Safety in Service Delivery/Client Support by
Online Volunteers
But because of the massive rise in engaging with
employees, consultants, volunteers and clients online per the current
global pandemic, I'm getting a lot of questions about ensuring safety in
online service delivery by volunteers, where volunteers are interacting
with members of the client and the public.
The information below isn't a set of guidelines you
should follow for safety but, rather, a list of considerations - not all
of these suggestions are appropriate for every volunteer engagement
scheme. These suggestions are written specifically for NON tech staff -
instead, for the people that manage client programs and manage
volunteers, and the people that manage IT staff, so they can come to
this issue from a human support, human management issue FIRST, rather
than a tech issue.
Current policies
If your service delivery has been onsite, with volunteers working
together face-to-face, then your nonprofit, non-governmental
organization, charity, school or government program probably already
has policies and procedures meant to keep clients safe in their
interactions with volunteers. Your policies probably talk about social
media and online communications already and these policies have been
communicated to your volunteers already (right?). As you ramp up your
online interactions, it's a good idea to revisit these policies and
make sure they are up-to-date, and to make sure they have been
recently reiterated to your volunteers.
Options for keeping a device and network
safe
Whether you decide to make these options, recommendations or
requirements in your program is up to you - to your program managers and
maybe even to your legal counsel. How you apply state and federal laws
regarding regarding client safety also will matter.
Note that many of these recommendations are things that volunteers
are going to need one-on-one help with to set up any of the following.
Your program should consider having an email or phone number volunteers
can call to ask IT-related questions if you have to institute this level
of tech-security:
- Volunteers and clients should set up their computers, tablet or
smart phone to require a login - a login name and a password
- to be used, and for the device to lock after a set number of
inactivity. I actually DO think this should be a requirement of all
employees, consultants and volunteers your program engages, no
matter what the mission of your organization.
- Volunteers and clients must keep security software up-to-date.
Updates often include fixes for security bugs and for new threats.
Volunteers should be reminded that while those "Updates available!"
notifications can be easy to postpone, DON'T IGNORE THEM.
- Encourage or require volunteers to give the computer they will use
different user accounts — or “standard” user accounts — to
help protect one user's information safe from others, and to limit
the damage any one user could do. With a limited user account, users
won’t be able to install software or change system settings without
entering an administrator password. A standard user account
won’t shield users from all malware: a user could still download
malware and run it, infecting their own user account, however, the
malware shouldn’t be able to infect the entire system.
- Encourage or require volunteers to set
permissions on files or folders. They can password-protect
important files or folders on their computers by editing the
permissions settings, which control who can view or edit those
items. By editing the permissions settings of a folder the
computer user can grant or deny access to specific users that use
that computer. Here's how one site says how to do it:
-- In Windows, right-click the
folder, go to Properties, and open the Security tab. Then click the
Edit button. You can then select a group or user name and choose to
deny access to the folder. Someone trying to access it will be
required to put in an administrator password.
-- In Mac, this works
similarly. Go to the info properties of the folder and under Sharing
& Permissions, you can set users' privilege (read only, read
& write, no access).
Also remind
volunteers that they should set up password protection on their
networks attached storage or any drives shared over the network on
their computers.
- Warn about keyloggers. These are stealth software programs
that record keystrokes. Such software runs in the background of a
computer, unknown to the user, and literally records every single
key you press, often along with every mouse click you make. In the
aggregate, a key logger can record everything from the content of
the emails you write, to your passwords, to any personal chats you
have. Installing keyloggers on smartphones is most likely to happen
when someone is able to gain access to an unlocked device and
physically install a program. There are cases of parents installing
keyloggers on the laptops of their children - and vice versa. It's
relatively easy to do. So remind all staff, paid and volunteer
alike, to make sure they have a setup that requires someone to login
to their computers to use it, and that they have their accounts on
the computer password protected as well, and to lock their phones
whenever they aren’t using such. If a computer seems to lag when a
user is typing things, it could be an indication of a keylogger,
although many other scenarios can contribute to this symptom as
well. On a Mac, you can check the System Preferences to see if a key
logger has been installed - certain classes of keyloggers have to be
given/approved 'accessibility access' in order to capture
keystrokes. Under "System Preferences" on a Mac, go to "Security
& Privacy" and select "Accessibility." If you see any weird
programs that you don't recognize, you should take the time to
investigate them (and maybe deny said programs access to control of
your computer). Note: the software Objective-See provides simple OS
X security tools free of charge. It's produced by Patrick Wardle
(@patrickwardle), who created Objective-See to publish the personal
tools that I've created to secure my Mac.Malware and other
applications may install persistent keyboard "event taps" to
intercept your keystrokes. Also, ReiKey can scan, detect, and
monitor for keyloggers.
- Don’t let a public computer remember you. When a person
logs on to an email or a social media account, there is often a box
that says, ‘Remember my ID on this computer’ or just ‘Remember me’
next to it. Same for browsers: many browsers today ask you if you
want them to remember your login details to save you from having to
sign in to your frequently used accounts. Staff, paid and volunteer
alike, should be reminded to never use these functions on a computer
that is not fully owned by that staff (don't use this function on a
library computer, a hotel business center computer, a friend or
family's computer, etc.). Also do not use this function on a device
that you have not set up to be password-protected. Make sure you
don’t give a browser or pop-up window permission to remember your
details.
- Always sign out of accounts. This is not just important on
a device that isn't yours; you should also do this if you are ending
your time on a site. We often stay signed in to our email and other
frequently used accounts at home. At home, walking away from your
computer while you’re signed in to an account might not be a
problem, but if you have family or room mates, no matter how much
you might like them and trust them, you should put your computer to
sleep when you step away. A good security practice on a device you
don't share with others is to set this automatically is to set up
your computer, tablet or phone to sleep after a certain number of
minutes of inactivity, requiring you to log back into the device to
resume work. If you are using a shared computer, quit all of the
applications you have been using, including the web browser you were
using, on to on a shared computer.
- Avoid prying eyes. ‘Shoulder surfers’ sometimes lurk in
internet cafes and other public places. Shoulder surfers are people
who deliberately look for computer users and watch their keystrokes
as they enter their passwords. Remind staff to make sure no one is
sitting or standing within view of their keyboard when they enter
usernames and passwords.
- Think twice about using your device in public regarding your
volunteer service. In public, talking with anyone - family
members, friends, clients of your company, people you are assisting
as a volunteer - presents risks, whether its in-person, face-to-face
or online. Just as you shouldn't say out loud at a coffee shop,
"Here is my credit card number and expiration date" or "I just
cashed a $1000 check!", you should think about verbal and text-based
conversations you have in public via phone or via a computer or
tablet. Sitting in the airport or library putting keywords on photos
in a nonprofit's public online archive probably won't present any
security problems. By contrast, having a video conference with the
young person you are mentoring remotely in that same space might be
inappropriate. Pass any online activity on a public wi-fi network
through the Yelling Test: Would you yell the information you're
entering online in the public space you are in? If not, it might be
worth reassessing whether you should postpone the activity until
you're on a secure network.
- Encourage volunteers to use a virtual private network (VPN),
an encrypted internet connection that allows users to safely
transmit sensitive data, preventing unauthorized user access. Using
a VPN is an easy way to implement network security, while enabling
data protection. Note: the Health Insurance
Portability and Accountability Act (HIPAA) requires
healthcare entities, and their business associates, to have
safeguards in place to secure PHI identifiers - data
that can be used to identify, contact or locate an individual, or
data that can be used with other sources to identify an
individual. Implementing VPN in healthcare-related
programs provides many of the protections necessary to be HIPAA
compliant. Compliancy Group, a for-profit consulting firm, provides
this article, "Using
VPN for Healthcare Data Protection."
- Encourage volunteers to encrypt their hard drives. Many
computer experts say that protecting your laptop with a password is
not enough to prevent an attacker from accessing your files, because
if your laptop is stolen or the attacker has a lot of time, he can
remove the hard drive and read the files directly. To prevent this
and to protect your data from physical attacks, encrypt your
laptop’s hard drive. Here is how to do this on a macOS and
a Windows
PC.
The
FTC has a terrific guide to CyberSecurity. It reinforces a lot
of the above and goes into depth about some of the aforementioned
topics.
Also, remind volunteers that they can use *67 to block their numbers
and on on cell phone they change settings for caller ID, if they are
going to use their device with clients or the public (though clients
will need to know they may get calls from "caller not identified"
numbers as a result.
More Meeting, Practice & Policy Guidance
These are recommendations mostly from other organizations regarding
using tech to keep clients and their information safe as you move to
more online service delivery:
- Safety
in Virtual Volunteering (web page). Just as important as
technology is practices when it comes to keeping volunteers safe
and keeping clients safe with online volunteers. The screening
and supervision necessary for online volunteer engagement is
similar to what's required of volunteer engagement onsite, in
face-to-face settings: the kind and level of safety measures
depends on what the volunteer will be doing, where the volunteer
will be doing it, if the volunteer will ever be alone with a
client, how much information about clients a volunteer will have
access to, etc.
- Safety
in Virtual Volunteering (video). A short video (5:10) on
why safety is important in virtual volunteering and why you
can't just give everyone access to each other and hope for the
best.
- Using
Technology to Communicate with Survivors During a Public
Health Crisis. From the The National Network to End
Domestic Violence (NNEDV). This is a list of tools that programs
might consider for communicating with survivors remotely that we
think meet current best practice standards. Two key factors to
consider in any tool are 1) encryption options where the tech
company itself cannot see the content of the files because they
do not hold the encryption key – only you do, and 2) user access
options that allow you to control user-by-user access to the
content. While NNEDV does not endorse
these tools, they recommend them as well-suited to protect
privacy as they are currently set up.
- Remote
Workplaces During a Public Health Crisis , also from
NNEDV.
- The
University of California Berkeley has compiled
a list of cybersecurity resources relating to the novel
Coronavirus and telecommuting. Some of the resources are
UC specific, but much of it is applicable to anyone. The
Best Practices for Telecommuting Securely is particularly
good.
- 8
Tips for Holding Remote Meetings During the COVID-19 Pandemic.
Tips from TechSoup.
- Keeping
Your Nonprofit's Systems Secure During the COVID-19 Pandemic.
Tips from TechSoup that talk about a variety of security issues
to train staff, volunteers and clients on.
- Guidelines
for Configuring Zoom at Your Nonprofit. Safety and
security tips from TechSoup. Many tips can be adapted for other
platforms as well.
- Remote
Work Policy and Agreement (doc). Information from TechSoup
about DocuSIgn, a web-based service that allows you to upload
and send documents for electronic signature.
- Tools
to Support Remote Work: curated by TechSoup especially
regarding COVID-19 physical and social distancing requirements.
If you want detailed information on addressing online
safety and reducing risk, policy development and how to fully
integrate virtual volunteering in to all of your community engagement,
including how to set up and support an online mentoring program, see:
The
Last Virtual
Volunteering Guidebook
available
for purchase as a paperback & an ebook
from Energize,
Inc.
Completely revised and updated, &
includes lots more advice about microvolunteering!
Published January 2014.
Discuss
this
web page, or comment on it, here.
Quick Links
my home
page
my
consulting services & my workshops
& presentations
my
credentials & expertise
My book: The
Last Virtual
Volunteering Guidebook
contact me
or see my
schedule
Free Resources: Community Outreach, With & Without Tech
Free Resources: On
Community Engagement, Volunteering & Volunteerism
Free Resources: Technology
Tips for Non-Techies
Free Resources:
Nonprofit, NGO & other mission-based management resources
Free Resources: Web
Development, Maintenance, Marketing for non-Web designers
Free Resources: Corporate
philanthropy / social responsibility programs
Free Resources: For people
& groups that want to volunteer
linking to
or from my web site
The
Coyote Helps Foundation
me on
social media (follow me, like me, put me in a circle,
subscribe to my newsletter)
how to
support my work
To know when I have developed a new
resource related to the above subjects, found a great
resource by someone else, published
a
new blog or a new Tech4Impact email newsletter,
uploaded a new
video,
or to when & where I'm training or presenting, use any
of the following social media apps to follow me on any of
these social media platforms:
Disclaimer: No guarantee of accuracy or suitability is made by
the poster/distributor of the materials on this web site.
This material is provided as is, with no expressed or implied
warranty or liability.
See my web site's privacy
policy.
Permission is granted to copy, present and/or distribute a limited
amount of material from my web site without charge if
the information is kept intact and without alteration, and is
credited to:
Otherwise, please contact me
for permission to reprint, present or distribute these materials
(for instance, in a class or book or online event for which you
intend to charge).
The art work and material on
this site was created and is copyrighted 1996-2023
by Jayne Cravens, all rights reserved
(unless noted otherwise, or the art comes from a link to
another web site).