How do nonprofits safeguard their missions and the integrity of their work? Three leaders speak.
Running a nonprofit is a juggling act. It’s two jobs—or more—in one. You must care for the community you’re serving and the organization you’re leading. You hire employees and delegate responsibilities. Maybe you outsource some of the work. Suddenly, you have a hundred-member team made up of staff and volunteers, and your IT is off-site.
Then there’s a breach. Donor data, personal data, client data—stolen.
Unfortunately, this is a real threat. In 2020, Blackbaud, a cloud software provider that serves the social good community, suffered a ransomware attack in which the attackers also copied customer data out of its systems before the intrusion was contained. Vermont Foodbank, the George W. Bush Presidential Center, Human Rights Watch, and many more organizations were affected. So how does a nonprofit stay secure? And how do you pick up the pieces while reassuring the people you work with—and for—that they can feel safe with you?
To answer those questions, we spoke with three grant recipients—all presidents and CEOs of their organizations—about the ways they safeguard their nonprofits. They are Ethan Hemming of Warren Village, Lauren Solidum of Catholic Charities Northeast Kansas, and Bela Moté of Carole Robertson Center for Learning. All three organizations are experiencing growth, and all have had to consider adding extra protective measures as a result.
Ethan Hemming, President & CEO Warren Village
Even one incident of fraud can affect a nonprofit’s reputation. What are some of the basic ways you safeguard Warren Village?
First of all, every volunteer and every staff member does a background check through the Colorado Bureau of Investigation. And that’s repeated routinely. Then when you move into the learning center, which again is a state-licensed, highly regulated environment, those folks go through a different level of background checks. It’s basically part of the state’s human resource system. All teachers have to go through it and that goes into the CBI and FBI. It is very intrusive, but appropriately so. They’re working with children. Then every member of the company, every year, has to go through the state’s mandatory reporter training, which is an online 60-minute module that’s test based, so you can’t just click through.
How do you handle cybersecurity?
We have a real big focus on data equity here. Like when we do a survey of our alumni, we treat them as providers and consumers. We don’t expect them to give us data for free, so they get a reward for doing a survey. We also share back appropriately aggregated data, so they see the outcomes if they’re so interested. We respect them. It’s the same thing when it comes to the personal data. We do outsource our data privacy and data security needs to Verticom and they manage our servers. They do access control, they manage all the permissions, the password changes. I know that sounds basic, but not everybody does it. We also have Mimecast that protects us against phishing attacks, although obviously stuff still gets through.
Have there been any recent attempts that made it through your systems?
During COVID, we had constant attacks through our online donation portal. I don’t remember the exact details, but it was like a penny donated, a penny donated, a penny donated. Apparently, that was one way they were trying to get into the system to then mimic the system to redirect money. But it was never successful, as I was notified of that routinely. Cybersecurity is constant vigilance.
Anything else you’d want to share with your peers, including advice?
Everyone should have a business continuity plan for disasters, but you also need a leadership succession plan. Not an idea of a plan, but like “What happens if I die?” And then make sure your board chair and your treasurer have a copy of that plan. Because the plan needs to make clear who takes over, make sure it’s super clear because it’s for your board and they’re volunteers. And if it isn’t written down, it’s just going to be chaos. Safeguarding can be minimizing the chaos in an unfortunate situation.
Lauren Solidum, President & CEO Catholic Charities Northeast Kansas
Looking at your best practices, how do you safeguard your branch of Catholic Charities?
We look at access, in terms of volunteers and hiring, even our board members. We, as a part of the archdiocese, use a system called Virtus. It’s an abuse prevention program that we make everyone go through. It’s a three-hour course and required annually. There are also workbook pages in between the annual meetings that need to be completed and focus on topics like abuse reporting. I would say in addition to that, we do background screenings and drug screening at the time of hire. We used to just do a “one and done” in terms of a background screen, but now, after some research, we’ve found that repeating every two to three years is really the best practice. And this is for everybody: volunteers, employees, even our board members who don’t always have direct interaction with the people we serve.
When did you start adding in cybersecurity?
We celebrated our 65th year last October, and for at least the last 10 of those years we’ve been working with penetration testing. We have one IT manager, and the rest is outsourced. We do monthly penetration testing and also do training as a part of onboarding. And then we’ve been spending a lot more time on intentionality, particularly around email and passwords. We now have alerts to change passwords every three months.
What are your biggest concerns when it comes to keeping your organization safe?
Client information is huge. Individuals coming to us share a lot of the challenges that they’re experiencing. Some of our programs require it. I’m specifically thinking about our financial education training, where we have to know the clients’ budgets to be able to help. So we’re careful about what we ask. And we’re intentional about safeguarding the information we get. If we don’t need it, don’t ask for it.
Is there any advice that you’d want to give nonprofits about how to keep their organizations and the communities they’re serving safe?
I would just say that safeguarding is an investment. You know, for lack of a better word, it’s not sexy. It’s not a new and shiny program, but it’s necessary to build a foundation of trust with the clients, your donors, and your volunteers. Sooner than later, you should add it as a part of your budget so it’s just a part of the infrastructure.
Bela Moté, President & CEO Carole Robertson Center for Learning
How do you know where to begin when it comes to safeguarding?
Literally thousands of children cross our threshold every single day, and there’s a responsibility to keep them safe and enrich their lives and make sure that they’re learning. The Department of Children and Family Services tells us what we need to do to be even licensed. Our public funders tell us what we need to do to safeguard the environment, and we do those things. If we don’t, then that means that we’re at risk for losing our funding or being out of compliance. Right off the bat, any new hire is trained on being a mandated reporter. We are required to report anything that looks, feels, smells like abuse, whether it’s physical abuse or sexual abuse.
Do you handle your own cybersecurity or outsource that piece of safeguarding?
We have a partner who helps considerably with making sure that we stay current in the way that we protect ourselves from breaches. Multiple access points before you get into your device, making sure that if an employee logs into her computer, we know exactly what time she logged in, what time she logged out. But not every regulatory body that licenses us or gives us funding has caught up to the technologically advanced ways of doing things, which means we also have to maintain paper records. Not everything can be in the cloud. And so when we have a visit from DCFS or an audit, for example, we have to have access to those paper files. It’s our job to know who can access them, whether they are stored securely, and how they are updated. Details like which files go on-site versus which are at the admin office. It requires a lot of focused energy and planning from our people.
What about the financial side?
We have 19 board members, though we expect to grow by 1 or 2 in the upcoming months. Then we have an executive committee that is really where a lot of the governance aspects of the organization are discussed and debated. We also have a finance committee. It has oversight of our fiduciary responsibilities, including budget approval for every fiscal year and monthly tracking of expenses. We have audits to make sure that we’re doing what we said we were going to do as a nonprofit. And there are internal controls and fiscal policies and procedures that support those things. It’s very much a partnership between the executive team and our board.
Anything else you’d like to add?
Every nonprofit has to continue to invest in infrastructure. We now have everything centralized. For example, there’s one portal that we enter all our children’s data into. Whether that be enrollment data, outcomes data, family data, there is one hub that is connected and protected. We’re moving into cloud-based servers so our employees can access us from wherever they are. But also, you have better control when you don’t have multiple shared drives and don’t have multiple servers on-site that can crash at any given time. Finally, we are stewards of many things, but most importantly, we are stewards and partners in young children’s lives. And so we can’t look at a very narrow definition of safety. There are layers of safety. Some of them are infrastructure related, some of them are directly related to environment. Safety should be part and parcel of how you do business. It isn’t just when something goes wrong.