Cyber security is a top priority for foundations and for-profits alike; stories of ransomware targeting foundations and hospitals proliferate across both Canada and the United States, while (a little too close to home) the Toronto Public Library also reported an incident late last year. Whether it’s employee, donor, client, or grantee information at risk, it is crucial to adhere to the highest possible standards of security and privacy. At Grantbook, our consulting philosophy is to explore challenges through the lens of people, process, and technology; we’ve collected our top recommendations with those areas of focus. Please note that while there are many applicable tips below for all organizations and systems, those using Fluxx as their grants management system will find some system-specific processes and functionalities that they can implement.
People
We would like to preface this article by encouraging you to speak with whomever at your organization is responsible for your information technology and security—your chief security officer, perhaps, or a designated IT manager. This person should be well-versed in industry best practices, and may already have processes and guidelines in place. You can work together to develop comprehensive training programs and procedures for ongoing evaluation of your systems, as well as for the learning and development of your team and grantees. You may also consider organizing a one-time (or regular) evaluation of your team’s understanding of cybersecurity risks and realities, and how your foundation is actively safeguarding against them.
Process
Related to the section above, ensure you have a process defined for identifying whom at your foundation is allowed to handle different types of support requests such as: resetting passwords, resetting MFA, assigning administrator privileges, linking users to organizations, etc. Many foundations who adopt Fluxx default to making every internal user (or staff member) an administrator, leaving you open to phishing attempts and causing more confusion than clarity when it comes to ownership of key security processes. We would recommend:
- Running a regular user audit
- Review user accounts to see what profiles and roles are assigned, what permissions those profiles have, and who has an admin account
- Fluxx data reports can facilitate this, as can a User Profile/Role dashboard
- Setting and enforcing strict security processes
- The ability to assign admin rights, reset user passwords and MFA should be limited to a select few
- Create a verification process before creating or resetting a user account (e.g. requiring a phone call or Zoom meeting to verify the user’s identity)
- Reviewing sensitive information storage
- Bank accounts should be locked and restricted from regular editing and viewing access
- Payment details should be subject to verification
- Core details like email address, organization name, tax ID, and physical address should not be changeable without a review
- Running a Fluxx system audit
- Ensure you are regularly reviewing your Fluxx instance to identify any gaps in your processes or opportunities to clean up your forms and data collection.
*Integrations and APIs can help minimize sensitive information stored in Fluxx (such as Bill.com)
Technology
- Set strong password requirements
This may seem straightforward—who among us hasn’t been through the song and dance of incorporating numbers, special characters, and a healthy amount of upper and lower case letters—and it is for precisely this reason that setting strong password requirements can be so easily overlooked as an effective tool for securing your Fluxx instance. When setting the attributes for acceptable passwords, you can not only include those basic considerations, but you can also limit the number of failed login attempts, or ensure the user’s password has not been recycled and previously used.
This may surprise you, but simply using password expiration (where you get a prompt every 60 or 90 days reminding you that it’s time to update your password) is no longer effective—and actually does more harm than good. As hacking methods become increasingly sophisticated and automated, it is ineffective to put the onus on users to continually create new passwords which are, more likely than not, going to resemble their most recent one for the sake of their memory and sanity. Luckily, the next section can alleviate that pain point.
- Use a password manager
A browser extension or app can completely eliminate the stress of creating and remembering passwords. While this is of course helpful for any individual user, it has the added benefit of acting as a repository for shared passwords as well (i.e. team/organization-owned accounts and memberships), and is especially useful for Fluxx admins who manage multiple accounts (e.g. test grantee, test reviewer). At Grantbook, we use LastPass and have enabled the browser extension for ease of use; as an added bonus, for MFA-enabled accounts, it eliminates the annoyance of needing to grab your phone to verify your identity, as LastPass will generate a TOTP (time-based one-time password) that you can simply copy and paste directly from the plug-in.
- Turn on MFA
Look, we get it: needing to verify your identity, sometimes across multiple devices, when you log in to a service you use daily is a pain. It can feel time-consuming, inefficient, clunky. But there is a reason why your account is 99.9% less likely to be compromised if you use multi-factor authentication, according to Microsoft’s Director of Identity Security, Alex Weinert: it adds an extra layer of security to your data and acts as a final line of defence against hackers. By asking for something you know (password), something you have (a one-time code via app or text), and something you are (face scan or fingerprint), tech systems and services are setting the bar high to confirm your identity.
If you’re using Fluxx, speak to your CSM (or reach out to [email protected]) and read the knowledge base article on what changes are required on your User form.
We would also advise you to have a rollout plan for your grantees as you inform them of this change, when they can expect it to take effect, and why you are implementing it. The ideal time to share this information is during implementation; the second best time is now.
- Export emails from Fluxx to announce the rollout plan and timeline.
- Create a guide and support documents for your grantees: a link to which app or extension they need to install, and screenshots of the set up and use cases.
- Set up a help desk email/phone number, record a video, or run a webinar to walk them through the process step by step; remember that while many of us may accept MFA as matter of fact by now, your grantees may be experiencing this for the first time and will require extra support as they adjust to this new process.
- Better yet, enable SSO
Single sign-on enables you to automatically sign in to different websites and platforms using your organizational credentials (email/password/MFA) to save time. Speak to your IT team about this option to understand any security and tech requirements you may already have in place; with their expertise, you can explore SSO solutions such as Google, Microsoft Azure, Okta, or Ping Identity (aka PingOne).
It can be daunting to begin to tackle your organization’s cyber security needs; however, it is a basic courtesy and responsibility that you owe to your own team and your grantees, so they can safely perform both grantmaking and changemaking. Fluxx prioritizes security for all its users, and so do we at Grantbook. Reach out today to learn more about how we can help you implement the people, process and tech solutions above.