‘Tis the Season to Think about Your Institution’s Online Giving Security
November 15, 2022
The season of giving is upon us, which means your institution is about to see a sharp uptick in the processing of monetary donations between now and the end of the year. Between #GivingTuesday activity, the end-of-year annual giving flurry, and your constituents taking advantage of the tax deductions on their institutional donations, it is incredibly important to ensure you are taking appropriate measures to safeguard the incoming financial data and position your institution for success this season.
But the unfortunate reality is that cybersecurity threats continue to plague higher education, and security teams are bracing themselves to see another spike in malicious activity this holiday season as cybercriminals try to capitalize on charitable giving scams. Once almost immune to cyber threats, higher education has now become just as susceptible and vulnerable as large financial organizations and government agencies.
Higher education institutions share many of the same components as the financial industry in how each handles Title IV funding and repositories of a wide array of PII and CUI data. This places colleges and universities in the same category as financial institutions, where they are required to follow federal laws and regulations regarding security (GLBA, PCI, HIPAA, GDPR, etc.).
The differentiating challenge, however, is in technology. Many higher education institutions lack the funding for security tools and technology platforms to safeguard their institution. As higher education security experts, we’re here to help you navigate your institution’s security surrounding financial processing this season.
No matter if you have a sophisticated online giving platform in place, or you are managing a low-profile processing solution, here are some things to consider as you move into this season of giving.
- Collaborate with your Alumni Association, Endowment Office, and others to properly vet the security of your institution’s selected online giving partner
- Ensure that any short-term landing pages or microsites built for collecting gifts for #GivingTuesday or your Day of Giving are secure and aligned with your institution’s domain and branding
- Confirm the proper and secure use of all online giving forms and any integrations with third-party processing vendors, including PayPal, Venmo, TouchNet, and more
- Ensure that all incoming financial data is encrypted
- If you do not have secure means for receiving private financial information, work with your Technology Department to provide you with an acceptable service or solution
- Only send giving campaigns to constituents through official institutional email channels
- Never send or accept regulatory protected information via unencrypted or unsecured email
- Be wary of email correspondence from internal and external individuals when communicating details of the campaign, and verify that the person communicating with you is who they say they are
- Never initiate campaigns that request credit card numbers or bank accounts to be sent via unsecured/unencrypted email; always use a secure online platform
- If you receive proprietary information via email, redirect the sender to utilize secure methods for future communications
- If accepting gifts through a phone center, be sure to securely save and protect any incoming private data, and follow your institution’s documented Retention Policy and/or shred upon completion of processing
Additional Security Best Practices
- Never release any confidential information to unknown and unverified people
- Do not use unencrypted USB or External Drives to store institutional data or private information, including a constituent’s giving history
- Avoid clicking links contained in email correspondence and instead open a browser and directly navigate to the site you are attempting to access
- Never share passwords or write passwords down for safekeeping; instead, use a password management tool
- Refrain from using account credentials (username and password) from your work accounts with personal subscriptions and services (e.g., LinkedIn, Facebook)
- Take advantage of Multi-Factor Authentication when possible
- Keep your computer up to date with operating system patches and anti-virus programs
- Enable a screen saver locking mechanism that requires a password when you leave your workspace unattended
- Be mindful of physical theft and loss and always secure computer equipment when not in use
- Understand your institutional policies regarding the classification and safe handling of customer information
- Practice Clean Desk procedures to ensure paper copies and documents are never left unattended
- If you notice or observe something suspicious or when in doubt, reach out to your Technology Department for assistance
Your institution’s relationships with alumni and other constituents are critical in keeping the doors open, as their support provides scholarships, funds for on-campus projects, and other operating needs. Providing them with a safe and secure online environment to support their alma mater will not only build trust but also instill pride.
Even if you do not have best-of-breed technology and highly secure systems and services at your campus, you must still take certain actions and maintain best practices to ensure your online giving and engagement efforts are safe and secure. Keeping your constituents’ data safe must remain one of your highest priorities in today’s cybersecurity battleground, and any department that works with fundraising and receiving gifts should share in the institution’s obligation to protect this data and incoming digital assets.
Interested in talking with our security experts about setting your institution up for success this holiday season? Let us know.
About the Author
The majority of Brian Cornell’s 20-year technology and cybersecurity leadership career has been spent supporting Higher Education Institutions to develop and mature their information security programs. He has extensive experience providing policy guidance, risk assessments, and strategic planning aimed to protect and secure institutional assets. As Chief Information Security Officer at OculusIT, Brian’s deep knowledge of security frameworks and compliance requirements supports our clients in the improvement and advancement of their security goals and initiatives.