Right now, one conversation dominates the nonprofit space: donor data security. Modern nonprofit operations rely almost entirely on donor data, which is collected, stored and mined on a mix of software solutions. If one of those platforms compromises data security, the entire organization is at risk. It makes sense that nonprofit leaders are focused heavily on the topic.
While security breaches are a possibility for any platform, there are ways to protect your organization and your donors. We’ve identified the most important practices we teach to our customers when they make the switch to Virtuous and we want to share them with you. Here are the 5 ways you can proactively protect your donor data, no matter what solution you’re using.
Understanding Good Donor Data Security
Good data security relies less on your technology and much more on having a well-trained team. According to the technical director of Symantec security response:
“…bad guys are generally not trying to exploit technical vulnerabilities in Windows. They are going after you instead. ‘You don’t need as many technical skills to find one person who might be willing, in a moment of weakness, to open up an attachment that contains malicious content.’ Only about 3% of the malware they run into tries to exploit a technical flaw. The other 97% is trying to trick a user through some type of social engineering scheme, so in the end, it does not matter if your workstation is a PC or a Mac.”
So, while any vendor you work with should have robust security measures in place, the best thing you can do to protect your donor data is to train your staff on good data practices and how to avoid phishing attacks and other socially-engineered online threats.
5 Best Donor Data Practices
What are good data practices for nonprofits? Here are the top things to consider.
1. Password Protection and Management
Your first line of defense on any system is your password. But not all passwords are created equal. In fact, there are some very bad passwords — including your organization name with 123 at the end. Train your staff (and anyone who has access to donor data) to create unique, complex passwords that wouldn’t be easy to guess. Services like LastPass or Dashlane will help you keep track of all your passwords, plus store them so that you never have to remember the random string of 12 characters.
To that end, your nonprofit should avoid any policy that requires regular password changes. Many of us have experienced the headache that requires a password change every 3 months, all in the name of protection. However, research shows that this policy can actually be a detriment to overall data security. People want to make things easier for themselves, so when they are required to update their passwords frequently, they tend to pick easy-to-remember, thus, easy-to-guess passwords. They also tend to store passwords in publicly accessible places to remind themselves of the new version of their password. The best policy is to stick to a stronger password and keep it.
2. Use Two-Factor Authentication for Important Donor Data
Most sophisticated software solutions, like Virtuous, will either allow, and sometimes require, two-factor authentication before they grant access to donor data. Two-factor authentication is a term that describes a second layer of protection beyond a username and password. Most often, two-factor authentication involves a code sent via email or text message that you must enter in order to log in to your account after you’ve entered your standard login credentials.
The purpose of the second layer is to make it harder for someone to gain access to an account even if they guess the username and password. Usually, only the single user will have access to both the login information and the numeric code. Rather than require a password change every quarter, it’s a good idea to implement a two-factor authentication policy.
Additionally, you should create strict policies around donor data access. That doesn’t mean keeping information from other teams. In fact, Virtuous encourages all our customers to share information across the entire organization. Context and comprehensive donor data improves experiences and increases revenue. However, digging into the information doesn’t require everyone having direct access to everything. Make sure that you’re only sharing the personally identifiable information (PII) of your constituents with those who definitely need to access it.
Together, these two policies will ensure that you can maintain donor trust and commitment to your goals.
3. Implement Stricter Policies for Data Entry
I often say while training Virtuous admins, “Just because someone can see certain data, doesn’t mean they need access to edit it.” Remember, we are a platform that serves responsive nonprofits. We believe in sharing data and breaking down silos. We also know that secure donor data is paramount to your success. To that end, we suggest each organization identify specific team members who have exclusive permission to create and edit donor records.
It’s much safer (and more efficient) to train a smaller group of people on the exact way to enter data to keep all your records clean, while also limiting PII exposure to those who shouldn’t have access, including event volunteers or temporary team members. Good donor data entry training should cover what information is necessary for development, plus what information should be omitted from your CRM. For example, extremely sensitive data like social security numbers or credit card information should be excluded, especially if your CRM is not PCI compliant.
The good news is that as soon as your small team is trained on good data entry policies, the process should run efficiently and provide you with the right donor signals to create unforgettable donor experiences with increased donor trust year after year.
4. All Donor Data Needs a Place
Donor data should live in a single place: your CRM. The right CRM for your nonprofit will not only organize all the most relevant donor data, but it will also plug into all your additional solutions, without requiring you to duplicate information.
Tracking credit card numbers on slips of paper, maintaining spreadsheets and other external files with donor data, and other practices like these are all potential security issues. All of the strict data entry policies, rigid password requirements, and two-factor authentication features can’t help if you can simply lose track of a paper reply device with a donor’s credit card information on it.
Ensure that your entire team is trained to input donor data directly to your CRM. That way, you have one central source of truth. One place where everyone can see the information, but only a select few can edit that data.
5. Never Transmit Donor Data via Email
Email is notoriously not secure. Of course, it’s a tool that every organization uses frequently to share reports, update teams and connect with your constituents. We’re not suggesting that you move away from email. However, your team should be very selective about what you share.
If you attach a spreadsheet with all of your donor’s information to an email, you put your donors at risk. Instead, share files internally via secure links to internal drives or via encrypted file services. Better yet, create a report in your CRM and send a link to the report in the software. That way the report would require a login to access.
See the Difference Virtuous Can Make to Your Donor Data Security
To see for yourself the ways that Virtuous supports our customers with better donor data practices, plus the way we approach security, schedule a demo today. Our team will listen to your most important questions and concerns and provide direct, easy-to-understand answers with the suite of Virtuous products.
