September 2011

In April 2011, Idealware asked a diverse set of nonprofits using Facebook how many people were on their email list, and how many Facebook fans they had. To find out how the two numbers related, we took the results from each of the 477 organizations that answered and plotted them visually.

Wondering how your organization stacks up? Check out the graphic here, and tell us what you think.

For the past decade, the bulk of unlawful web-based activities have been profit-motivated: phishing, spam, "Nigerian" money scams, and hacking to get credit cards. This year has seen a rise in politically motivated crimes, most widely exemplified by the loosely-knit group of hackers known as "Anonymous".  Anonymous hackers attack the websites of organizations, be they government, corporate or otherwise that they deem to be repressive or unethical.  In addition to defacing the sites, they've also routinely exposed confidential user information, such as login names, passwords and addresses.  If we are now entering the age where political cybercrime is commonplace, what does that mean for nonprofits?  How can we defend oursleves when we already struggle with basic security on tight budgets and limited resources? 

Two high profile victims were Sony, the gigantic electronics and entertainment conglomerate, and BART, the Bay Area Rapid Transit commuter service.

• Sony was initially a target for Anonymous after they took legal action against a computer geek named George Holtz, who figured out how to reprogram a Playstation game device in order to play blocked third-party games on it.  This violated the Sony license, but the hacking and gaming communities felt that the license restriction wasn't very fair in the first place. They considered the action against Holtz unwarranted and severe.  Sony also, famously, installed a hacker's rootkit, themselves, on a number of music CDs with interactive computer features, and were sued for that crime.,  Could it be that the hackers were particularly annoyed that this mega-corporation will stoop to their tactics, but sue them for similar actions?
• BART was targeted for more visceral actions.  Their internal police force shot Oscar Grant, an unarmed youth, in the back a few years ago, and then, again, recently, fired on a homeless man holding a knife, killing him. These actions drew the attention of the community and resulted in protests, some violent.  But BART only drew the attention of Anonymous when they took the step of blocking cell phone service at their four downtown San Francisco stations in order to quell communication about a planned protest.  This action is under investigation by the FCC and has been decried by the ACLU; it was quite likely illegal. Then it was revealed that, at a press conference to discuss the protests, they seeded the audience with BART proponents coached in what to ask and say.  
•  

Anonymous hacked a dozen or more Sony Websites and three BART websites in protest/retaliation for what they consider to be corporate crime. Here's how easy it was for them: one of the Sony servers containing hundreds of thousands of user account records was running on an old, unpatched version of Apache with no encryption. The initial attack was simply accomplished using a hack (SQL Injection) that is ridiculously easy to block (by updating to a current software version, in most cases). The Administrator password to get into the BART police site was "admin123".  The "hacker" who broke into that site reported that she'd never hacked a web site in her life, she just did a bit of googling and got right in.

These were corporate web sites, run by companies that take in vast amounts of consumer dollars every day, and they couldn't be bothered to do even the minimum amount of safeguarding of their customer's data.  They might not be the criminals, but is it wild to suggest that they were criminally negligent? This isn't a matter of them not having the money, resources or available expertise to protect our data.  It was a matter of them not taking the responsibility to protect it.  

What can nonprofit organizations, that aren't obsessed with bottom lines, do to avoid the problems that BART and Sony have faced?

• First and foremost, we need to protect constituent data.  If your NPO doesn't have the weherewithal to do that internally, than your online data should be hosted with companies that have strong commitments to security and privacy of customer data. 
• Second, should breaches occur (and they do), your primary goal should be timely, open communication with the victims of the data breach.  We're getting past the point where our constituents are naive about all of this (Sony has done a great job of prepping them for us).  So your first response to exposed constituent data should be to tell the constituents exacty what was exposed.
• One uncomfortable situation like this won't kill your credibility, but a history of bad or callous relationships will amplify it.  This is one of the reasons why good social media policies are critical -- the people who can support or sink you when something like a data breach occurs are on Twitter and Facebook, and they'll feed the media stream with support or slander, depending on how well you relate to them.
• We promote causes online, but we admit faults there, too.  We don't engage customers by lying to them, hiding things that impact them, or dictating the terms of our relationships with them.
• Our supporters are people, and they have their motivations for supporting us (or not) and their ideas about how they should be doing it.  Their motivations and reasoning might be quite different from what we assume. Accordingly, we should be basing our assumptions -- and campaigns -- on the best feedback that we can coax out of them.  Long-held industry assumptions are suspect simply because they're long-held, in a world where technology, and how we interact with it, is constantly changing.

If we ever needed reverse primers in how to manage constituent relationships, the Sony and BART fiascos are prime ones.  They are victims of illegal and unethical behaviour.  But by viewing their customers and constituents as threats, with callous regard for the people who keep them in business in the first place, they've created a public relationship that did nothing to stem the attacks. Sony has put far more money and effort into attacking and dehumanizing their customers with lawsuits and invasive, annoying copyright protection schemes than they have in listening, or trying to understand the needs and desires of their constituents.  BART has tried to block their ears so tightly to shut out public criticism of their violent, shoot first police force that they've crossed constitutional lines of conduct. We -- nonprofits -- know better. It's a two way relationship, not a dictatorial relationship with our supporters, that will serve as our most effective firewall.

Idealware has social media on the brain lately. Over the past year, we've done a lot of work around social media, and based on the eager response from our audience, have no plans to stop anytime soon. Not only are we updating our Nonprofit Social Media Decision Guide for October 2011, but we're also planning a new Social Media Policy Workbook to be released in the first quarter of 2012.

And both of these publications will include a directory of the consultants who can help organizations define and execute social media strategies. The nonprofits using our resources ask us over and over again for recommendations of consultants - purchase an affordable listing in the directory to make sure you're on their radar!

Our Nonprofit Social Media Decision Guide earned us a lot of praise when we published it last July, and we're updating it for an October release this year. But we also received feedback from organizations seeking more guidance and instruction as they began to take social media more seriously. To answer those concerns, we're working with a partner organization to create a second publication that addresses the next stage of social media activity. The Social Media Policy Workbook, to be released in the first quarter of 2012, will walk nonprofits of all sizes through the step-by-step process of creating an internal social media policy and formal documentation to meet the specific needs of their organizations.

Used in conjunction with one another, these publications will map the way for nonprofits to develop comprehensive strategies for external social media practice and internal policy. And both will include the Social Media Consultant Directory to allow them to find consultants who can help in the process.

The benefits to constituents are obvious. The benefits to consultants include getting your name out twice to those specifically thinking about social media strategy - once in October and again in early 2012, in both publications. And the directory is priced to make listings accessible to all--a basic listing starts at just $45.

Make sure nonprofits can find you when they're looking for a social media consultant by buying a listing in our Social Media Directory. Read more or purchase a listing at http://www.idealware.org/social-media-consultant-directory-2011

 I saw this Harvard Business Review stat that claims one in six IT projects are money pits, going on average 200 percent overbudget and taking 70 percent longer than planned.  I wonder what would happen if we could see only nonprofit IT project performance--what would that look like?  I suspect not much better, and possibly even worse on the scheduling side, as that's certainly been my experience. It makes me think that nonprofit organizations have a tendency to want to bite off more than they can chew when starting a new technology project, and this adversely affects the project.  This may be because the organization doesn't really know what's involved in--for example, setting up a new fundraising database or redesigning their website--or it may be that organizations simply don't allocate staff time for people who aren't "directly involved" on the project.  

Regardless of whether an internal IT person or consultant is assigned one of these projects, it's their responsiblity to make it very clear assistance is required from the rest of the organization, both in terms of staff time required and skills required.  I really enjoyed this post by David Geilhufe on the NTEN Discuss List (of course, you're an NTEN member, right? Right?!) which talks about a few of these issues.

One of the main responsiblities of the IT staff (or consultant) will be to divide the project into easily digestible chunks.  This work entails dividing the project into phases, defining clear business goals, assigning people to the project, and other steps.  Often this simply isn't done, or is hurriedly rushed through because "we need that website live next week!"  This is not a strategy for success, and then the organization gets into a downward spiral of "we need A, but it's taking too long to get, so we'll just assume B, and move on to the next item: C," which ends with no one being satisfied because what was created was not what was expected.

The attitude that "the technology will save us" seems to somehow prevent many organizations from doing much of this up-front work (planning, defining clear goals, process mapping, assigning people to the project, breaking projects down into pieces) required to have these technology projects be succesful.  You wouldn't roll out a new Homeless Prevention Initiative without doing up-front planning, so why would you think IT is any different?

Thoughts from the field?  How are projects handled at your org?  Are you biting off more than you can chew?