Chapter 12
Technology & Data
A nonprofit organization’s technology and data functions may be managed by a central department, decentralized to functional divisions of the organization, or outsourced to an outside vendor. Each approach to managing and supporting your organization’s technology needs comes with its own set of risks. Largely because of cost and limits on technology funding in government contracts and foundation grants, too many nonprofit organizations depend on older hardware and multiple, dated software platforms. The drag caused by aging technology affects organization performance and the ability to generate data and reports. These elements taken together create an environment that is ripe for risk.
Nonprofits may be more prone to technology risks because of the high cost of technology and the people needed to support and manage it. Technology and the data it produces interact in ways that pose very specific risks to nonprofit organizations.
The risks for six major activities are described in this chapter:
–Staying on top of cyber continuity.
–Working with organization-wide systems and standards.
–Maintaining functional systems and standards.
–Keeping in touch with web and social media.
–Organizing hardware, networks, and devices.
–Developing and acquiring systems, data, apps, and projects.
Staying on Top of Cyber Continuity
If white papers, conferences, training seminars, and articles in the media are any indication, everyone is concerned about security in the digital world. If they are an indication, it’s a misleading one. Too often, the discussion is about a rare but catastrophic event rather than drilling deeper into the more common and ordinary events that pose potentially more damaging risks every day.
Cyber continuity is the term used to encompass all of the activities and policies that center on one simple idea: you should be able to depend on your technology resources to work tomorrow just as you do today. Interruptions and disruptions in your organization’s access to and use of necessary technology are a growing concern for nonprofit leaders and boards. Regardless of the source of the disruption – hackers, faulty hardware, user error, power outage, extreme weather or malfeasance – the impact of rendering an organization unable to access or use its technology is reason enough to have a cyber continuity plan and off-site or cloud based data storage.
What matters is keeping your technology available for use and functioning well. Once you are confident about that, you can take other steps to improve it.
What to Watch For
There are three primary considerations for cyber continuity in an organization:
–Cyber and technology asset management. Know what your technology environment and resources are. What are they, where are they, and who owns them? (This last question is very important in the age of BYOD—bring your own device.) For each device, you should know the usual inventory details (serial number, model number, and so on). Remember that software is just as much an asset as hardware. A difference is that whereas physical devices usually have a serial number apiece, when it comes to software licenses, they often apply to a certain number of devices but not to specific devices or users. (See the section later in this chapter on cyber security for specific risks.)
A plan is needed to manage software updates across your organization. Many software upgrades are in fact corrections of errors and patches for newly discovered bugs. Not updating hardware and software can open your data systems to viruses, bugs and hacking, perhaps the most common risk to cyber continuity.
Staff need to be familiar with and receive training on your organization’s technology plan and platforms, to ensure that people know what resources they have and how to use them. From sign in passwords and calendaring meetings to using shared drives and laptops, the amount of time organizations spend responding to technology complaints and user issues or fiddling with document formatting and frozen spreadsheets can be enormous.
–Contingency planning. Have procedures and a response protocol in place that are known, practiced, and taught so that regularly occurring issues can be dealt with quickly and managed in an orderly manner. Remember that the goal is continuity, which means addressing the small issues so that when an unusual event occurs, your resources can be deployed to resolve it.
–Cyber security. Knowing what your real cyber security risks are is essential to finding and mitigating them.
Note: The Year 2000 Problem is now widely considered to have been much ado about nothing. In fact, it is a wonderful example of the successful identification and remediation of a very serious problem. For its reputation now to be much ado about nothing is a textbook example of success in identifying, managing, and mitigating risk.
–Do you provide staff and others with regular training and refreshers on how to use your organization’s equipment, data systems and software?
–Do you have a formal procedure for authorizing access to organization data and technology and means to prevent sharing passwords or log-ins?
–Moving from one way of managing technology (centralized to decentralized) or from one software platform to another, can create vulnerabilities as people adjust to the new ways of working or new responsibilities. Shifting to bring your own device (BYOD) or work-at-home arrangements, means reconfiguring devices or setting up remote access. Do you incorporate time and energy for tasks associated with changing technologies?
–Do you make certain that systems and can handle required data and formats for current and potential partners and funders whose data standards and formats must be used for submission of reports and invoices for projects and grant funding.
–Implementation of systems and policy standards requires expert technology staff or pro bono volunteers. Does your organization’s budget cover the staffing costs and resources needed to support users, keep the systems running, respond to emergencies, insure the accuracy of the information and data collected and generate reports?
–Do you sanitize devices that are being discarded so that data and security credentials are not given away?
Prevention
Make certain your inventories of hardware and software functionality are up to date. These inventories should include serial numbers, current versions, and support contacts both inside the organization and at vendors. This is always difficult in a BYOD world, but being able to answer the question prompted by a news headline “Can this happen here?” can be critical.
Mitigation
The primary mitigation goal is simple: get things running again. Have procedures in place so that the analysis of what happened can proceed during and after the restoration of service. Being able to simultaneously restore service and perform necessary post-incident reviews can help move both activities forward.
Working with Organization-wide Systems and Standards
These include centralized databases, organization-wide software for activities such as budgeting, time sheets, and other operational issues. To facilitate the optimal functioning and proper use of your organization-wide systems, it is useful to have a set of operating policies and regular training and supervision of system administrators and users regarding the required protocols, formats, and devices that are used for those operations.
In short, the advantages of organization-wide systems and policy standards focus on the clarity and consistency it provides across the organization. The disadvantage is centered on the fact that standards can inhibit innovation and improvement if users become complacent about doing things in one way only.
Although there is a popular idea that technology moves rapidly and constantly, in fact, advances in technology most often occur in steps and jolts rather than continual improvement. Among the major lurches forward of the last few decades have been the rise of mobile devices, the use of the Internet (in the very late 1980s), the rise of the web (with 1995 being considered a pivotal moment for end-users to become aware of the web), new security standards for the web that enable online banking and financial transactions, and explosion of social media. It typically takes a decade or more for each of these major advances to become commonly used; to the extent that nonprofit organizations may function with very limited budgets, they may be a generation or more behind the current best practices, and that is a risk because advances since the late 1990s often have tightened up security.
Prevention
Update device and software inventories and train people in the use and maintenance of their hardware and software and platforms including BYOD (bring your own device hardware and software).
Provide a protocol for handling exceptions to the organization-wide policy standards so that they can be requested and reviewed appropriately.
Mitigation
Keep track of allowed exceptions to organization-wide standards and review them periodically to determine if the exceptions or standards need updating.
Maintaining Functional Systems and Standards
Most nonprofits use multiple data systems for different functions. For example, financial management, fundraising, client and donor relationship management, client case management and other systems needed to manage the organization’s business. Many nonprofit organizations use client relationship management or case record systems. In some organizations these systems can stand alone, while in others the client experience and organization is better served when the systems work directly with one another. It is not uncommon for different departments to use specialized data platforms. A single client or user data system or financial management platform is often used across an organization’s programs and departments. Many organizations switch back and forth between organization-wide and department systems not only over time but even in the course of routine operations. There is risk and expenses to consider switching environments and standards, but that has to be weighed against the benefits of using different systems that may have other benefits.
What to Watch For
In larger organizations, the existence of multiple systems can hinder the reassignment and transfer of staff because different areas of the organization use different systems and the skills and expertise are not shared with other members of the organization.
Prevention
Using a variety of software and data systems is commonplace in nonprofit organizations today. The ideal state is when technology works to support the business needs and operations of the organization, and, more important, it provides management and staff with useful data and reports.
Here are some challenges to watch out for.
–Make certain that the goals and objectives of the organization and each unit are in sight so that discussions are about them, not about the tools being used. It’s very easy to turn discussions that should be about business process or performance into discussions about the adequacy or inadequacy of technology tools
–As software systems and platforms evolve, their functionality is improved and new features and capacities are added so that a product that was perfect for one function yesterday, such as maintaining a mailing list, may become a full-featured relationship management product tomorrow. Designate personnel and task them with staying current on the full functionality of the software and data platforms you use and updating user training or policies as needed. These enlarged functional cores of products can easily give you unwanted duplication of functionality and technology. Before you know it that can lead to fragmentation of data as you wind up with multiple mailing lists within a single office or department. Some years ago, a task force was established in a large organization to look at the issues of data duplication and overlap. After research and conferences, it was determined that there were thirteen separate (and mostly incompatible) customer files. When the task force presented what they considered to be an alarming report to management, the vice president responsible for systems said only that she was stunned that it was only thirteen.
Keeping in Touch with Web and Social Media
Today, most nonprofits have a presence on the web. Typically that presence is a website but more and more it is a presence on social media. as critical parts of the organization’s communication strategy. The web and social media can provide you with powerful platforms to reach people and get the word out about your organization and the work you do. In addition to affording much broader reach at a significantly lower cost, they also function at a much faster pace than other communication tools (think printed flyers and brochures sent by mail). See Chapter 10, “Marketing, Communications, and Reputation” for more on the pros and cons, benefits and pitfalls of the web and social media.
What to Watch For
Web and social media resources and tools are phenomenally useful, but there are some risks to watch for. Here are some of the most common ones:
–Do not become distracted by social media tools and features (they are designed to attract attention after all). Stay focused on your organization’s goals, message and reputation so that the content of communications is consistent regardless of platform or tool used. And, have a plan in place to monitor and respond in real time to comments and feedback.
–Remember that the web can be accessed from mobile devices. If you can’t afford or just don’t want to design for multiple platforms, the web and one mobile platform is quite reasonable. It also is easily expanded and mobile devices are in broad use.
Prevention
Remember that the demographic profile and audience demographics and use rates vary from platform to platform and reliance on mobile versus desktop devices vary and change a great deal. Using a social media platform to push out content to the general public or engage users and donors requires organizations to maintain an active presence on the web and on social media and monitor regularly consumer and workforce experience, feedback and ratings on public platforms. These new media and communications functions require staff and policies and processes to maintain and monitor them.
Among the risks in the social media world is going for numbers (looking to use platforms reaching the largest audience) regardless of whether it is the right audience for your message or conversely, limiting your use of social media to only those outlets that are popular among your staff and board.
Organizing Hardware, Networks, Devices, and Technology Skills
Technology has moved away from corporate mainframes to on-site servers, mobile devices, networks (wired and wireless), and a multitude of devices have come onto the scene. This proliferation of mobile and point-of-service technology has produced new risks for organizations, as well as helping them become more effective and efficient in their operations. One of the most significant issues in technology today is the rise of BYOD (bring your own device). This allows people to bring their own mobile devices to work and be productive. It may save money because some of the cost of providing technology to people is managed outside the organization. On the other hand, you need policies and guidelines to manage all of your technology assets including BYOD.
What to Watch For
As is the case with any organization, have a technology plan for acquisition and maintenance of hardware, software, maintenance, and skills across the organization in how to maintain, train and use them. New modes of communication ranging from cellphones to social media sites have become an integral part of modern life. Deciding on the best technology solutions for your organization can be overwhelming with all of the competing products and pricing options on the market. Some organizations convene a technology committee of staff, board and pro bono or paid advisors to help with scoping and purchase of technology.
Prevention
Nonprofit organizations have some specific issues to consider that government and commercial organizations don’t have. Here are two of them:
–Donations. Nonprofit organizations may be recipients of donated hardware or mobile devices. Before accepting donations, make certain that it is functioning and has several years of useful life left. That is, it fills a gap in your technology needs and aligns with your technology strategy. Having a “want” list for technology donations may be helpful to increase the likelihood that you’ll get equipment you need. It will also provide a rationale for declining donations and limit requests for donation receipts for a tax deduction. The risk of being burdened with unusable or barely usable devices is not just the space they take up or the servicing that may be needed to use them. On top of that, such less-than-optimal devices may delay the needed acquisition of more useful equipment. Furthermore, make certain that donated equipment is sanitized so that it does not contain malware and that the donor’s data has been removed. (Make certain that donors understand that removing their data is their responsibility.)
–Grant funding of technology. Funders look carefully at the use of their funds for technology acquisition. Make certain that you follow best practices in scoping, pricing and implementation of your acquisitions. Funders may expect a rationale for the valuation of in-kind donations of technology equipment when it is used as part of a match for a grant. Also, funders may sometimes have more information and perspective on the maintenance and support costs for equipment. Not to put too fine a point on the matter, make certain that you understand why the donor is giving the equipment away. In short, be certain that your technology acquisitions with grant funding adhere to the terms of the grant.
Developing and Acquiring Systems, Data, Apps, and Projects
Developing or acquiring technology solutions is an expensive proposition. Keeping up to date with updates and new versions for both hardware and software is a significant added cost that, for many executives and boards is surprising and out of reach financially. The argument that both the initial acquisition and subsequent changes are actually cost-saving in the long term is often true, but still hard to digest which makes budgeting, securing bids and developing detailed plans for implementation and annual use critically important.
What to Watch For
Major problems can occur with integrating systems. Among the most common risks are:
–Integrating systems without doing research and due diligence on what they can and will do for the organization is a risk to watch out for. It is easy to rely on marketing documentation rather than the fine print and details of application programming interfaces (API) but the organization’s needs are likely to be addressed in the details of the APIs.
–Overvaluing the historical investment in existing (legacy) systems. It may have cost a great deal of money to implement a management system three years ago, but throwing it out today and replacing it with a different system might be a waste of money, or it may be an extremely prudent investment. As with cars, the value of investment in technology drops dramatically as soon as it is purchased and implemented.
–Ignoring or overvaluing the user aspects of systems. People grow to like (or loathe) the data systems and tools they use and they learn how to use them (or not). Avoid both extremes - balance human interest against organizational interests, recognizing that for many people, the hardware and software tools that they use turn into very personal matters.
Prevention
Preventing problems in acquiring, using and maintaining systems can be done with several basic practices. Pro bono guidance from expert volunteers and board members can be invaluable when their knowledge of the nonprofit’s needs and organization practice combine well with their technical expertise. On the other hand, their participation in implementation activities can blur the lines between board oversight and management so this kind of volunteer work should be directed by an executive director with board oversight.
Most of these problems can be reduced to one point: Make certain you (or someone in your organization or a trusted consultant) understand the problems you’re trying to solve, the technical details of the current solution, your in-house capacity to manage the technology platform, and the technical details of the proposed solution.
Particularly in organizations where in-house technical support is weak or nonexistent, remember that things will go wrong with technology—particularly in the development and acquisition of new systems. In these cases, make certain that you have backup and contingency plans.
Whether you hire consultants for the implementation of new systems, consider hiring a consultant to prepare contingency plans for the transition and switch-over. This expense should be budgeted and undertaken with the understanding that the best-case scenario will be to never need to use the contingency plans.
Summary
This chapter has highlighted some significant technology risk challenges in a broad manner. At this level of detail, board, management, and senior staff should be comfortable with the current and planned technologies for the organization and have clear expectations around what the technology can do and the kind of performance or management data it can generate.
We have addressed the various configurations of hardware and software—organization-wide standards and systems, as well as distributed standards and systems by functional areas. Today’s world of technology is diverse and rapidly changing; any organization that uses technology has to decide how to manage change and innovation in technology. Are you a cutting-edge innovator in technology, or do you rely on proven technologies? For organizations that deal with the public, what technologies do you expect your clients, patrons, staff, and users to be comfortable with?