I work as the one-person "IT Department" for a small but growing wildlife conservation non-profit based in San Francisco. I find myself figuring out a lot of things through my own research, trial and error. This is my attempt to give back to the Non-Profit IT community.
As a follow up to yesterday’s post on password managers, I thought I’d go through other security considerations for non-profits these days.
First and foremost—as I mentioned yesterday—get a password manager and make sure everyone at the org uses it. Have them choose a strong master password and turn on 2-factor authentication. Weak passwords and poor password management (e.g. emailing around a passwords.xls file) are the #1 risk for any org.
If you are worried about people intercepting your digital communications, I recommend switching all of your email accounts over to ProtonMail or LavaBit. Use Signal or Silent Text for text messaging. Use RedPhone or Silent Phone for encrypted voice calls.
If you use Macs, turn on FileVault disk encryption. For Windows, BitLocker. Store the recovery keys in a secure location (such as in your password manager). Password protect all computers and never store the password with the computer. I recommend a slight variant of your master password.
For your web site, make sure the site software is up to date with the latest security patches, use a long, randomly-generated password for the admin console, don't put anything sensitive up on the site, and use CloudFlare or some other similar service to protect against DDoS attacks.
For internal network protection, just make sure your router’s firewall is turned on, and keep the firmware up to date (this is why). Check at least every couple of weeks. Never use the DMZ feature. I also recommend against port forwarding. If you want to expose anything to the internet, use a separate hosting provider rather than your own internal network.
If you need anything more than this, I'd start with FireEye, and then check out related companies. Unfortunately these services tend to be aimed at for-profit businesses, so they won't be cheap. (But do let me know if you find a good one that offers a non-profit discount.)
If you are looking for a security consulting company, I'd start with Resilient Systems just because Bruce Schneier is the CTO and in my mind he is one of the top people in digital security out there. Again, probably not cheap. Let me know if you get a non-profit discount.