Convio Newsletter
November/December, 2001 - Issue 8

Nonprofits On The Internet: A Secure System Is Essential
The Internet may be one of the best communication tools ever for nonprofits, but to ensure that this powerful tool works for - not against - an organization, security must be a priority, from the moment that a nonprofit decides to establish an online presence and continuing as long as the group is using the Internet. As people become more sensitive about personal information they provide online, the margin for error on security matters becomes increasingly small for nonprofits. Not only is constituent trust at stake, but most nonprofits don't have the resources to weather an incident such as a major exposure of constituents' personal information. One significant security breach can, in a matter of days, undo years of building a trusting relationship with supporters; nonprofits must protect themselves and their most valuable asset - a loyal constituent base.

Take stock of risk factors
The online nonprofit must fully appreciate that its system is now connected to a worldwide computer network that nearly a billion people access regularly, one composed of systems totally outside the organization's control. Inevitably, not all of these people are benign. Some of them may oppose the nonprofit's mission. Others want to steal the personal information the organization holds for criminal use, or simply to commit electronic vandalism for its own sake. Additionally, some reside in jurisdictions with no law enforcement for Internet crimes.

A nonprofit must take steps proactively to protect itself: any attempted exchange of data between the Internet and the organization's systems must be carefully controlled, and assumed to be hostile unless proven otherwise. Running an Internet service accessing constituents' data without proper security measures is akin to leaving the donor history file in plain view on the back seat of an unlocked car.

Design security into the system
The most widespread misconception about IT security is that it is a combination of products or features -- for example, a firewall -- which can be tacked on to an otherwise insecure system, and that it requires little or no ongoing maintenance. Nothing could be further from the truth. A system is only as secure as its weakest link; security must be designed into the overall architecture from inception, considering every component and its operating procedures.

Maintain constant vigilance
Maintaining security is a process of continuous vigilance. Most successful compromise attempts exploit recently discovered security flaws in software products. However, in about 99 percent of cases, the software manufacturer has already produced an update or patch that fixes the security hole. The compromise could have been prevented if only the system administrator had taken the time to keep up to date with newly discovered vulnerabilities and their corresponding security fixes.

Sophisticated criminals aware of security holes often craft automated tools to easily compromise thousands of unsuspecting owners' desktop computers and small servers. The recent NIMDA and Code Red worms exemplify this. Conversely, an attack against a well-run system usually involves days or weeks of careful probing to discover technical details of that system and obscure flaws in it. Vigilance is once again the key - logging and monitoring information will provide clues about potential attacks while there is still time to take additional preventative measures.
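As an added illustration of the logging-and-monitoring point (example code written for this edit, not part of the newsletter), the following script reads constructed Common Log Format lines, flags requests matching the probe paths associated with the Code Red and Nimda worms, and reports clients that pile up 404 responses, the pattern the careful probing described above leaves behind. The log lines, the worm signatures and the 404 threshold are all assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample access log (Common Log Format); not from the newsletter.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2001:08:01:12 -0600] "GET /index.html HTTP/1.0" 200 4821
198.51.100.23 - - [10/Nov/2001:08:02:44 -0600] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 314
198.51.100.23 - - [10/Nov/2001:08:02:45 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 314
198.51.100.23 - - [10/Nov/2001:08:02:46 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
192.0.2.9 - - [10/Nov/2001:08:04:30 -0600] "GET /admin/ HTTP/1.0" 404 314
192.0.2.9 - - [10/Nov/2001:08:04:31 -0600] "GET /cgi-bin/ HTTP/1.0" 404 314
192.0.2.9 - - [10/Nov/2001:08:04:32 -0600] "GET /backup/ HTTP/1.0" 404 314
203.0.113.7 - - [10/Nov/2001:08:05:01 -0600] "GET /donate HTTP/1.0" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Request paths the two worms named in the article were known to probe for.
# Assumption: taken from public worm write-ups, not from this page.
WORM_SIGNATURES = {
    "Code Red": re.compile(r"/default\.ida\?", re.I),
    "Nimda": re.compile(r"root\.exe|cmd\.exe|%c0%af|%c1%1c", re.I),
}

# One client producing this many 404s is treated as scanning for hidden paths.
NOT_FOUND_THRESHOLD = 3


def parse_line(line):
    """Return the fields of one log line, or None if the line is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Flag worm-signature requests and clients that rack up many 404s."""
    worm_hits, not_found = [], Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip unparseable lines rather than trusting them
        for name, sig in WORM_SIGNATURES.items():
            if sig.search(rec["path"]):
                worm_hits.append((rec["ip"], name, rec["path"]))
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
    probing = {ip: n for ip, n in not_found.items() if n >= NOT_FOUND_THRESHOLD}
    return {"worm_hits": worm_hits, "probing_sources": probing}
```

Run `analyze(SAMPLE_LOG)` to get the worm probes and the two scanning clients; on a real server the same check would be fed from the live access log on a schedule.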

SSL is not the cure-all
Nonprofits should not assume total security because a site uses SSL encryption (a URL beginning with "https"). SSL only protects the communication between the browser and the Web server, by encrypting it while it is in transit. In any event, attackers never attempt to tap and decrypt this traffic; breaking into the Web server itself by other means is a much easier target.

Manage credit card risks
Nonprofits that process donations online should know that credit cards have two major security issues:

1. Information used for one transaction (name, card number, zip code and sometimes address) can be used for another with a different payee.

2. The payee can be in a foreign country.

Internet criminals refer to the combination of a card number and personal details as a "phish," which they treat as a form of tradable currency. A computer with stored card details can yield thousands of "phish" in a single theft, and organized crime is starting to turn its attention to this lucrative new medium. One solution: process all credit card gifts and memberships instantly, immediately provide the donor a receipt and never store card details.

Partner with a security specialist
So, how can a nonprofit with limited IT resources provide Internet services and still manage these issues? As the software industry moves from the model of shipping software on CDs to delivering fully provisioned services online, there are application service providers (ASPs) that specialize in nonprofit-specific online infrastructure. Just as one uses a bank to manage money, the most cost-effective approach is to partner with a specialist who achieves economies of scale by providing the same service to many organizations.

Top 5 questions to ask partners
How should an organization evaluate a service provider for security? There is little in the way of standardized certification, and hiring a consultant to assess a provider's setup is cost-prohibitive. The following questions can help prepare you to screen potential Internet service partners.

1. In lay terms, how will you approach the online security needs of our organization? If the answer is a list of product names and buzzwords, think twice.

2. What types of training and experience does your operating team have? As in any other field, there's a big difference between a system administrator with 10 years of experience in running secure, enterprise-level IT systems, and a junior person with vendor certification in operating an office PC network.

3. Who are your other clients, what is the duration of their contracts with your company and how many have renewed or expanded their relationships with you?

4. What quantifiable "results" or case studies can you share regarding your work with clients?

5. May we talk with some of your clients?

Protect Your Investments
Nonprofits must protect the investments they make in utilizing Internet technology. Security must be integrated into the design of any organization's technology infrastructure for conducting business online. By partnering with an ASP that specializes in Internet solutions for nonprofits, a nonprofit frees itself to focus on what it does best -- serving its constituents and fulfilling its mission.