Security for Nonprofit Activists

 I’m from the Midwest, and there we expect that most people – like all Minnesotans – are nice. Truth be told, I’d rather not think about people who want to do me or my trusted allies, friends and activists harm. Yet if the end of 2016 has taught me anything – it’s a) keep fighting and b) forget about Pollyanna and protect ourselves and c) don’t live in fear.
Or, in other words, now is the time to get off the couch and get out into the world. But lock the door on your way out.
Overwhelmed with where to start? Here are five practical things to do today.
1) Turn on Two-Factor Authentication, on all the Things.
In simplest terms, this is like getting cash out of an ATM and needing both the card and the pin. Most software as a service programs have some version of this now. If you’re a google apps user, this is the first start. If you are the Google Accounts administrator, you can turn this on for all your users via the admin console to then opt-into as a policy for your colleagues.
Salesforce has been a leader in two-factor authentication. If you’re a user you’ve probably already experienced the helpful (hmm, often frustrating) need to verify logins on new internet connections. If you haven’t turned it on yet, now’s the time. Here’s how.
2) Enable the “Find my Phone” Settings for your iPhone / Google’s Android Device Manager
For Mac users, make sure that all your devices are registered on iCloud – so that you can remotely lock, find or erase them if necessary. This is especially important if you’re using the two-factor authentication above, while SMS in general is still vulnerable this will offer another layer of security.
For PC users the software depends on the device – Lenvovo has software that will enable a remote lock via an SMS code.
Android Phone users should register with Google’s Android Device Manager and download a more secure remote locking App – check out trendblog’s detailed recommendations.
3) Do a Salesforce Security “Health Check”
I recently discovered this new out-of-the box feature via Salesforce to scan the security settings of your Salesforce org and discover what needs tightening.  Be careful of some of the settings – “Lock Domain into Originating Session” might affect integrated apps, and it may be easier to create a permission set for “password never expires” for some of your integrations that would more easily cause a security risk long-term if you are changing (and writing down and losing) the passwords every 90 days.


4) Check Yourself and your Colleagues for  “Phishing-Readiness”
I admit it, I recently clicked on a fishy link from my son’s baseball coach, even though I knew it was suspect, because I thought well, maybe it wasn’t – okay, really I just wasn’t thinking and was checking quickly on my phone.
Check yourself, again and again, to not click on those funky links. Especially if it says invoice, payment, thanks, bonus, anything exciting.
I remember an account executive telling me about his on-boarding at a large software company. He spent a full week learning about phishing threats, and then actually got tested via LinkedIn requests and other “review” emails to see if he would bite (he did, and had a follow-up conversation with his manager). Check yourself, and remind your colleagues before they click.
5) Get Savvy on your Personal Security
Idealware recently had a great webinar on security for nonprofits, co-sponsored by Fission Strategy. It’s worth watching the whole thing here. One of my key takeaways is that we as activists must take actions to protect our personal information out in the world. In addition to Fission, Community Red is taking the lead on helping activist and activist organizations protect themselves, and has some great consulting in addition to Resource Links about how to limit the personal information out there on you in the world.
Still Reading? Idealware has a great collection of security resources for nonprofits and activists.

Megan Himan has over fifteen years experience in the nonprofit sector and over ten years working on the Salesforce platform. She has a unique combination of deep technical skills paired with an ability to strategically convene groups, coach executives and leadership through transitions, and execute on project deliverables. She is Founder & Principal of BrightStep Partners - solutions with strategy for Salesforce success. In September 2017, she was named a Salesforce MVP.

Posted in Implementation Success
One comment on “Security for Nonprofit Activists
  1. K says:

    Excellent article, Megan, and I’m going to share this with my staff. I’m glad I’m doing a few of the practices you outline here, but certainly not all. Thanks to you, I’m learning how to be less vulnerable when it comes to internet security.

    Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Our (New!) Blog Site
Visit our new Blog location!

Visit our new Blog location!

Our Consulting Site
Follow BrightStep Partners on
%d bloggers like this: