News and analysis
February 21, 2010

A San Francisco Technology Charity Gets a Lesson in Online Security

TechSoup, a San Francisco charity that provides technology assistance and donations to nonprofit groups, had a close call with its own computer system. Hackers broke into TechSoup’s Web site, and while they did not get as far as stealing data or wreaking other havoc, their break-in disabled TechSoup’s computers for nearly three days.

In the year since the incident, the group has stepped up its security efforts and joined a growing chorus of nonprofit-technology experts warning about the vast vulnerabilities of charity Web sites and computer systems.

“Especially in the last two years, the threat has gone up exponentially as hackers have gotten more sophisticated and have a greater understanding of the value of the kinds of data they can steal,” says Richard Collins, who is in charge of cyber security at TechSoup. “The other main threat is that hackers are targeting smaller organizations and organizations with fewer resources now because many of the bigger ones have already made their systems more secure.”

Easy Targets

Mr. Collins and others who follow technology trends in the charity world say that because of a lack of time, money, expertise­—or all three—many nonprofit groups have not given computer security the attention it deserves.

“There’s a general sense that it’s not going to happen to us or we know we should be doing more, but we don’t learn our lesson until something bad happens,” says Holly Ross, executive director of the Nonprofit Technology Network, a Portland, Ore., group whose members provide technology assistance to charities. “Also, there are competing philosophies between wanting to be as open as possible across your network but wanting to be closed enough to be secure.”

Adding Filters

Charities that process donations online are a particularly attractive target for hackers looking to steal credit-card information and donors’ personal data. Organizations that don’t accept online gifts still usually have other valuable information on their computer systems, such as their employees’ Social Security numbers.

Hackers might also be interested in using charity Web sites, e-mail lists, and social-media networks to launch viruses and other infections or theft devices into other parts of the Internet.

Since the break-in, TechSoup has added sophisticated filters that look deeply into the content of the traffic that occurs in its Web applications, such as the one that the charity uses to handle transactions to distribute donated computers. Such Web applications are common for transactions charities conduct using remote computers and a Web browser: An example would be a system for processing online donations. Mr. Collins says the filters have helped identify at least a few attempted attacks.

TechSoup would not reveal how much it cost to upgrade its security, but Imperva, the company that helped the nonprofit group in this effort, says its filter-and-firewall systems for Web applications start at $15,000.

Basic Measures

Not all charities need such an in-depth fix for their computer security, nonprofit technology experts say. Organizations that use trustworthy third-party companies to process donations, for example, probably have fewer holes in their systems that need to be protected.

And not all charities store sensitive data. In those cases, more basic measures, such as virus protection, data backup, and some encryption could do the job.

The experts say that nontechnological approaches help secure computer systems, too.

“There are lots of things you can control even without a tech staff or budget,” says Peter Campbell, director of information technology at Earthjustice, an environmental-advocacy group in Oakland, Calif. Much of that protection, he says, can be accomplished through office policies and staff training. Among the measures charities can take:

Make sure employees use secure passwords. “People tend to use the same one or two passwords for everything related to their job—to turn on laptops, access online databases, access critical functions,” says Ms. Ross of the Nonprofit Technology Network. “That’s a big vulnerability.”

Remind employees not to open messages or attachments from unknown sources. “A simple policy: Don’t click,” Mr. Campbell says.

Connect with care. Impress upon employees the need to guard laptops, phones, and other portable devices that connect with office servers or that contain the organization’s data. “There’s a tendency to think of data as living at the office, but every time we download that data to a device, it’s with us and we are responsible for it,” Ms. Ross says.

Guard against human error. “You can put up all sorts of good and decent protection,” Ms. Ross says, “but you can’t forget about the people and the role they play in how secure things are.”