Guest Post by Thomas Negron
“I don’t get the whole lock and key thing. Do I turn the key left? Do I turn it right? I can never remember! I’m not good with mechanical things.”
If your colleague said this, you wouldn’t allow them to be the last one to leave the office at night. Yet, too many of us don’t have the same security concerns when it comes to the digital world.
You’ve read news reports about hackers stealing passwords and credit card numbers. Everyone worries about protecting their information, but too few of us are proactive about it.
At the Nonprofit Technology Conference in April, I spoke on a panel moderated by Kivi where we shared our ten recommendations for new communications directors. One of the recommendations was to solidify your digital infrastructure.
Just as you would change the locks when moving into a new house, you should change your passwords everywhere. Every social media account, website account, hosting account, email account … everywhere. If you’re a buttoned-up organization with cybersecurity policies AND employees who follow them, then you may be in good shape.
But if you’re like a lot of organizations then you may encounter situations like these:
- Eight people have access to the website, and each has admin-level access. Two of them haven't worked there in months.
- Three people share a made-up Facebook profile to manage your organization’s page.
- The YouTube account connects to the personal email of an employee who quit a year ago.
- There’s a password “system” in place — the Facebook password is My0rg32FB, the Twitter password is My0rg32TW, the Instagram password is My0rg32IN …
My fellow nonprofiteers, we must stop the madness!
Cybersecurity is not solely the responsibility of our colleagues in IT. (Maybe your organization doesn’t even have an IT department.) As communications professionals, the responsibility is ours to make our accounts as secure as possible.
Don’t wonder, “Will we be hacked?” People are trying to hack you right now. It doesn’t matter how big you are or what your mission is. They want your accounts and a foothold on your computers. The question you should ask is, “WHEN will we be hacked?”
Let’s talk about the basic steps you need to do to answer confidently, “Not on my watch.”
Step 1
Install a password manager like 1Password, Dashlane, or LastPass. They all work essentially the same way and do two things for you.
First, they create a complex password for each account that you would never in a million years be able to remember. What you do have to remember is the master password to access the manager.
Second, they end the need to maintain passwords in a shared document. It doesn’t matter if it’s printed and hung on a wall or an online document. It’s a security risk and should never be done. Never. It’s the same as having a sign on your lawn that reads, “This home is protected by a security system. (The key code is 9799, and there’s a spare key around back behind the big rock.)”
Step 2
Identify and take control of every account. Every. Single. Account. You may be lucky and know what all the accounts are. Otherwise, you’ll have to do some detective work during which time you may discover a program team has gone rogue and started their own Facebook page. Or worse, an account was created by a former employee and you don’t know the password. It may take a lot of time and effort, but take control of Every. Single. Account.
Step 3
Change the password for Every. Single. Account. This isn’t you making up a password you can remember or one with some pattern that you think no one will ever crack. This is when you use your newly installed password manager from Step 1 to create a unique, nonsensical password, 36 characters long, made up of lower- and upper-case letters, numbers, and symbols. (A few sites cap password length or reject certain symbols; let the generator make the longest, most varied password the site will accept.) Again, you don’t have to worry about remembering it. That’s the password manager’s job. You come up with one password for the manager, and it takes care of the rest of your passwords. It will even enter the usernames and passwords for you.
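To show what a password manager actually does when you click “generate”, here is an added example (not from the original post or from any of the products named above). It draws every character from the operating system’s cryptographic random source via Python’s `secrets` module, guarantees at least one character from each of the four classes the step asks for, and reports how many bits of guessing work the result represents. The symbol set is my own choice and deliberately leaves out quotes, backslash and space, which some sites reject.

```python
import math
import secrets
import string

# The four character classes the step calls for.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
# Assumed symbol set: omits quote, backslash and space, which some sites refuse.
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 36) -> str:
    """Return a random password of `length` characters.

    Every pick comes from `secrets` (a CSPRNG), never from `random`.
    One character from each class is chosen first so the result always
    satisfies a site's "must contain a digit/symbol" rule; the rest are drawn
    from the whole alphabet, then the list is shuffled with the same CSPRNG so
    the forced picks do not sit at predictable positions.
    """
    if length < 4:
        raise ValueError("need at least one character per class")
    chars = [
        secrets.choice(LOWER),
        secrets.choice(UPPER),
        secrets.choice(DIGITS),
        secrets.choice(SYMBOLS),
    ]
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    # Fisher-Yates shuffle driven by the CSPRNG.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on the entropy of a uniformly random password:
    length * log2(alphabet size). Forcing one pick per class trims a
    fraction of a bit off this, which is negligible at these lengths."""
    return length * math.log2(alphabet_size)


def has_all_classes(pw: str) -> bool:
    """Check the guarantee generate_password() makes."""
    return (
        any(c in LOWER for c in pw)
        and any(c in UPPER for c in pw)
        and any(c in DIGITS for c in pw)
        and any(c in SYMBOLS for c in pw)
    )


if __name__ == "__main__":
    pw = generate_password()
    print(pw)
    print(f"{len(pw)} chars, about {entropy_bits(len(pw)):.0f} bits of entropy")
```

A 36-character password over this 90-symbol alphabet is worth roughly 234 bits, which is why the post can say you will never remember it and why nobody will guess it either. Compare that with the `My0rg32FB` / `My0rg32TW` “system” from the list above: once one of those leaks, the attacker only has to guess two letters to get the rest.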
Step 4
Turn on two-factor wherever possible. (Learn how two-factor authentication works.) Most accounts will encourage you to use an authenticator app like the one from Google. Once it’s turned on, you’ll be prompted to enter a code generated by the authenticator after you sign in. If someone unauthorized does manage to get the password, they still won’t be able to get in without the code. Prefer an authenticator app over codes sent by text message, and save the backup codes each site gives you in the password manager; without them, a lost phone locks you out of your own account.
Step 5
Change the email associated with the accounts to a centralized communications email that isn’t tied to a specific person. Employees come and go, but this comms account will live on. Never again will anyone silently scream as password recovery emails are sent into the ether. Remember that this mailbox can reset every other account, so it gets a manager-generated password and two-factor before anything else does.
Step 6
Figure out who needs access. Your handy new password manager has a team or business edition that lets you control which colleague can use which account’s password. You can even hide the passwords so they never see them: the manager fills them in, and nobody can copy them into a spreadsheet.
Controlling access is where you may experience pushback. Someone who can’t figure out how the lock on a door works wouldn’t be tolerated, but somehow it’s still acceptable for someone in 2018 to say they’re not good with computers as if it’s out of their hands and there’s nothing they can do about it.
They may be a terrific person, but they are a security risk. If they’re unwilling to use a password manager instead of a spreadsheet hanging on the wall, they don’t get access. How they choose to protect their personal accounts is their business, but protecting the organization’s accounts is yours.
We have policies in place to protect the physical safety of staff members, volunteers, and program recipients. We have to bring the same level of seriousness to cybersecurity.
If you’re an introverted person who doesn’t like confrontation, it may feel difficult to explain to someone they can’t have access, especially when the person may be your boss. Imagine that supporters are flocking to your site the day tickets go on sale for your big event. Only instead of seeing a ticket page, they see ads for pornography. Now imagine your executive director screaming to fix it as board members call and angrily ask what’s going on. Meanwhile, you’re trying to locate your developer to see if they can restore the site from a backup and how long that will take. What will you say to your supporters while this is happening?
You probably shuddered while imagining that scenario. Hold onto that feeling. I promise you.
No internal discussion about cybersecurity will ever be as awful as dealing with the consequences of not having the discussion.
Thomas Negron started his career in advertising before moving to the nonprofit sector as a fundraiser and communicator. He is the former Communications Director for Catskill Animal Sanctuary and is now a consultant while being a stay-at-home dog dad. You can find him here on LinkedIn.