Three guidelines for managing your nonprofit’s online accounts

Do you leave the door to your nonprofit’s office unlocked at the end of the day? Probably not. If you did, anyone who wanted to get into your office could walk right in and take whatever they wanted. You don’t keep your office behind a moat full of fire and alligators, but you do lock the door and probably the file cabinets.

Similarly, you can make some simple and straightforward commitments when it comes to online security for your organization. Take the time to at least lock the door to your online systems. I’ve written before about good password management and my love of LastPass. But there’s another level here: strong online account management.

I’m generally governed by these three guidelines:

1- Whenever possible on a platform, each user has their own account and only the permissions they need

2- When people must share a single account, only share passwords using your password manager or secure notes

3- Use Two-Factor for any service that allows it

If you already know what I mean or already do these things, you can stop reading. If you’re not sure what I mean or you don’t do it, I’ll explain more.

1- Whenever possible, each user has their own account with correct permissions

Anytime a platform allows multiple users and you can afford multiple users, set up a separate account for each person and use the different permission levels that the platform offers. Don’t make anyone an administrator who doesn’t need to be. Don’t let any of these accounts reuse a password from elsewhere, and make sure people only ever log in with their own account. There are a few reasons for this:

1- A compromised password only exposes one person’s access, and there is no shared password being passed around that could leak from anyone’s inbox or sticky note.

2- You’ll be able to track which user did what in the platform. You can follow up when you have a question about what someone did, or track down who introduced an error.

3- Nobody holds permissions beyond what their role and their familiarity with the platform call for, so an honest mistake (or a hijacked account) can’t do more damage than that person’s job requires.

Examples of places where you want to set up multiple users accounts, some as administrators and others with lower permission levels:

  • Your WordPress, Drupal or Nationbuilder website
  • Most CRMs rely on setting up unique user accounts (how else will you take good notes about interactions with constituents?)
  • Your Google Analytics account (you can specify which website properties users can access)
  • Your Facebook Page management (user permissions vary from “insights only” to full page admin)
  • If your web host allows separate account access for billing info and technical access, use both
  • Dropbox or other file sharing accounts
  • MailChimp (you can set up users that can create, but not send, campaigns)
  • Stripe or other credit card processors that allow multiple users

2- When you have to share a single account, use your password manager

Some platforms only give you a single login for your account, so you have to share those credentials with more than one person. Sharing the credentials means sharing every administrator permission the account has, so you need to be especially careful with these accounts. The account is only as secure as the least-secure person who uses it, and you want to always know exactly who has access to it.

You can also configure sharing in your password manager so that the people you share with can use the password without seeing or editing it. Treat that as a convenience rather than a hard boundary: the password still gets filled into their browser, so a determined (or compromised) user can recover it, and the real protection is still knowing who has the share and revoking it when they no longer need it.

If you’re trying to share access to this type of account with an individual who doesn’t use a password manager, tell them that you won’t share access until they have a secure password storage system.

What if you want to share with someone who uses a different password manager? There are other reasonable products besides LastPass; here’s a comparison of other options. In those cases, use a secure note to share the credential.

I like PrivNote.com, which lets you share a password-protected note that is destroyed once it is viewed. Google Docs, DMs and email are insecure ways to share account credentials, because the password stays readable in someone’s history or inbox long after they needed it.

These admin-level accounts generally include the ability to delete the account outright. When someone no longer needs access, remove their share and then change the password, so that whatever copy they may still have stops working. Your password manager makes both steps easy.

Examples of accounts where you have to share a single account and always know who can access it:

  • Some website hosting providers
  • Your registrar account
  • Twitter
  • Flickr
  • Paypal and other credit card processor accounts
  • Cloudflare

3- Use Two-Factor Authentication (2FA) whenever you can

Setting up two-factor authentication (2FA) is one of the best ways to protect against account breaches. After a user enters the password, they also have to enter a second verification code to get in, so a stolen or guessed password alone is not enough. The simplest form is a code the platform sends via text message or email. Better, use an authenticator app to generate the second code on your phone: Google Authenticator and LastPass Authenticator are both easy to use and generally more secure than text or email verification, since a code computed on your device can’t be intercepted in transit or read from a hijacked phone number.

In many cases, you can have a service “recognize” your device for up to 30 days, so that only a login from a new device triggers the request for the second factor. If you get a 2FA prompt or code when you are not trying to log in, do not approve it: someone else has already entered a valid password, so change that password immediately and then check the account’s recent activity.

If a service allows 2FA, set it up for your users. MailChimp recognizes the value of 2FA so much, they’ll give you a discount if you use it.

It’s tough to use 2FA for shared accounts that multiple people need to access (say, your webhost account), but some platforms let you generate a list of one-time backup codes that you can store and use as the second factor when the authenticator isn’t available. You can create these codes and give them to people to store in their password manager. Treat the list as carefully as the password itself, since each code is a full second factor, and expect to refresh it periodically: each code can be used only once, and a used code is gone. Some password managers can also store the authenticator secret and generate the rotating code for everyone in the share, which avoids handing out backup codes at all.
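To make the 2FA mechanics above concrete (how an authenticator app turns a shared secret plus the current time into the six-digit code, how the service checks it, and why backup codes are one-shot), here is an added worked example in Python. It is not code from the original post or from LastPass or Google; the secret and timestamps are the published RFC 4226/6238 test values rather than anything from a real account, and the 30-second step, 6 digits and SHA-1 are assumed because they are the defaults the common authenticator apps use.

```python
"""Added example (not from the original post): TOTP as an authenticator app
computes it, server-side verification with a small clock-drift window, and
single-use backup codes. Standard library only."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 4226/6238 test secret (ASCII "12345678901234567890"), in the base32 form
# an enrollment QR code would carry. Assumed defaults: 30-second step, 6 digits.
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
STEP = 30
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at=None) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / STEP).
    This is what the phone app does; both sides only share the secret."""
    at = int(time.time()) if at is None else at
    return hotp(secret_b32, at // STEP)


def verify_totp(secret_b32: str, submitted: str, at: int, window: int = 1) -> bool:
    """Server side: accept the current step and +/- `window` neighbouring steps
    to tolerate clock drift, comparing in constant time. A real service also
    remembers the last accepted step so one code cannot be replayed."""
    counter = at // STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), submitted)
        for d in range(-window, window + 1)
    )


class BackupCodes:
    """One-time recovery codes. The service keeps only a hash of each code and
    deletes it on redemption, which is why a list handed to a colleague has to
    be refreshed once they have burned through it."""

    def __init__(self, count: int = 10) -> None:
        # Plaintext list is shown to the user exactly once at generation time.
        self.plain = [secrets.token_hex(5) for _ in range(count)]
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in self.plain}

    def redeem(self, code: str) -> bool:
        h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if h in self._hashes:
            self._hashes.remove(h)  # burn it: a second use must fail
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    # RFC 6238 vector: at t=59 the SHA-1 code is 94287082, i.e. 287082 at 6 digits.
    print(totp(TEST_SECRET_B32, 59))
    # One step of clock drift later the same code is still accepted.
    print(verify_totp(TEST_SECRET_B32, "287082", 89))
    codes = BackupCodes()
    print(codes.redeem(codes.plain[0]), codes.redeem(codes.plain[0]))
```

Run it as-is to see the RFC test code appear; swap `TEST_SECRET_B32` for the base32 secret from a real enrollment QR code and `totp()` will print the same six digits your phone shows. The verification window is deliberately small: widening it makes a phished code useful for longer.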

You can see an up-to-date list of platforms that use 2FA at TwoFactorAuth.org.

Those are the three guidelines I use when setting up online accounts. Set up your nonprofit’s accounts well and save yourself security headaches later!
