through on an email asking you to log in to a website (unless you initiated that email, for example a password reset). If you have concerns, open a new browser tab and log in to the website by typing its address, without using a hyperlink anyone sent you.

There are other important steps to secure your website itself, starting with moving it to HTTPS. I'll cover that in the next post.
