Safety in Service Delivery/Client Support by Online Volunteers

Current policies

If your service delivery has been onsite, with volunteers working together face-to-face, then your nonprofit, non-governmental organization, charity, school or government program probably already has policies and procedures meant to keep clients safe in their interactions with volunteers. Your policies probably talk about social media and online communications already and these policies have been communicated to your volunteers already (right?). As you ramp up your online interactions, it's a good idea to revisit these policies and make sure they are up-to-date, and to make sure they have been recently reiterated to your volunteers.

Options for keeping a device and network safe

Whether you decide to make these options, recommendations or requirements in your program is up to you - to your program managers and maybe even to your legal counsel. How you apply state and federal laws regarding regarding client safety also will matter.

Note that many of these recommendations are things that volunteers are going to need one-on-one help with to set up any of the following. Your program should consider having an email or phone number volunteers can call to ask IT-related questions if you have to institute this level of tech-security: 

• Volunteers and clients should set up their computers, tablet or smart phone to require a login - a login name and a password - to be used, and for the device to lock after a set number of inactivity. I actually DO think this should be a requirement of all employees, consultants and volunteers your program engages, no matter what the mission of your organization.

• Volunteers and clients must keep security software up-to-date. Updates often include fixes for security bugs and for new threats. Volunteers should be reminded that while those "Updates available!" notifications can be easy to postpone, DON'T IGNORE THEM. 

• Encourage or require volunteers to give the computer they will use different user accounts — or “standard” user accounts — to help protect one user's information safe from others, and to limit the damage any one user could do. With a limited user account, users won’t be able to install software or change system settings without entering an administrator password.  A standard user account won’t shield users from all malware: a user could still download malware and run it, infecting their own user account, however, the malware shouldn’t be able to infect the entire system.

• Warn about keyloggers. These are stealth software programs that record keystrokes. Such software runs in the background of a computer, unknown to the user, and literally records every single key you press, often along with every mouse click you make. In the aggregate, a key logger can record everything from the content of the emails you write, to your passwords, to any personal chats you have. Installing keyloggers on smartphones is most likely to happen when someone is able to gain access to an unlocked device and physically install a program. There are cases of parents installing keyloggers on the laptops of their children - and vice versa. It's relatively easy to do. So remind all staff, paid and volunteer alike, to make sure they have a setup that requires someone to login to their computers to use it, and that they have their accounts on the computer password protected as well, and to lock their phones whenever they aren’t using such. If a computer seems to lag when a user is typing things, it could be an indication of a keylogger, although many other scenarios can contribute to this symptom as well. On a Mac, you can check the System Preferences to see if a key logger has been installed - certain classes of keyloggers have to be given/approved 'accessibility access' in order to capture keystrokes. Under "System Preferences" on a Mac, go to "Security & Privacy" and select "Accessibility." If you see any weird programs that you don't recognize, you should take the time to investigate them (and maybe deny said programs access to control of your computer). Note: the software Objective-See provides simple OS X security tools free of charge. It's produced by Patrick Wardle (@patrickwardle), who created Objective-See to publish the personal tools that I've created to secure my Mac.Malware and other applications may install persistent keyboard "event taps" to intercept your keystrokes. Also, ReiKey can scan, detect, and monitor for keyloggers.

• Don’t let a public computer remember you. When a person logs on to an email or a social media account, there is often a box that says, ‘Remember my ID on this computer’ or just ‘Remember me’ next to it. Same for browsers: many browsers today ask you if you want them to remember your login details to save you from having to sign in to your frequently used accounts. Staff, paid and volunteer alike, should be reminded to never use these functions on a computer that is not fully owned by that staff (don't use this function on a library computer, a hotel business center computer, a friend or family's computer, etc.). Also do not use this function on a device that you have not set up to be password-protected. Make sure you don’t give a browser or pop-up window permission to remember your details.

• Always sign out of accounts. This is not just important on a device that isn't yours; you should also do this if you are ending your time on a site. We often stay signed in to our email and other frequently used accounts at home. At home, walking away from your computer while you’re signed in to an account might not be a problem, but if you have family or room mates, no matter how much you might like them and trust them, you should put your computer to sleep when you step away. A good security practice on a device you don't share with others is to set this automatically is to set up your computer, tablet or phone to sleep after a certain number of minutes of inactivity, requiring you to log back into the device to resume work. If you are using a shared computer, quit all of the applications you have been using, including the web browser you were using, on to on a shared computer.

• Avoid prying eyes. ‘Shoulder surfers’ sometimes lurk in internet cafes and other public places. Shoulder surfers are people who deliberately look for computer users and watch their keystrokes as they enter their passwords. Remind staff to make sure no one is sitting or standing within view of their keyboard when they enter usernames and passwords.

• Think twice about using your device in public regarding your volunteer service. In public, talking with anyone - family members, friends, clients of your company, people you are assisting as a volunteer - presents risks, whether its in-person, face-to-face or online. Just as you shouldn't say out loud at a coffee shop, "Here is my credit card number and expiration date" or "I just cashed a $1000 check!", you should think about verbal and text-based conversations you have in public via phone or via a computer or tablet. Sitting in the airport or library putting keywords on photos in a nonprofit's public online archive probably won't present any security problems. By contrast, having a video conference with the young person you are mentoring remotely in that same space might be inappropriate. Pass any online activity on a public wi-fi network through the Yelling Test: Would you yell the information you're entering online in the public space you are in? If not, it might be worth reassessing whether you should postpone the activity until you're on a secure network.

• Encourage volunteers to use a virtual private network (VPN), an encrypted internet connection that allows users to safely transmit sensitive data, preventing unauthorized user access. Using a VPN is an easy way to implement network security, while enabling data protection. Note: the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare entities, and their business associates, to have safeguards in place to secure PHI identifiers - data that can be used to identify, contact or locate an individual, or data that can be used with other sources to identify an individual. Implementing VPN in healthcare-related programs provides many of the protections necessary to be HIPAA compliant. Compliancy Group, a for-profit consulting firm, provides this article, "Using VPN for Healthcare Data Protection."

• Encourage volunteers to encrypt their hard drives. Many computer experts say that protecting your laptop with a password is not enough to prevent an attacker from accessing your files, because if your laptop is stolen or the attacker has a lot of time, he can remove the hard drive and read the files directly. To prevent this and to protect your data from physical attacks, encrypt your laptop’s hard drive. Here is how to do this on a macOS and a Windows PC.

The FTC has a terrific guide to CyberSecurity. It reinforces a lot of the above and goes into depth about some of the aforementioned topics.

More Meeting, Practice & Policy Guidance

These are recommendations mostly from other organizations regarding using tech to keep clients and their information safe as you move to more online service delivery:

If you want detailed information on addressing online safety and reducing risk, policy development and how to fully integrate virtual volunteering in to all of your community engagement, including how to set up and support an online mentoring program, see:

The Last Virtual Volunteering Guidebook

available for purchase as a paperback & an ebook

from Energize, Inc.
Completely revised and updated, & includes lots more advice about microvolunteering!
Published January 2014.

  Discuss this web page, or comment on it, here.

---

  Quick Links 

---

  my home page
 
my consulting services  &  my workshops & presentations
 
my credentials & expertise

Affirmation that this is web site is created & managed by a human.
 
My book: The Last Virtual Volunteering Guidebook

contact me   or   see my schedule
 
Free Resources: Community Outreach, With & Without Tech

Free Resources: Technology Tips for Non-Techies

Free Resources: Nonprofit, NGO & other mission-based management resources

Free Resources: Web Development, Maintenance, Marketing for non-Web designers

Free Resources: Corporate philanthropy / social responsibility programs

Free Resources: For people & groups that want to volunteer
 
linking to or from my web site
 
The Coyote Helps Foundation
 
me on social media (follow me, like me, put me in a circle, subscribe to my newsletter)

how to support my work

To know when I have developed a new resource related to the above subjects, found a great resource by someone else, published a new blog, uploaded a new video,
or to when & where I'm training or presenting, use any of the following social media apps to follow me on any of these social media platforms:

                 

---

Disclaimer: No guarantee of accuracy or suitability is made by the poster/distributor of the materials on this web site.
This material is provided as is, with no expressed or implied warranty or liability.

See my web site's privacy policy.

Permission is granted to copy, present and/or distribute a limited amount of material from my web site without charge if the information is kept intact and without alteration, and is credited to:

Otherwise, please contact me for permission to reprint, present or distribute these materials (for instance, in a class or book or online event for which you intend to charge).

The art work and material on this site was created and is copyrighted 1996-2024
by Jayne Cravens, all rights reserved
(unless noted otherwise, or the art comes from a link to another web site).