
Good Enough Data Security for Small Organizations in the Age of Mega-Hacks


Baird Straughan, March 2021

At WaterGrass we aspire NOT to work in data security.  Our client organizations are relatively small, unlikely to attract persistent hackers.  For financial transactions, we use the secure connections of much bigger players – Salesforce, Click and Pledge, iATS.  We advise clients to keep credit card numbers and other sensitive information to a minimum.  It’s been thirteen years now, and so far, so good.

But our luck can’t hold.  Last year revealed the SolarWinds hack, an infection of software that’s used to build other software.  Its scope is so broad that six months later we still don’t know the extent of it.  SolarWinds was soon eclipsed by the recent Microsoft Exchange attack.  (If you use Microsoft Outlook, you probably use Exchange.)  The attack is believed to have originated from a Chinese government-related actor seeking pharmaceutical and government secrets, but the code was later leaked.  As I write this, cyber-criminals of all sizes are on a spree and it’s estimated that hundreds of thousands of computer servers have been infected.

My anxiety has me spending way too much time reading reports about security breaches.  So you don’t have to go down the same rabbit-hole, here’s the gist.

The majority of hacks: …

… are just opportunistic applications of already-known bugs to infect computers which haven’t been updated or protected.  There are plenty of those devices lying around, and hackers have automated bots that send emails and test websites in order to find any system with a hole in it.  (For instance, since this article went up, this website has been tested every night by a bot which tries the username “admin” and then 20 different passwords.  If the actors behind the bot test enough websites, they’ll surely get into some where the owners never bothered to change the username and have a common password.)
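The nightly "admin plus a list of passwords" bot described above is easy to spot if you look for it. Here is an added example (not code from the original post) that scans a constructed login log for exactly that pattern: many failures from one address against one account in a short window, and the more serious case where the same address then succeeds. The log format, addresses and account names are assumptions made up for the example.

```python
"""Spot the nightly "admin plus a list of passwords" bot in a login log.
Added example, not code from the original post. It assumes a constructed
application log where every login attempt is one line of the form
    <ISO-8601 time> auth <success|failure> user=<name> ip=<address>
Adapt LINE_RE to the format your own site or firewall actually writes."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse(lines):
    """Yield (timestamp, result, user, ip) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["result"], m["user"], m["ip"]

def detect_guessing(lines, threshold=10, window=timedelta(minutes=15)):
    """Alert once when one IP fails `threshold` times against one account
    inside `window`, and again if that same IP later succeeds (the case
    where the guessing worked and the password needs changing now)."""
    failures = defaultdict(list)   # (ip, user) -> recent failure times
    flagged, alerts = set(), []
    for ts, result, user, ip in parse(lines):
        key = (ip, user)
        if result == "failure":
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(f"guessing: {ip} failed {len(recent)}x on '{user}' within {window}")
        elif key in flagged:
            alerts.append(f"POSSIBLE COMPROMISE: {ip} logged in as '{user}' after repeated failures")
    return alerts

def sample_log():
    """Constructed log: one real user, then the bot trying 'admin' 20 times
    thirty seconds apart (addresses are from the RFC 5737 documentation range)."""
    lines = ["2021-04-02T01:58:10Z auth failure user=carl ip=198.51.100.7",
             "2021-04-02T01:58:41Z auth success user=carl ip=198.51.100.7"]
    start = datetime.fromisoformat("2021-04-02T02:13:07+00:00")
    for i in range(20):
        t = (start + timedelta(seconds=30 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{t} auth failure user=admin ip=203.0.113.5")
    return lines

if __name__ == "__main__":
    for alert in detect_guessing(sample_log()):
        print(alert)
```

Run nightly over the previous day's log; a "POSSIBLE COMPROMISE" line means the guessed account's password must be changed immediately, not just blocked.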

Ransomware is targeted largely at older infrastructure.

So far, the databases most likely to suffer ransomware attacks are older legacy systems that run from on-premises servers at organizations like hospitals, corporations or government entities with valuable data or financial assets, or that perform a critical service.  It’s notoriously hard to keep these systems up to date – sometimes they use legacy hardware that can’t be replaced and operating systems that can’t be updated.  So far, I haven’t read of an online database like Salesforce allowing a ransomware attack.  (Update as of 8 May 2021: Ransomware attacks are very rapidly moving “downstream,” in some cases attacking even single individuals with threats to share embarrassing data stolen from health provider databases.  However, I still haven’t heard of intrusions into Salesforce.)

Some of your personal information has probably been hacked and published.

Check out the site Have I Been Pwned to find out whether any of your email addresses has been shared along with other personal information on the web.  Most hacks of financial accounts (read “bank accounts”) occur because hackers get a huge list of email/password combinations and try them on the online portals for banks and financial institutions.  If hackers have your Yahoo password, and you use the same password for your bank account, your savings are in danger.  If you use that password on your work accounts, your organization is in danger.  (You can sign up to be alerted when your email is listed on a hacker website, so that you can immediately change passwords.)

You, human, are the weakest link.

Compared to machines, you are forgetful and flighty.  User error contributes to almost all hacks.  By far the most common errors are outdated operating systems, simple passwords, and clicking on a link in a phishing email.  The SolarWinds exploit arose after someone hacked and published an admin password (“SolarWinds123”) which had not been deactivated.  The DNCC emails were hacked in 2016 because Russian intelligence got a DNCC staffer to click on a link in a decoy email that had been written to look genuine.  As hacks evolve, more and more effort goes into “social engineering,” meaning the practice of customizing malicious emails to look believable and entice human users into a fatal click.  It will be very hard not to make a mistake.

Unencrypted text messages (SMS) to mobile devices are surprisingly unsafe.  

They can easily be captured by listening devices or even forwarded to other phone numbers without your knowledge.  It’s amazing that banks still use them to send confirmation codes.

We can’t stay ahead of the bad guys. 

An increasing number of hacking tools come from nations (like Russia or China or sometimes even our own NSA) or groups that work for hire.  These entities devote huge resources to finding “zero-day exploits,” which means that they actually invent previously unknown entry-points that even the manufacturer of the software itself doesn’t know.  For the SolarWinds intrusion, Microsoft estimates that at least a thousand programmers worked together on the malicious code.  There’s no practical defense against these zero-day exploits until they’re publicly discovered and a patch is developed.

So what can be done?  Luckily for most nonprofits, your system doesn’t need to be impregnable so long as your data isn’t sensitive.  It just has to be harder to hack than the data in it is perceived to be worth.

Take these steps:

Keep your hardware and software up to date.

If your Windows machine can’t run the latest version of Windows, or your Mac the latest version of iOS, then you’ll miss the updates.  Machines connected to the internet (i.e. virtually all of them) are exposed to malware.  The operating system’s owner (i.e. Apple, Microsoft, Google) has to update them quickly whenever new malware appears.  Using a machine running Windows 7 or OS6 and connecting to the internet is like entering a coronavirus ward without vaccination or a mask.  You should probably throw those old machines away – sigh.

Which means …

Install the $*@&% updates, religiously and promptly.  No excuses.  (Require this in your employee manual.)

Keep your data non-toxic.  

If you would not store a piece of information in an unlocked file cabinet, don’t save it in the database.  If you really must record credit card transactions, store at most the final 4 digits and the expiration date.

Create a unique new password for every online account. 

The biggest problem with passwords is that people use them on multiple accounts.  When one account is hacked, thieves try that password on other accounts.  So use a password safe like Bitwarden, a free product that allows you to easily invent and retrieve unique, secure passwords.  (At WaterGrass we use KeePass, an open-source version.)

Accept the PITA of Multi-Factor Authentication.  

MFA requires you to both enter a password and then (usually) to type in a code sent to your phone or (better) to insert a unique physical “key” into one of the computer ports.  Google employees have used physical keys for years, and report that none have fallen victim to a phishing attack – an amazing record, given Google’s size and value.  It’s not that no Google employee ever shared login information by mistake.  It’s that even after they did, hackers couldn’t get into the system without the physical key.
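Why the physical key holds up even after someone has handed over their password is worth seeing in code. The following is an added example, not code from the original post: a simplified model of the FIDO2/WebAuthn exchange between a security key, a browser and a server. The site names (mail.example.org and the look-alike mail-examp1e.org), the user and the password are constructed, and an HMAC keyed with a per-site secret stands in for the public-key signature a real key produces; the origin-binding logic is what matters.

```python
"""Why a physical security key stops phishing even after the password leaks.
Added example, not code from the original post: a simplified model of the
FIDO2/WebAuthn exchange. An HMAC keyed with a per-site secret stands in for
the public-key signature a real key produces (keeps it on the standard
library); the origin-binding logic, which is the point, is the same."""
import hashlib, hmac, os, secrets

class SecurityKey:
    """Authenticator: one master secret, a separate key for every site."""
    def __init__(self):
        self._master = os.urandom(32)
    def _site_key(self, rp_id):
        return hmac.new(self._master, rp_id.encode(), hashlib.sha256).digest()
    def register(self, rp_id):
        return self._site_key(rp_id)   # a real key would return a public key
    def sign(self, rp_id, challenge, origin):
        # The browser, not the web page, supplies rp_id and origin from the URL
        # it really loaded, so a look-alike site cannot lie about them.
        client_data = f"{origin}|{challenge.hex()}".encode()
        sig = hmac.new(self._site_key(rp_id), client_data, hashlib.sha256).digest()
        return client_data, sig

class Server:
    RP_ID, ORIGIN = "mail.example.org", "https://mail.example.org"  # constructed
    def __init__(self):
        self.users = {}   # username -> (password, verifier registered for RP_ID)
    def enroll(self, user, password, verifier):
        self.users[user] = (password, verifier)
    def login(self, user, password, challenge, client_data, sig):
        stored_pw, verifier = self.users[user]
        if password != stored_pw:
            return "bad password"
        origin, chal = client_data.decode().split("|")
        if origin != self.ORIGIN or chal != challenge.hex():
            return "origin mismatch"   # response was produced for another site
        expected = hmac.new(verifier, client_data, hashlib.sha256).digest()
        return "ok" if hmac.compare_digest(sig, expected) else "bad signature"

def demo():
    """Verdicts for a genuine login, a relayed phishing attempt, and the same
    attempt with the origin field rewritten by the attacker."""
    key, server = SecurityKey(), Server()
    server.enroll("alice", "correct horse", key.register(Server.RP_ID))
    ch = secrets.token_bytes(32)
    cd, sig = key.sign(Server.RP_ID, ch, Server.ORIGIN)
    genuine = server.login("alice", "correct horse", ch, cd, sig)
    # Phishing: alice typed her real password into mail-examp1e.org, which passes
    # the real challenge through, but the browser gives the key the look-alike's
    # own identifiers, so the response is bound to the wrong site.
    ch = secrets.token_bytes(32)
    cd, sig = key.sign("mail-examp1e.org", ch, "https://mail-examp1e.org")
    relayed = server.login("alice", "correct horse", ch, cd, sig)
    forged_cd = f"{Server.ORIGIN}|{ch.hex()}".encode()
    forged = server.login("alice", "correct horse", ch, forged_cd, sig)
    return genuine, relayed, forged
```

The password check passes in all three cases; only the genuine login passes the origin and signature checks, which is exactly the property an SMS or app code cannot give you, since a code can be typed into any site.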

Get a Virtual Private Network.

Especially if you share sensitive information over the internet.  They’re not expensive and they protect your communications even if you use public wifi at the airport or train station.  (Which you shouldn’t.  Use your phone as a hotspot instead.  Sigh.)

Make this Mandatory but as Easy as Possible for Your Employees.

In your employee manual, require employees to:

  1. Install software upgrades as soon as they are available.
  2. Use a different password for every account.

Then provide them with a password safe program and instruction in how to use it.

Rely on Big Players.

For data security, rely on the big players like Apple, Salesforce or Oracle.  So far, online databases have a better record than those with their servers on-premises, because they can centralize the security functions and enforce security rules.  Salesforce, one of the biggest providers of database services to nonprofits, will soon require users to move to Multi-Factor Authentication.  The WaterGrass database is built on Salesforce, so all of our clients will be making that change too.  And we’ll be changing with them.

Ah, the world we live in.

WaterGrass & UNH Paul School Partner to Extract Lessons from Fundraising and Volunteer Data


Great news!

It’s been 12 years since we founded WaterGrass, and along the way we’ve gathered some 200 organization/years of anonymized data on donor and volunteer behavior. There’s surely a lot to learn in it, but we’ve been too busy developing new features to really dig as we’d like to.

Now Dr. Phani Kidampi of the University of New Hampshire and the graduate students in the UNH Business School’s Data Sciences capstone program will bring their skills from the corporate sector to bear on our data.

This is a wonderful chance for some rigorous, cutting-edge analysis of granular data about donations and volunteering. Our data extends back an average of 7 years for our organizations, and the total data set comprises some half a million anonymized donations and contributions of volunteer hours.

From previous analysis we’ve learned things like:

  • Organizations with formal membership programs raise more per donor than organizations which don’t.
  • The median donor gives to our clients a little less frequently than once a year. (Good reason to ask for donations more often.)

If you’ve got questions you think we should investigate, let us know! For instance, “How did COVID and the turmoil of 2020 affect fundraising?” That’s one we’re sure to look at.

The project will last through the second semester, and in May or June the masters students will present their results, which we’ll be sharing broadly, on this blog and elsewhere. Weigh in with your ideas, and we’ll invite you to the final presentation!

Baird


For Valentine’s Day Let’s Celebrate … Data Mavens!

Every organization needs one - that person who keeps the data straight, ferrets out duplicate records, nags you to update the addresses you've kept in your rolodex and Excel spreadsheets - you know who I’m talking about … the Data Maven!

At WaterGrass we’ve worked with lots of them.  Picky picky picky.  

But so vital vital vital.

It’s time they were celebrated.

Nobody wants to be the data maven.  It’s an anxiety-provoking, devil-in-the-details job, constantly trying to maintain order against the natural entropy of information and the pressure of other things that need doing.  It would be so much easier for them to just ignore the little mistakes, but … at some point they suffer one time too many from bad addresses in a mailing list or donations attributed to the wrong family and they can’t stand it.  So they take up the burden for the whole organization.

Usually they feel a little guilty about it.  Often they’ll apologize for being so exacting when they ask us for corrections.  They worry about irritating their colleagues.  It wears on them.  It's a hard role to play.

They need allies.

We’ve seen too many organizations where a data maven leaves and no one takes his or her place.  Soon, the remaining staff can’t get good reports or mailing lists.  Then they distrust the database.  They begin to keep important information in spreadsheets of their own.  Eventually fundraising can suffer, sometimes catastrophically.

So let’s use this Valentine’s Day to spread some love to people who don't get honored enough.  Let's celebrate ...

Maventine’s Day!

To kick it off, here’s a poem for all the data mavens out there:

We know “Read” isn’t “Red.”

We know “Green” isn’t “Greene.”

You make us write out organization names fully without contractions

So our data is clean!

We hope you and your organization have your own data maven to celebrate.

Baird & Carl

 

Note: WaterGrass poetry is provided on an as-is, use-at-your-own-risk basis. 

Resilient During the Pandemic: A Snapshot of Giving to Watershed Groups

At WaterGrass, we provide fundraising and volunteer management tools to small and growing nonprofits, and our users allow us to review their data for insights (we keep everyone anonymous).  Last year was tumultuous and we were a little apprehensive about how our users fared.  Now that the 2020 end-of-year fundraising is past, we selected ten well-established river and watershed groups among our users and crunched the numbers.

For the ten groups we looked at …

…overall individual contributions increased from 2019 to 2020.

Charitable giving in the US has generally increased during the pandemic, and that was reflected for our users.

Total individual giving (donations, membership, major donations) for these ten organizations has held relatively steady over the last six years. Between 2019 and 2020 donations and memberships rose, while major donor gifts increased by about 150%.  Donations were up about 7% whereas memberships were up about 10%.  Our clients reported that their rivers and trails saw more users than ever before, which may have translated into more support.

…event income declined.

Overall, the only decline for our groups was event income, which fell 67% (see above chart).  That’s not surprising given the inability to hold in-person events during most of 2020.  The drop was not as bad as it might have been, though, due to some creative programming.  Annual meetings, silent auctions, and Wild and Scenic Film Festivals went on virtually, and groups partnered with restaurants and local breweries to provide take-home refreshments as a celebration.  The innovation was impressive and no doubt kept event income at meaningful levels.

…the shift to online giving accelerated.

Over the six-year period we examined, online giving increased more than 10-fold, while direct donations (checks, cash, and other donations that didn’t come in through a payment website) grew 60%.  In 2020, our organizations received nearly a quarter of their individual revenue online.  That’s a conservative estimate, since not all groups clearly delineated gifts that came in online.

…volunteer hours fell.

Volunteering is an important part of the work of river and watershed groups.  Volunteers power river cleanups, water quality monitoring, and other activities.  Volunteering as measured by hours donated has been relatively strong, and our data shows a generally upward trend over the six-year period we examined.  This trend may partly reflect more thorough tracking of volunteer hours; WaterGrass has recently rolled out several new features that make tracking easier.

What seems clear, however, is the dramatic drop of volunteer time recorded for 2020.  Reported hours dropped from over 22,000 hours to just about 8,000, another decline of nearly ⅔, or 63%.  That’s surely due in part to the cancellation of in-person events due to COVID.  Many of our groups replaced them with socially-distanced volunteering initiatives, but were generally not able to track hours for those.  As a result it’s difficult to know the full scope of volunteerism in 2020.

This is, obviously, a quick snapshot, but it suggests that individual giving for these ten groups continues to be resilient, even in the face of a global pandemic.  Later in the year, we’ll present an in-depth analysis of the full set of WaterGrass data.

Carl Paulsen, WaterGrass

UNH Masters Students to Analyze WaterGrass Data for Best Practices


Great news!

One of WaterGrass’ goals has been to analyze our anonymized, aggregate data in order to learn about trends and best practices for individual fundraising.

From our analysis we’ve learned things like:

  • Organizations with formal membership programs raise more per donor than organizations which don’t.
  • The median donor gives to WaterGrass a little less frequently than once a year.  (Good reason to ask for donations more often.)

But recently we’ve been too busy developing new features to really dig into the data, and so we’re delighted to announce that Dr. Phani Kidampi of the University of New Hampshire and his data science graduate students are interested.  As their capstone program, the four students will analyze the anonymized, aggregated records of individual donations (not grants or fees) of WaterGrass groups for which we have 3+ years of records.

They’re particularly interested in seeing whether they can do “predictive modeling” – for instance, what can a volunteer’s past history tell you about the likelihood they’ll donate? Large marketers have used modeling like this for a while, and it will be fascinating to see what it yields for our nonprofits.

This is a wonderful chance for some rigorous analysis of granular data about donations and volunteering.  Our data extends back an average of 7 years for our organizations, and the total data set comprises some quarter of a million donations and contributions of volunteer hours.

If you’ve got questions you think we should investigate, let us know!  For instance, “How did COVID and the turmoil of 2020 affect fundraising?”  That’s one we’re sure to look at.

The project will last through the second semester, and in May or June the masters students will present their results, which we’ll be sharing broadly, on this blog and elsewhere.

Baird Straughan