Heartbleed bug leads to much heartbreak for charities

publication date: Apr 23, 2014
 | 
author/source: Bill Kennedy

Nightmare headline—“900 SINs stolen due to Heartbleed bug: Canada Revenue Agency.” Just substitute “credit card numbers” and the name of your charity to complete the worst-case scenario for an Executive Director. If your charity has a web site but not an IT department to protect it, what do you do?

To understand your charity’s exposure, let’s start with the current issue. What is this Heartbleed bug that has caused all this destruction? Without getting too technical, it is a flaw in a common utility (the OpenSSL library) used to establish a secure connection between two computers across the internet, and attackers exploit it with readily available software. What makes this so scary for charities is that there was no cloak and dagger here, no malicious plot directed at one organization—anyone could be targeted. In fact, hackers can just sweep the internet randomly, looking for vulnerable web sites.

[Chart: charity web sites in three categories of increasing risk]

How do you protect yourself? Start by assessing the risks you face while planning your strategies. The above chart divides charity web sites into three categories of increasing risk. Often, a charity’s first web site is volunteer driven, based on current fundraising documentation. As the organization looks to increase donor engagement, the web site may become more interactive to include user feedback, sign-up forms and discussion forums.  Finally, the website may evolve into part of the fundraising strategy, accepting donations and making sales.

Risk protection strategies

Here is an overview of some of the risks and strategies charities should consider when determining their internet presence.

Simple web sites

Risks

  • Single person dependency – what if the volunteer moves away or loses interest?
  • Obsolete software – software that is not up-to-date is vulnerable to attack.
  • Obsolete content – while not a direct security risk, a web site with an attractive web address can be a target for fraud.

Strategies
  • Committee – have a web volunteer report to a group, such as the communications committee, or appoint co-webmasters.
  • Use popular software that has regular updates – keep the setup simple by avoiding custom programming. Be prepared to rebuild the web site should the underlying software become obsolete. A good place to start is with social media software, such as a Facebook or LinkedIn page.
  • Separate the functions of web design and content. They require different skills. To the greatest extent possible, make it easy for non-technical people to add and modify the website content.

Interactive and eCommerce websites

Risks
  • Unauthorized brand use, e.g. a well-meaning person creates a site with your name and logo on a new social media platform or a malicious person mimics your web site for fraudulent solicitation.
  • Theft or unintentional release of personal information.
  • Deliberate attack.

Strategies
  • Hire professional staff on an employment or consulting basis. If you go with an external web developer, view it as an ongoing relationship rather than a short-term project.  Make sure the site is regularly reviewed to ensure that all controls continue to function.
  • Have the communications committee sweep the internet looking for where and how the organization’s name is being used. Where a web page has been set up in your name, claim it from the organization running it. You may decide that it can continue to be run by the person who took the initiative as long as your security policies are being followed.
  • Understand the impact of privacy legislation on your organization. Physically isolate the servers running your web site from the ones with sensitive information, possibly by outsourcing your web operations.
  • Analyze what sorts of attack you are vulnerable to and hire a security consultant to assess your response.

Of course, there are general risk mitigation strategies that you should always employ. These would include recruiting technical professionals to your Board, putting the organization’s policies in writing and keeping your insurance agent and coverage up-to-date with your activities.

Finally, recognize that you can have the most secure web site and still be attacked. For example, a national charity received hundreds of $5 donations through their web site. A few days later, rejection notices from credit card companies started pouring in. Upon investigation, it was determined that someone was putting through the donations to test which (stolen) credit card numbers were still valid. To make matters worse, the credit card processing company charged a fee for each rejected credit card. To address the problem, they made arrangements with the credit card company not to process small, repetitive transactions until they were investigated. They also took their online donations page offline for a week so that the perpetrators would move on.
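As an added illustration (not code from the article or the charity it describes), the arrangement in the story above, holding small, repetitive card transactions until someone has looked at them, can be written down as a plain rule and replayed over a constructed donation log; the dollar threshold, time window, burst size and decline ratio are assumptions for the example.

```python
from datetime import datetime, timedelta

# Rule thresholds (assumed for this example; tune them with your payment processor)
SMALL_AMOUNT = 10.00            # donations at or below this are "small"
WINDOW = timedelta(minutes=15)  # how far back we look for a burst
BURST_COUNT = 5                 # small gifts in WINDOW before the rule can trigger
DECLINE_RATIO = 0.5             # share of recent small gifts that were declined

# Constructed transaction log: (ISO timestamp, amount, processor response)
SAMPLE = [
    ("2014-04-20T10:00:00", 5.00, "declined"),
    ("2014-04-20T10:00:30", 5.00, "declined"),
    ("2014-04-20T10:01:00", 5.00, "approved"),
    ("2014-04-20T10:01:30", 5.00, "declined"),
    ("2014-04-20T10:02:00", 5.00, "declined"),
    ("2014-04-20T10:02:30", 5.00, "declined"),   # sixth $5 gift in three minutes
    ("2014-04-20T10:03:00", 50.00, "approved"),  # ordinary-sized gift, unaffected
    ("2014-04-20T10:03:30", 5.00, "approved"),
    ("2014-04-20T11:00:00", 5.00, "approved"),   # an hour later, burst is over
]

def parse(rows):
    return sorted((datetime.fromisoformat(ts), amt, status) for ts, amt, status in rows)

def decide(rows):
    """Replay the log in order and return [(timestamp, 'process' | 'hold'), ...].
    A small gift is held when the previous WINDOW already contains BURST_COUNT
    small gifts and at least DECLINE_RATIO of them were declined. A held gift
    never reaches the processor, so its outcome is recorded as 'held'; it still
    counts toward the size of the burst.
    """
    history, decisions = [], []
    for ts, amt, status in parse(rows):
        if amt > SMALL_AMOUNT:
            decisions.append((ts, "process"))
            continue
        recent = [t for t in history if ts - t[0] <= WINDOW]
        declined = sum(1 for t in recent if t[2] == "declined")
        if len(recent) >= BURST_COUNT and declined / len(recent) >= DECLINE_RATIO:
            decisions.append((ts, "hold"))
            history.append((ts, amt, "held"))
        else:
            decisions.append((ts, "process"))
            history.append((ts, amt, status))
    return decisions

def held_count(rows):
    return sum(1 for _, d in decide(rows) if d == "hold")
```

Run against the sample, the rule lets the first five $5 gifts and the $50 gift through, holds the two small gifts that arrive once the decline rate is high, and lets the isolated gift an hour later through again.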

All in all, it is best to review your website through a risk management lens. Depending on the type of website that you have, there are strategies to choose from that will suit your needs—and protect you from security vulnerabilities like the Heartbleed bug.

Bill Kennedy is a Toronto based Chartered Accountant with Energized Accounting, focusing on financial and reporting systems in the charitable sector. He blogs at www.EnergizedAccounting.ca/blog/. Find out more at www.EnergizedAccounting.ca. Follow Bill @Energized



Copyright © 2011-Current, The Hilborn Group Ltd. All rights reserved.