New Trends in Fundraising Outreach for 2022

Posted on November 15, 2022 | November 17, 2022 | Categories: Uncategorized

At WaterGrass, we try to stay close to our client organizations, especially at the end of the year, when they bring in a disproportionate amount of support from their communities. We enjoy learning with them what works and what doesn’t, and sharing their lessons with others.

For the past five years, Carl has run an End-of-Year Appeal series for WaterGrass organizations.  This year, he was surprised when:

  • Fundraising goals for the EOY campaign jumped substantially;
  • Groups employed a greater range of techniques to reach out.

The change is striking enough to share what we’re seeing.  Here are five takeaways:

Giving Tuesday is serving as an “anchor” for the start of End-of-Year campaigns.

Lis Heras, Development Coordinator at Friends of the Rappahannock, is one who has used Giving Tuesday with success. She shared a printed piece she used to inform board members and others about their fundraising options, and recorded a short video for us:

More are using “peer to peer” campaigns

Melanie Cheney writes, “When it comes to P2P giving, we’ve heavily focused on Facebook Fundraisers and have seen great success doing them in the past, and we’ve encouraged others to create one as it is a super easy P2P giving option.”

“I often have prioritized it in this way when asking people to consider hosting a P2P:

  1. You can host a Facebook Fundraiser centered around Giving Tuesday (or anytime really).
  2. Create a Peer-to-Peer Fundraiser on CoMoGives during the entire month of December! (See below.)
  3. There are more ways to support your favorite non-profit than donating money.  You can share emails, Facebook posts & Fundraisers with your friends, telling them why you support Missouri River Relief!  You can also make a pledge of action here, on the webpage.”

One of the downsides of Facebook is that it doesn’t share your donors’ emails with you, so you can’t reach them directly.  Melanie says, “If we don’t already have their contact info, we reach out to them through Facebook and ask for it. Sometimes it works, sometimes it doesn’t.”

Organizations make the process of donating easier by including QR codes in their printed materials.

Allie Schneider says, “I heard about the idea of including QR codes on fundraising materials and thought I’d try it to see if our donors responded to it. I tracked engagement by creating two campaigns in Click & Pledge. One was embedded on our main donation landing page, accessible by a button on our homepage of the website. The second was embedded on a ‘hidden’ page that wasn’t linked anywhere. It was only accessible by typing in the exact url (which we didn’t promote) or using the QR code. This helped keep the two methods separate.”

“We’ve discovered we have minimal engagement with our QR codes. People seem to prefer to donate by credit card by going directly to our website. HRWC will continue to include QR codes for a few reasons. It’s a low-cost way to offer additional donation methods, it’s new so we’d like to give our donors a chance to become familiar with donating to HRWC via QR codes, and as a safety precaution, HRWC no longer accepts credit card donations by mail so we are going to include QR codes on our mailings so donors still have a credit option.”

Some groups choose to fundraise through aggregators (like United Way) rather than process donations themselves.

Lisa Cole from Missouri River Relief is trying out a donation aggregator site offered by the Community Foundation of Central Missouri. 

She explains that “it’s part and parcel of this larger effort in which we participate, and that makes it easier than offering one, directly, ourselves.   Last year we had a significant struggle, to be honest, getting people—even our board—to participate in it. But for other local organizations, it seems to be as powerful as the industry best practices indicate.  I’ve invited our board to offer one this year.  Last one actually did (in addition to myself and another staff member).”

Heavier use of videos to highlight the resources you’re protecting.

The Eagle River Watershed Council in Colorado has to compete with many high-profile nonprofits in the area, so their Development and Communications Manager Melanie Smith used the pandemic lull to develop more professional-looking materials, including their letters, website, and videos.

“In 2020 everyone was isolated and online.  We had a budget for outreach, so we developed a new website and a “foundational video” to let the river tell its own story,” Melanie says.

“Last year we developed a flexible tag line:  “This place is home.  Help us protect it.”  Or “This place is wild.  Help us protect it.”  So we had a lot of B-roll left over from the original video, and from it we created shorter videos for each one of those tag lines.  We broadcast them however we could, even including them on donation pages if it didn’t slow the load time too badly.  We did social media ads, and linked it into the signature of our emails.”

“And we saw an unanticipated growth in donations,” she reports, although she’s not sure that it can all be attributed to the new materials.

You’ll find a copy of the video Melanie mentions here. Check out the Eagle River Watershed Council’s full YouTube Channel, where you’ll even find a video of a spoken-word poem.

What new techniques did YOUR organization use in this year’s year-end appeal?  What can other organizations learn from YOUR fundraising this year?  Add your comments below!


What Did COVID Teach Your Volunteer Programs?

Posted on May 2, 2022 | Categories: Uncategorized

COVID served as a sort of stress test for many volunteer programs. Could they survive without in-person activities? Could you adapt them to the new circumstances?  

Most important – Were there changes you made that you’re adopting permanently?

At WaterGrass we convened a discussion on the topic.  (WaterGrass is an organizational database that, among other things, manages volunteer activities, so we have the raw data on volunteering.) Jason Frenzel from the Huron River Watershed Council and several other volunteer managers shared their experiences and insights from the last two years.

This was a preliminary discussion – a more extended one will take place at River Rally in June – but some fascinating insights arose.  If you or your organization manages volunteers, I’d love you to post your comments.

  1. Organizations that had already begun managing volunteers through online portals or even delivering programs online saw a much smaller drop in their volunteer hours.
  2. Some groups reported changes in their participant demographics. In particular, low income populations were less represented.
  3. Some urban groups pivoted to provide other needed services to marginalized populations, beyond their standard education and recreational activities.
  4. Trails and waterways attracted more use and highlighted the importance of these organizations in their missions. Few of them capitalized on that to raise funds or garner new volunteers.
  5. Volunteers were eager to find activities during the pandemic, and hungry for anything offered.

One organization reported that when it closed its volunteer programs it also lost the ability to stay in contact with and cultivate new volunteer leaders, on whom it depends to lead many of its large activities. The impact of this will be felt in the coming years.

Volunteer programs were forced to adopt digital strategies when they couldn’t convene face-to-face activities; many of them discovered things that they would now continue to do online instead of in person.

What was your experience?  What changes did you make in your volunteer programs? Which will you keep? Please post your comment below.

And if you’re interested in the WaterGrass database as a tool for managing volunteers and donors, give me a shout!


Issues campaigns for non-advocacy organizations

Posted on March 16, 2022 | Categories: Uncategorized

Many conservation organizations shy away from advocating on issues because they work closely with local governments or state agencies and don’t want to antagonize them.

But advocacy can also lead to growth.  For example, over the last 20 years organizations in the Waterkeepers Alliance – which advocate and also take legal action against polluters – have grown much faster than typical watershed associations, which are usually focused on water quality monitoring and public education but avoid controversy.

Even neutral organizations that provide technical expertise should take advantage of hot issues in order to highlight the importance of their work.

For example, the Superior Rivers Association provides water quality data to local tribes and municipalities. It sees itself as a technical organization.  But when a huge taconite mine was proposed for their headwaters, the organization hosted informational public meetings and used those to recruit new water quality monitors to help establish a baseline and track the water quality in the case that such a mine were built.  They increased donations, and the number of trained water quality monitors rose by 50%.

They never took a stand on the taconite mine proposal itself.  But they did come out against loosening water quality regulations that stood in the mine’s way, because as a technical organization they valued sound science.

Critical issues like proposed mines are an opportunity to highlight the importance of your conservation organization, whether it’s advocacy-oriented, technical or academic.

Online outreach on hot issues lets you reach even more individuals.  Originally used only by national groups, today it is ubiquitous among statewide organizations. Local conservation groups should be adopting it now too, because it’s local issues that people feel strongest about.

If you’re curious about online advocacy tools, be sure to join us for Kathleen Tyner’s presentation about online advocacy at the West Virginia Rivers Coalition.  She has tried out three tools so far, with great success.  And she has some clear recommendations even for small groups.  (Her presentation is Wednesday, the 23rd of March, at 1:00 PM Eastern.  You can sign up here.)

Volunteering at Scale

Posted on February 7, 2022 | May 2, 2022 | Categories: Uncategorized

Baird Straughan, 7 Feb 2022

We started WaterGrass to help organizations manage growing volunteer programs with limited staff, and the Milwaukee Riverkeeper has achieved that in spades.  Along the way, they illustrate some basic principles of large-scale volunteer programs, and illuminate a new challenge for us.

In our webinar How One Organizer Led 218 Events with 2780 Participants in a COVID Year*, Allie Mendez described the Milwaukee River’s Adopt-A-River program, how it has grown and how MRK automated it through the WaterGrass database.

Some features that made this program a success are:

  • The software automated every step.  As the programmer, I thought that some of MRK’s requests were over the top.  Surely any volunteer organizer with just a little database knowledge could handle some of the procedures manually.  But the result is that Allie doesn’t have to think about the database at the same time she’s managing people.  The bigger the program, the more important ease of use becomes.
  • The program intentionally filters for people who are likely to succeed.  It selects for volunteer leaders who are comfortable with automation.  As Allie said, “We primarily communicate with email, so we know that if people can’t keep up with [the emails in our signup process], then they probably aren’t a good fit for the program.”
  • Allie also introduced a change to the registration process to allow prospective site leaders to take time before they committed to the program.  “Before the pandemic we had in-person orientation,” Allie said, “and people would sign the Adopter Contract forms the day of and we would get them into our system right away.  But turning it virtual has actually helped us retain our volunteers better because we give them a chance to think about it [before they commit].  This is essentially round two of our weeding out.  With training being virtual now, people need to make sure that they fill out those forms and return them on their own time.  This cuts down on our work by making sure that people are really interested and committed.”
  • Because the process is uniform, Milwaukee Riverkeeper can measure results, make adjustments and learn. Otherwise, for example, they wouldn’t be sure that their volunteer retention had really improved.

The challenge is that automated processes sacrifice personal contact with the participants.  This can have a real impact on the program, because it’s harder for the organizer to get to know those up-and-coming leaders who will be the next generation of cleanup site captains.  Without food and camaraderie, it’s hard to create a bond.  And while this process is very efficient, there are a lot of people that it misses because they aren’t comfortable online.  Those are challenges for the next iteration.

How would YOU approach this challenge? (Please add your comments below.)

In theory, CRM systems like Salesforce (upon which WaterGrass is built) help build relationships because you can automatically tailor your marketing to each person. Generally, that means sending a pre-written series of messages via different channels (email, text, Twitter, etc.) automatically, with certain logic branches depending upon the recipient’s response.

But that’s not quite building a relationship. Eventually the recipient realizes they’re getting automated responses that lead to a pre-defined conclusion, rather than a personal give-and-take.

Here are my ideas. I can envision using a couple automatic message “paths” to test whether volunteers want to become the kind of leaders you need. If they answer “Yes,” then they’re probably expecting a response from a human. I’d suggest a phone call within a day or two to discuss whether they’re a good fit for the program.

That takes time, which means you need to employ Allie’s principle of filtering potential leaders down to a manageable number. Your pre-written messages need to appeal narrowly (or broadly) enough to attract the right number of candidates. And it means focussing only on volunteer programs you’ve decided to invest in, because otherwise you won’t have time to develop the potential leaders who respond.

What are your ideas about blending automation and personal outreach to volunteers?

* Allie updated the numbers for the title.

Know Your Database Culture

Posted on July 8, 2021 | Categories: Uncategorized

Installment #1 of the Nine Database Best Practices.


Databases provide us with the tools to make our jobs with nonprofits easier.  Or at least that’s what they SHOULD do.  The trouble is, a database is like any other tool; it works best when in the hands of a skilled craftsman.  In the hands of someone who doesn’t know what they are doing it can make a mess.

There are a lot of things to learn in order to become a database craftsman, or what we like to call a database maven.  Nothing will replace strong support services for learning how to use a database, and that’s probably the single most important benefit of the WaterGrass database – our unlimited support model.  But there are some basic principles that can help keep you out of trouble and on the way to success.  We at WaterGrass have put together a list of 9 best practices we encourage all our clients to follow.

Let’s start with the human element.

Your first step on the way to database bliss is to assess and recognize the database culture in your organization.  What do we mean by “database culture?”  For example,

  • Do staff love the database or run in fear every time your director asks for a report?  
  • Do you have rules for how to enter data into your database?  Are they followed?
  • Do data get entered regularly or whenever staff happen to have the time? 
  • Who is responsible for making sure the data is accurate?  Everyone?  No one?
  • When a new program begins, do the staff incorporate it into the database, or do they just open a new spreadsheet?

We see groups go through a transition that we like to group into 5 levels of database sophistication.  These range from the reluctant staff with no expertise to those groups that know how to fully embrace databases and put them to use to grow their organization.

[Figure: Data Culture Spectrum]

Where do you think your organization lies?  Is yours an organization with one lone advocate who understands the importance of databases or are you an organization where a number of people use the database, but only some use it well?  Even if your Executive Director would like everyone to use the database regularly, will your program staffers comply?  Or will they continue to run their projects from spreadsheets?

If you can move your organization along this spectrum, your database WILL make your lives easier.  But you first have to understand where your organization lies and then make a commitment to improve.

Discuss your database culture with your colleagues.  This exercise will help you avoid choosing overly ambitious projects which lead to frustration, and to identify next steps which build success. (In the corporate world, more than half of new database initiatives fail – usually because they didn’t fit the corporation.  In the nonprofit world, we have fewer resources and less ability to enforce new rules, so it’s even more important to choose wisely.)

Consider where you stand in your database journey and think about where you’d like to be and how to get there.  Think about it like a long-term campaign.  Who are your allies?  Do you need a database advocate?  Have one but need broader adoption among staff?  What would help that transition along?  Perhaps you need some regular meetings to ensure you stay on track, and to celebrate your meaningful progress.  Perhaps you want to design reports that would demonstrate the value of the database to the larger staff?  Or do you need web-based donation and signup systems, or dashboards showing fundraising or volunteer progress?

Then consider which of the practices in our upcoming blogs you can actually implement.  You don’t have to adopt them all immediately (though you should strive for that over time).  For now, pick one practice that:

  • suits your organization;
  • will generate benefits quickly;
  • and is within your capacity.

Implement it fully.  Hold off on others until it becomes second nature.  As you make progress on this one practice, be sure to talk about it in your organization.  Show your progress and how it has helped with your job.  This one step will help you move along the spectrum.

But make no mistake, evaluating your database culture is one of the 9 best database practices!


Finding Your Database Maven

Posted on June 8, 2021 | Categories: Uncategorized

Baird and Carl with thanks to the many mavens we have learned from. 

At WaterGrass, we’ve watched a lot of organizations grow.  The successful ones maintain consistency in their database and get really good at using the data to generate donations and engagement from their supporters. They can do that because their data is entered uniformly and accurately.  And the person to thank for that is their data expert … their connoisseur of data … their data maven.

We work closely with data mavens.  Over time, we’ve realized how hard the job is and what a unique set of skills and predispositions are needed.  

The job of maintaining the database can be thankless and stressful.  Many organizations have at least some staff members who don’t enter information promptly, or accurately, or at all. Sometimes those staff members are the organization’s executives or program staff, and some of them may even think that maintaining the database is not the organization’s “real work.”

Data mavens often have to “manage up” to change the culture of the organization so that colleagues share the responsibility for accuracy and the vision of how the database will streamline their work.  This is a cultural transformation that can take years.  Large corporations fail at their database initiatives more than half the time, usually because staff won’t adopt the changes.  In nonprofits, it’s harder.  It involves planning, cajoling, rewarding, setting rules, holding people accountable, listening and rethinking.

Here’s how we would interview for a staff position that’s in charge of the organizational database:

Do they dislike ambiguity in data?  

How to test: Give the job applicant a data entry task.  Mixed in the data include variability – like using both the state abbreviation and the state name in addresses, or “Department of Environmental Protection” on one record and “Dept Env Protection” on another. (Experienced mavens usually opt for writing names out fully.)  Insert misspellings. Include some contributions with a category of “membership” and some with a category of “mmbr.”  Tell them there may be some variations in the data, and to handle it as they best see fit.

Good applicants will tend strongly toward making data entries uniform.  They will want to know whether “Dept Env Protection” is really the same as “Department of Environmental Protection” and if it is whether they shouldn’t be the same.  They may opt to make the data uniform themselves and then confirm with you that they did it correctly.  They will get into the details.  You are looking for someone who takes initiative to make data accurate, and who does so quickly, but also wants feedback so they don’t make mistakes.

Are they patient while they communicate the need for clarity and accuracy?

Mavens have to manage their own feelings – because the inaccuracies that drive them crazy may seem unimportant to other people.  They may hear themselves referred to as “picky” or “perfectionist.”  It’s stressful to have a role that requires enforcing rules on the unwilling, and they have to manage their own frustrations as they deal with others.

How to test: Give them a data task with confusing or contradictory instructions  – that is, they cannot complete the task well without corrections to the instructions.  Let them know that it may need some modifications.  Your ideal candidate will look over the instructions carefully and reread them to make sure they haven’t simply misunderstood.  Then they will come to you for clarification, probably referring specifically to the part of the instruction that they didn’t understand and potentially explaining to you why the clarifications are needed.  Agree with them on a solution so they can complete the task to your satisfaction.

Are they interested in the data’s meaning?

When faced with a report or a chart generated from data, mavens understand that it tells a story and will ask questions like:

  • Does this fit your expectations?
  • Is the data it’s based on accurate?
  • Are you measuring the right thing?
  • If this is accurate, what does it mean?

How to test:  Share a trend chart generated from your own database that shows an unexpected rise or drop.  Perhaps it’s a chart of your membership numbers over the years, and there’s a sudden jump last year you can’t explain.  Ask the maven how they would help you figure out what’s happening.  Good candidates will diplomatically note that you already have issues with inconsistency.  They will usually want to see the data itself, or indicate that if they were to take the job they would want to see it.  They will ask what might have changed to cause the increase.  Above all, they will be intrigued.

Are they committed to your mission?

This is the secret sauce.  The best data mavens care deeply about the organization’s mission; they are often firmly rooted in the community or place that they live.  If they worked in the private sector, they would probably earn more and have an easier time imposing rules for data entry on their colleagues.  But they stay in their jobs because of what the organization does.

How to test: Invite them to one of your organization’s in-person activities.  See whether they come, whether the activity energizes them, and how they fit into the culture.  If they’re from a culture or race that’s not well-represented in your organization, take specific steps to make sure the event is welcoming.

Do the problems with your data make them wonder about your organization?

The glitches in the exercises outlined above will disturb someone who cares about accuracy. 

How to test for it: At the end of the interview, ask their impression.  After they’ve answered, explain that the inaccuracies, misspellings, and bad instructions were actually intentional.  Say you’re testing not just for ability to use the database but about how the applicant would work with others to improve data and turn the database into a tool that everyone uses.  You know the data will always have inaccuracies, and the job requires patience and tenacity in working with colleagues.  The right candidate will be relieved to hear your explanation, and possibly excited that you understand the human dimensions of the job.

In sum, data mavens have a special set of personal qualities as well as the skills to work within the organization and the commitment to stay with you over years.  Finding the right person can greatly smooth your operations and set your organization up for long-term growth.

Are Online Volunteer Waivers Legally Valid?

Posted on April 30, 2021 | September 15, 2022 | Categories: Uncategorized

Baird Straughan, April 2021

Online waivers speed up event registration, reduce paperwork, and liberate organizers so they can concentrate on the event itself and the people attending.  Nevertheless, some of our client organizations worry that if an accident occurred, courts wouldn’t respect a waiver that’s not on paper.  What’s the truth?

Short answer: At present, an electronic waiver is legally as good as a written waiver in U.S. courts, so long as it’s properly constructed.

The federal “E-SIGN” statute from 2000 legalizes the use of electronic and online waivers, and courts have respected this principle.  It states that a 

. . . signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation. 

Doyice Cotten of Sportwaiver has “found no cases in which a waiver has failed simply because it was not a paper waiver.  They do fail on occasion, but for the same reason that paper waivers fail – poorly written or against public policy.”

Courts have rejected arguments that waivers are insufficient because they are signed online.  For example, in a Colorado case (Berenson v. USA Hockey, Inc. (2013)) a person sued arguing the online waiver did not provide sufficient proof of the agreement (plaintiff argued the online waiver didn’t prove she had signed it).  The courts ruled in favor of the defendant, USA Hockey, upholding the online waiver.

Different states handle liability differently, so your nonprofit should get advice from an attorney versed in your state’s laws to make sure your waiver has the right components.  Many of our clients find law firms who advise them pro-bono.

From our experience constructing online waivers in WaterGrass, we’ve built a list of some basic rules electronic waivers should follow:

  1. The waiver should be “click-wrapped,” meaning that the participant can’t complete the electronic signup without completing the waiver first.  In some court cases plaintiffs have alleged that they signed up for the activity but never saw the waiver.  The defendant organizations were able to show that the waiver’s programming made it impossible to sign up without clicking on the “I agree to the terms and conditions” button.  (WaterGrass waivers are constructed this way – if the event requires a waiver, then a registrant has to agree to it before they can register.  WaterGrass also stores which waiver the participant agreed to.)
  2. The waiver establishes that the registrant is a volunteer – meaning that they expect no payment or benefits, and they know they are not eligible for compensation in the case of an accident.  (If participants are remunerated, they qualify as employees, and generally have a right to coverage.)
  3. It contains a listing of potential hazards they may be exposed to if they choose to participate, and explicitly mentions negligence as a waived condition.
  4. It establishes that they sign the waiver of their own free will.
  5. … that they assume all risks and agree to “hold harmless” the organization in the case of an accident.
  6. … and that they agree to “indemnify” the organization for expenses incurred as a result of their participation.  (I.e., hospital costs if there’s an accident.)

Those are some of the conditions that protect your organization from unexpected financial claims.

There are optional best practices as well:

  1. The waiver may include a release of rights to photos or videos made by the organization that include the volunteer.  Volunteer events are some of the most “photogenic” opportunities you’ll get to showcase your people and your mission, so get permission to use the photos you take.
  2. The registration page should display the waiver’s title prominently within the registration form,  identifying it as a “Release” or “Waiver of Liability.”  In some judgments, courts have cited the prominence of the title as an additional reason to find the waiver valid.
  3. The form should display the full waiver text on the screen, rather than within an abbreviated window with a scroll bar.  In this way, you require the participant to at least page through the whole length of the waiver before they can sign.  They may not read it, but they won’t be able to say they didn’t see it.
  4. The waiver form should give the volunteer both the chance to accept and to reject it. If they reject it, a pop-up informs them that they can’t participate without signing the waiver, and invites them to join a different activity.  (Thanks to Milwaukee Riverkeeper for the last two suggestions.)

As a starting point for your waivers, there are plenty of templates online.  But states have different terms of art and different requirements, so you should always check out your final version with an attorney who knows local laws.

Happy organizing!


Good Enough Data Security for Small Organizations in the Age of Mega-Hacks

Posted on March 30, 2021 | May 7, 2021 | Categories: Uncategorized

Baird Straughan, March 2021

At WaterGrass we aspire NOT to work in data security.  Our client organizations are relatively small, unlikely to attract persistent hackers.  For financial transactions, we use the secure connections of much bigger players – Salesforce, Click and Pledge, iATS.  We advise clients to keep credit card numbers and other sensitive information to a minimum.  It’s been thirteen years now, and so far, so good.

But our luck can’t hold.  Last year revealed the SolarWinds hack, an infection of software that’s used to build other software.  Its scope is so broad that six months later we still don’t know the extent of it.  SolarWinds was soon eclipsed by the recent Microsoft Exchange attack.  (If you use Microsoft Outlook, you probably use Exchange.)  The attack is believed to have originated from a Chinese government-related actor seeking pharmaceutical and government secrets, but the code was later leaked.  As I write this, cyber-criminals of all sizes are on a spree and it’s estimated that hundreds of thousands of computer servers have been infected.

My anxiety has me spending way too much time reading reports about security breaches.  So you don’t have to go down the same rabbit-hole, here’s the gist.

The majority of hacks: …

… are just opportunistic applications of already-known bugs to infect computers which haven’t been updated or protected.  There are plenty of those devices lying around, and hackers have automated bots that send emails and test websites in order to find any system with a hole in it.  (For instance, since this article went up, this website has been tested every night by a bot which tries the username “admin” and then 20 different passwords.  If the actors behind the bot test enough websites, they’ll surely get into some where the owners never bothered to change the username and have a common password.)
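A way to spot this kind of nightly guessing in your own login records, as an added example that is not part of the original article. The log format, the threshold and the function names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed log: a bot guessing 'admin' 20 times, plus one staff typo."""
    start = datetime(2021, 4, 2, 3, 10, 0)
    lines = [f"{(start + timedelta(seconds=3 * i)).isoformat()} 203.0.113.7 admin FAIL"
             for i in range(20)]
    lines.append("2021-04-02T09:01:12 198.51.100.20 carla FAIL")
    lines.append("2021-04-02T09:01:30 198.51.100.20 carla OK")
    return lines

def find_guessing(lines, known_users, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: reasons} for sources that look like automated password guessing.

    Assumed line format: ISO timestamp, source IP, username, OK or FAIL.
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failed logins
    alerts = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue               # skip malformed lines rather than crash
        stamp, ip, user, result = parts
        when = datetime.fromisoformat(stamp)
        # A login attempt on an account you do not have (such as a renamed
        # default "admin") is a strong signal on its own.
        if user not in known_users:
            alerts[ip].add(f"tried nonexistent account '{user}'")
        if result != "FAIL":
            continue
        recent = [t for t in failures[ip] if when - t <= window]
        recent.append(when)
        failures[ip] = recent
        if len(recent) >= max_failures:
            alerts[ip].add(f"{max_failures}+ failures within {window}")
    return {ip: sorted(reasons) for ip, reasons in alerts.items()}

if __name__ == "__main__":
    for ip, reasons in find_guessing(build_sample(), {"carla", "baird"}).items():
        print(ip, "->", "; ".join(reasons))
```

A single mistyped password from a staff member stays below the threshold, so only the bot's address is reported.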

Ransomware is targeted largely at older infrastructure.

So far, the databases most likely to suffer ransomware attacks are older legacy systems that run from on-premises servers at organizations like hospitals, corporations or government entities with valuable data or financial assets, or that perform a critical service.  It’s notoriously hard to keep these systems up to date – sometimes they use legacy hardware that can’t be replaced and operating systems that can’t be updated.  So far, I haven’t read of an online database like Salesforce allowing a ransomware attack.  (Update as of 8 May 2021: Ransomware attacks are very rapidly moving “downstream,” in some cases attacking even single individuals with threats to share embarrassing data stolen from health provider databases.  However, I still haven’t heard of intrusions into Salesforce.)

Some of your personal information has probably been hacked and published.

Check out the site Have I Been Pwned to find out whether any of your email addresses has been shared along with other personal information on the web.  Most hacks of financial accounts (read “bank accounts”) occur because hackers get a huge list of email/password combinations and try them on the online portals for  banks and financial institutions.  If hackers have your Yahoo password, and you use the same password for your bank account, your savings are in danger.  If you use that password on your work accounts, your organization is in danger.  (You can sign up to be alerted when your email is listed on a hacker website, so that you can immediately change passwords.)

You, human, are the weakest link.

Compared to machines, you are forgetful and flighty.  User error contributes to almost all hacks.  By far the most common errors are outdated operating systems, simple passwords, and clicking on a link in a phishing email.  The SolarWinds exploit arose after someone hacked and published an admin password (“SolarWinds123”) which had not been deactivated.  The DNCC emails were hacked in 2016 because Russian intelligence got a DNCC staffer to click on a link in a decoy email that had been written to look genuine.  As hacks evolve, more and more effort goes into “social engineering,” meaning the practice of customizing malicious emails to look believable and entice human users into a fatal click.  It will be very hard not to make a mistake.

Unencrypted text messages (SMS) to mobile devices are surprisingly unsafe.  

They can easily be captured by listening devices or even forwarded to other phone numbers without your knowledge.  It’s amazing that banks still use them to send confirmation codes.

We can’t stay ahead of the bad guys. 

An increasing number of hacking tools come from nations (like Russia or China or sometimes even our own NSA) or groups that work for hire.  These entities devote huge resources to finding “zero-day exploits,” which means that they actually invent previously unknown entry-points that even the manufacturer of the software itself doesn’t know.   For the SolarWinds intrusion, Microsoft estimates that at least a thousand programmers worked together on the malicious code.  There’s no practical defense against these zero-day exploits until they’re publicly discovered and a patch is developed.

So what can be done?  Luckily for most nonprofits, your system doesn’t need to be impregnable so long as your data isn’t sensitive.  It just has to be harder to hack than the data in it is perceived to be worth.

Take these steps:

Keep your hardware and software up to date.

If your Windows machine can’t run the latest version of Windows, or your Mac the latest version of iOS, then you’ll miss the updates.   Machines connected to the internet (i.e. virtually all of them) are exposed to malware.  The operating system’s owner (i.e. Apple, Microsoft, Google) has to update them quickly whenever new malware appears.  Using a machine running Windows 7 or OS6 and connecting to the internet is like entering a coronavirus ward without vaccination or a mask.  You should probably throw those old machines away – sigh.

Which means …

Install the $*@&% updates, religiously and promptly.  No excuses.  (Require this in your employee manual.)

Keep your data non-toxic.  

If you would not store a piece of information in an unlocked file cabinet, don’t save it in the database.   If you really must record credit card transactions, store at most the final 4 digits and the expiration date.

Create a unique new password for every online account. 

The biggest problem with passwords is that people use them on multiple accounts.  When one account is hacked, thieves try that password on other accounts.  So use a password safe like Bitwarden, a free product that allows you to easily invent and retrieve unique, secure passwords.  (At WaterGrass we use KeePass, an open-source version.)
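An audit that ties this advice to the Have I Been Pwned passage above, as an added example that is not from the original article: it finds passwords reused across accounts in a password-safe export and checks each one against a breach list using the prefix-only lookup offered by Have I Been Pwned's Pwned Passwords service. The export columns, account names and the offline stand-in for the breach list are constructed so the example runs without a network.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed password-safe export; the column names are an assumption.
EXPORT = """name,username,password
Yahoo Mail,pat@example.org,Sunflower!22
First Community Bank,pat@example.org,Sunflower!22
Salesforce,pat@example.org,k3#Vq9tLw2$ZmR8x
Newsletter tool,pat@example.org,password
"""

BREACHED = ["password", "Sunflower!22"]   # constructed stand-in for a breach corpus

def sha1_hex(password):
    # SHA-1 only because the range lookup is keyed on it, not for storing passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def offline_range_lookup(prefix):
    """Stand-in for the range query: 'SUFFIX:COUNT' lines for a 5-character prefix."""
    hashes = (sha1_hex(p) for p in BREACHED)
    return "\n".join(f"{h[5:]}:1" for h in hashes if h.startswith(prefix))

def audit(export_text, range_lookup=offline_range_lookup):
    """Return (groups of accounts sharing a password, accounts with a breached password)."""
    by_hash = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        by_hash[sha1_hex(row["password"])].append(row["name"])
    reused, breached = [], []
    for digest, names in by_hash.items():
        if len(names) > 1:
            reused.append(sorted(names))
        # Only the first 5 hex characters of the hash are sent to the lookup.
        reply = range_lookup(digest[:5])
        suffixes = {line.split(":")[0] for line in reply.splitlines()}
        if digest[5:] in suffixes:
            breached.extend(names)
    return sorted(reused), sorted(breached)

if __name__ == "__main__":
    reused, breached = audit(EXPORT)
    print("Same password on:", reused)
    print("Password appears in breach list:", breached)
```

The report names accounts only and never prints a password, so it can be shared with the person who has to change them.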

Accept the PITA of Multi-Factor Authentication.  

MFA requires you to both enter a password and then (usually) to type in a code sent to your phone or (better) to insert a unique physical “key” into one of the computer ports.  Google employees have used physical keys for years, and report that none have fallen victim to a phishing attack – an amazing record, given Google’s size and value.  It’s not that no Google employee ever shared login information by mistake.  It’s that even after they did, hackers couldn’t get into the system without the physical key.

Get a Virtual Private Network.

Especially if you share sensitive information over the internet.  They’re not expensive and they protect your communications even if you use public wifi at the airport or train station.  (Which you shouldn’t.  Use your phone as a hotspot instead.  Sigh.)

Make this Mandatory but as Easy as Possible for Your Employees.

In your employee manual, require employees to:

  1. Install software upgrades as soon as they are available.
  2. Use a different password for every account.

Then provide them with a password safe program and instruction in how to use it.

Rely on Big Players.

For data security, rely on the big players like Apple, Salesforce or Oracle.  So far, online databases have a better record than those with their servers on-premises, because they can centralize the security functions and enforce security rules.  Salesforce, one of the biggest providers of database services to nonprofits, will soon require users to move to Multi Factor Authentication.  The WaterGrass database is built on Salesforce, so all of our clients will be making that change too.  And we’ll be changing with them.

Ah, the world we live in.

WaterGrass & UNH Paul School Partner to Extract Lessons from Fundraising and Volunteer Data

Posted on February 25, 2021 / March 1, 2021. Categories: Uncategorized

Great news!

It’s been 12 years since we founded WaterGrass, and along the way we’ve gathered some 200 organization/years of anonymized data on donor and volunteer behavior. There’s surely a lot to learn in it, but we’ve been too busy developing new features to really dig as we’d like to.

Now Dr. Phani Kidampi of the University of New Hampshire and the graduate students in the UNH Business School’s Data Sciences capstone program will bring their skills from the corporate sector to bear on our data.

This is a wonderful chance for some rigorous, cutting-edge analysis of granular data about donations and volunteering. Our data extends back an average of 7 years for our organizations, and the total data set comprises some half a million anonymized donations and contributions of volunteer hours.

From previous analysis we’ve learned things like:

  • Organizations with formal membership programs raise more per donor than organizations which don’t.
  • The median donor gives to our clients a little less frequently than once a year. (Good reason to ask for donations more often.)

If you’ve got questions you think we should investigate, let us know! For instance, “How did COVID and the turmoil of 2020 affect fundraising?” That’s one we’re sure to look at.

The project will last through the second semester, and in May or June the masters students will present their results, which we’ll be sharing broadly, on this blog and elsewhere. Weigh in with your ideas, and we’ll invite you to the final presentation!


For Valentine’s Day Let’s Celebrate … Data Mavens!

Posted on February 10, 2021 / February 10, 2021. Categories: Uncategorized

Every organization needs one – that person who keeps the data straight, ferrets out duplicate records, nags you to update the addresses you’ve kept in your rolodex and Excel spreadsheets – you know who I’m talking about … the Data Maven!

At WaterGrass we’ve worked with lots of them.  Picky picky picky.  

But so vital vital vital.

It’s time they were celebrated.

Nobody wants to be the data maven.  It’s an anxiety-provoking, devil-in-the-details job, constantly trying to maintain order against the natural entropy of information and the pressure of other things that need doing.  It would be so much easier for them to just ignore the little mistakes, but … at some point they suffer one time too many from bad addresses in a mailing list or donations attributed to the wrong family and they can’t stand it.  So they take up the burden for the whole organization.

Usually they feel a little guilty about it.  Often they’ll apologize for being so exacting when they ask us for corrections.  They worry about irritating their colleagues.  It wears on them.  It’s a hard role to play.

They need allies.

We’ve seen too many organizations where a data maven leaves and no one takes his or her place.  Soon, the remaining staff can’t get good reports or mailing lists.  Then they distrust the database.  They begin to keep important information in spreadsheets of their own.  Eventually fundraising can suffer, sometimes catastrophically.

So let’s use this Valentine’s Day to spread some love to people who don’t get honored enough.  Let’s celebrate …

To kick it off, here’s a poem for all the data mavens out there:

We know “Read” isn’t “Red.”

We know “Green” isn’t “Greene.”

You make us write out organization names fully without contractions

So our data is clean!

We hope you and your organization have your own data maven to celebrate.

Baird & Carl