At NationBuilder, we take security seriously — very seriously.
From a technology standpoint, we aim not just to meet but to exceed industry standard best practices for our systems. We are continually monitoring our technical systems and work with external security firms to ensure that our customers’ databases are secure. That said, the most significant security threat to the vast majority of organizations is internal. Making easily avoidable physical and administrative security mistakes can leave you vulnerable, even to the least sophisticated “hacker.” Or, more likely, to petty theft, retaliation from an upset staffer, or the impulse of a rogue volunteer.
In this day and age, one of the most important things that organizations, especially campaigns, can do is take these five proactive steps to build a robust internal security culture — while demanding excellence from yourself and your team.
1. Use a device manager that gives your company or campaign the ability to remotely lock and/or erase any device with organizational data on it.
Sh*t happens. We all lose things; we make mistakes, items get stolen. Even our best selves are subject to human error — so as an organization, plan for it.
If anyone on your team accesses their work email from their phone, make sure you can remotely wipe that phone. If a work computer is stolen, make sure that you can remote-wipe that laptop. So long as you’re using a cloud storage service (e.g. Google Drive, Dropbox) to store your team's data, the only thing permanently lost will be hardware.
Make sure that the organization, not a specific individual, owns the data on each device. That requires a collective commitment to use work computers exclusively for work, and personal devices for everything else. Employees and volunteers should not access organizational data on their personal phones. Such a policy also makes it easier to control how your data is accessed.
Here are some instructions on how to set up remote wiping:
- For Mac: Make sure "Find My Mac" is enabled, then follow these handy instructions
- For PC: Here are instructions for Windows
2. Limit plugins and extensions.
Extensions, extensions, extensions. Third-party web browser extensions can do amazing things, but they also collect, or request permission to collect, data. Before installing an extension, check that it requires only a limited amount of data to work.
Also, pay attention to the access you grant each extension (e.g. read or write access). If an extension is compromised, then you could become compromised. Recently, Grammarly, a popular grammar-check browser extension, made news when a security vulnerability left its 22 million users' accounts accessible to remote hackers. It's a timely reminder that third-party vendors and tools can be among your biggest unexpected vulnerabilities.
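A quick way to make the "what does this extension ask for" check repeatable is to read the permissions straight out of its manifest before installing. The script below is an added example written for this post, not NationBuilder's or any browser vendor's code: it parses a manifest in the Chrome/Firefox manifest v3 layout, separates host access from API permissions, and flags the ones that grant read or write access to page content or browser traffic. The sample manifest and the risk tiers (HIGH_RISK, LOW_RISK) are this example's own assumptions, not a published vendor list.

```python
"""Review a browser extension manifest for over-broad permission requests.

Added example. SAMPLE_MANIFEST is a constructed manifest v3 file; the
risk tiers below are assumptions chosen for illustration.
"""
import json

# API permissions that expose page content, browsing activity or traffic.
HIGH_RISK = {
    "tabs", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "cookies", "history", "clipboardRead", "nativeMessaging", "debugger",
    "management", "proxy",
}
# Narrow permissions most extensions legitimately need.
LOW_RISK = {"storage", "alarms", "notifications", "contextMenus", "activeTab"}

# Constructed sample: a grammar-helper extension that asks for far more
# than it needs (every site, tab metadata, and the clipboard).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Grammar Helper",
    "version": "1.0",
    "permissions": ["storage", "activeTab", "tabs", "clipboardRead"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [
        {"matches": ["https://*/*", "http://*/*"], "js": ["content.js"]}
    ],
})


def host_scope(pattern):
    """Classify a match pattern: 'all' covers every site, 'wildcard' covers
    a family of hosts or paths, 'specific' is limited to one host."""
    if pattern == "<all_urls>" or pattern.startswith(
            ("*://*/", "http://*/", "https://*/")):
        return "all"
    if "*" in pattern:
        return "wildcard"
    return "specific"


def review_manifest(manifest_text):
    """Return a findings dict summarising what the extension can reach."""
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", []))
    hosts = list(m.get("host_permissions", []))
    # Manifest v2 lists host patterns inside "permissions"; treat them the same.
    for p in list(perms):
        if "://" in p or p == "<all_urls>":
            perms.discard(p)
            hosts.append(p)
    # Content scripts run on every page matching their patterns.
    for cs in m.get("content_scripts", []):
        hosts.extend(cs.get("matches", []))

    findings = {
        "name": m.get("name", "?"),
        "high_risk": sorted(perms & HIGH_RISK),
        "unknown": sorted(perms - HIGH_RISK - LOW_RISK),
        "all_sites": sorted({h for h in hosts if host_scope(h) == "all"}),
    }
    if findings["high_risk"] or findings["all_sites"]:
        findings["verdict"] = "review before install"
    elif findings["unknown"]:
        findings["verdict"] = "check unfamiliar permissions"
    else:
        findings["verdict"] = "minimal"
    return findings


if __name__ == "__main__":
    r = review_manifest(SAMPLE_MANIFEST)
    print(f"{r['name']}: {r['verdict']}")
    print("  high-risk permissions:", ", ".join(r["high_risk"]) or "none")
    print("  all-site access via:", ", ".join(r["all_sites"]) or "none")
```

An extension that only needs to work on the page you are looking at can usually get by with activeTab plus storage; anything that lands in the "review before install" bucket deserves a second look at why it needs every site or your clipboard.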
3. Set your screen to lock immediately and require a password.
Co-working spaces, remote work from public spaces, and open office floor plans are more popular than ever, and they also make it easier than ever for passersby to glimpse or access information on your display. How often do you leave website tabs, documents, or emails containing sensitive data open when you step away from your laptop for a quick bathroom break?
Locking your device and setting a short time delay before your screen saver or sleep mode activates gives you an additional layer of physical security. As a rule of thumb, if you're not using the computer, it should be locked.
- For Mac: You can even set a personal message for someone who finds your computer locked
- For PC: Here are several ways to lock your screen
4. Only give people access to the data that they need to do their job.
If you haven’t checked out our documentation on how to use custom permission sets in NationBuilder, now is a great time. Limit the number of people with full admin access to your nation to one or two. Everyone else should have at least some restricted feature permissions. For example, most volunteers don’t need the ability to export your people database, nor to change your account settings.
Staff and volunteer turnover at nonprofits and on the campaign trail is high. When someone is no longer actively working with your organization, you should revoke their control panel access. Even a trusted former consultant may have their email compromised — which, in turn, could expose your nation to intruders. To mitigate this sort of risk, periodically audit and clean up your list of control panel users.
- Customize permissions: Head to Settings > Defaults > Permission sets, and choose which features to restrict
- Audit control panel users: Head to People > Point people to see who has access to your nation
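Turning the periodic audit into a routine is easier when it is a script rather than a memory. The example below is added here and is not NationBuilder's code: it reads a constructed CSV export of control panel users (the column names are this example's own, not NationBuilder's export format), compares it with the current staff and volunteer roster, and reports accounts to revoke, accounts that have gone unused, and whether more people than the agreed limit hold full admin access.

```python
"""Audit control-panel users against the current roster.

Added example. USER_EXPORT and CURRENT_ROSTER are constructed sample data;
the CSV columns are assumptions, not NationBuilder's export layout.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export of everyone who can log in to the control panel.
USER_EXPORT = """\
email,permission_set,last_login,status
director@example.org,Admin,2018-03-01,active
deputy@example.org,Admin,2018-02-27,active
data@example.org,Admin,2018-02-20,active
intern@example.org,Admin,2017-10-15,active
vol1@example.org,Volunteer,2018-02-28,active
consultant@example.com,Staff,2017-09-01,active
"""

# Constructed roster of people who currently work with the organization.
CURRENT_ROSTER = {
    "director@example.org", "deputy@example.org", "data@example.org",
    "intern@example.org", "vol1@example.org",
}

MAX_ADMINS = 2            # the "one or two" full admins the post recommends
STALE_AFTER_DAYS = 90     # assumption: unused for a quarter means review it


def audit_users(export_text, roster, today, max_admins=MAX_ADMINS,
                stale_after_days=STALE_AFTER_DAYS):
    """Return {'revoke': [...], 'stale': [...], 'excess_admins': [...]}.

    today is an ISO date string so the check can be re-run for any date.
    """
    today = date.fromisoformat(today)
    stale_after = timedelta(days=stale_after_days)
    rows = list(csv.DictReader(io.StringIO(export_text)))
    findings = {"revoke": [], "stale": [], "excess_admins": []}

    for r in rows:
        last_login = date.fromisoformat(r["last_login"])
        if r["email"] not in roster:
            # No longer with the organization: access should already be gone.
            findings["revoke"].append(r["email"])
        elif today - last_login > stale_after:
            # Still on the roster but not using the account; confirm it is needed.
            findings["stale"].append(r["email"])

    admins = [r["email"] for r in rows if r["permission_set"] == "Admin"]
    if len(admins) > max_admins:
        findings["excess_admins"] = admins
    return findings


def action_items(findings):
    """Render findings as a short to-do list for whoever runs the audit."""
    items = [f"Revoke access: {e}" for e in findings["revoke"]]
    items += [f"Confirm still needed (no recent login): {e}"
              for e in findings["stale"]]
    if findings["excess_admins"]:
        items.append("Too many full admins; move some to a restricted "
                     "permission set: " + ", ".join(findings["excess_admins"]))
    return items


if __name__ == "__main__":
    for line in action_items(audit_users(USER_EXPORT, CURRENT_ROSTER, "2018-03-05")):
        print(line)
```

Running it against the sample flags the former consultant for removal, the intern's unused admin account for a check, and four full admins where the post suggests one or two. Swap in your real export and roster and run it on a calendar reminder.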
5. Connect to WiFi networks securely.
The best practice is to avoid free, public WiFi networks altogether. But if you must use public WiFi, do not access company or customer data unless it's through a Virtual Private Network (VPN). Using your phone's hotspot instead also improves security, because you set the password required to access it. At home, make sure that your network is password protected and that your router is running the latest software and firmware available from the manufacturer.
- To learn how to set up a personal VPN, check out this guide
- Find a VPN provider that meets your needs: The best VPN Services of 2018 (PCMag)
While this is not a comprehensive list, these five small steps are some of the best things you can do to safeguard yourself and your organization against data breaches.
Emily Schwartz, Vice President of Organizing and Kam Williams, IT Manager at NationBuilder