Cyber security is one of those subjects that fills most of us with dread. Implementing policies is easy to delay and to forget about.
A breach probably won't happen. What are the chances of it happening to us?
The truth is, today a data breach is more likely than ever. Hackers are getting more sophisticated and have more tools at their disposal. The security practices that worked even 5 years ago are now becoming outdated.
In the last 18 months, there have been numerous high profile cases of data breaches and fines of organisations in our sector. With the GDPR now in force, any fines issued going forwards could now be significantly higher, not to mention the reputational damage.
The good news is, this is a very solvable problem. With a small amount of effort and cost (and I do mean a little), you can keep your supporter data more safe than ever.
1. Don't store credit card details. Ever.
As an organisation, you should never be storing credit card details. It should be impossible for you to access card details of your supporters.
Don't store them in spreadsheets, on paper, in a database, anywhere. Losing donor information in a breach is bad. Losing card details is far worse.
When building your website donation flows, don't save card details to a database. Send them immediately and securely to a PCI compliant payment gateway like Stripe. Their entire business is built around secure payments.
Payment providers like PayPal and Apple Pay are also very secure, as you never even process the card details yourself.
If you accept credit card payments over the phone, make sure that the card details are immediately entered to the secure payment provider.
2. Use secure passwords
The most important thing here is to use a long password, preferably at least 10 characters.
Here's an example of some passwords that are not secure:
- [email protected]
Here's a list of the top million passwords used in the world. Don't use them. If you were a hacker - wouldn't these be the first million you tried?
At Beacon, we go a step further and forbid any password in this list of 1m.
3. Use a password manager
Going a step further, you can use a "password manager" - a place where you can store all of your passwords for different services. They're very secure.
The principle is simple - you only have to remember one password. Every other password you have is unique, hard for robots to guess, and impossible to remember - stored in a simple and secure app that you can access whenever you want.
At Beacon, we use a fantastic product called 1Password. It's a simple and secure product, and lets you even share passwords with team members if needed. Plus - they have discounted pricing for nonprofits!
Watch the video below to learn more:
Other popular password managers are:
4. Use two-factor authentication (where possible)
Also known as "multi-factor authentication", this gives you an additional layer of security on top of a password. Every time you login to a software provider (e.g. Outlook 365), you'll need to also enter a unique code - either from an app on your phone, or from an SMS sent to you.
This video from Duo gives a great overview of two-factor authentication:
For maximum security, we recommend that you encourage all of your employees and volunteers to enable two factor authentication on every service that provides it.
Here's how to enable two-factor authentication on some of the popular software companies:
Some charity software providers (e.g. JustGiving, Virgin Money Giving) don't support two-factor authentication yet. They should. Encourage them to add the feature, it's the standard for all modern software companies!
5. Encrypt your computer hard drives
Not all PCs, Macs, and smartphones have encryption turned on. This means that if a hacker stole your computer, it would be reasonably straightforward to access any of the data saved on it.
Here's how to enable encryption:
As standard, you should enable encryption on all devices that have access to your data - even if that data is just your email app on your phone.
6. Don't share login details
Sharing login details means that many people share a single password. If one person loses it or shares it accidentally with the wrong person, someone you don't want could get access to your data. This article gives a great overview of why you shouldn't share logins.
Most CRMs and other software products nowadays allow you to add multiple users to a single account. If this feature exists, use it!
If you have to share logins (for software that doesn't allow multiple users), use a very secure password in a password manager like 1Password.