Safety in Service Delivery/Client
Support by Online Volunteers
But because of the massive rise in engaging with
employees, consultants, volunteers and clients online per the
current global pandemic, I'm getting a lot of questions about
ensuring safety in online service delivery by volunteers, where
volunteers are interacting with members of the client and the
public.
The information below isn't a set of guidelines
you should follow for safety but, rather, a list of
considerations - not all of these suggestions are appropriate
for every volunteer engagement scheme. These suggestions are
written specifically for NON tech staff - instead, for the
people that manage client programs and manage volunteers, and
the people that manage IT staff, so they can come to this issue
from a human support, human management issue FIRST, rather than
a tech issue.
Current policies
If your service delivery has been onsite, with volunteers
working together face-to-face, then your nonprofit,
non-governmental organization, charity, school or government
program probably already has policies and procedures meant to
keep clients safe in their interactions with volunteers. Your
policies probably talk about social media and online
communications already and these policies have been
communicated to your volunteers already (right?). As you ramp
up your online interactions, it's a good idea to revisit these
policies and make sure they are up-to-date, and to make sure
they have been recently reiterated to your volunteers.
Options for keeping a device and
network safe
Whether you decide to make these options, recommendations or
requirements in your program is up to you - to your program
managers and maybe even to your legal counsel. How you apply
state and federal laws regarding regarding client safety also
will matter.
Note that many of these recommendations are things that
volunteers are going to need one-on-one help with to set up any
of the following. Your program should consider having an email
or phone number volunteers can call to ask IT-related questions
if you have to institute this level of tech-security:
- Volunteers and clients should set up their computers,
tablet or smart phone to require a login - a login
name and a password - to be used, and for the device to lock
after a set number of inactivity. I actually DO think this
should be a requirement of all employees, consultants and
volunteers your program engages, no matter what the mission
of your organization.
- Volunteers and clients must keep security software
up-to-date. Updates often include fixes for security
bugs and for new threats. Volunteers should be reminded that
while those "Updates available!" notifications can be easy
to postpone, DON'T IGNORE THEM.
- Encourage or require volunteers to give the computer they
will use different user accounts — or “standard”
user accounts — to help protect one user's information safe
from others, and to limit the damage any one user could do.
With a limited user account, users won’t be able to install
software or change system settings without entering an
administrator password. A standard user account won’t
shield users from all malware: a user could still download
malware and run it, infecting their own user account,
however, the malware shouldn’t be able to infect the entire
system.
- Encourage or require volunteers to
set permissions on files or folders. They can
password-protect important files or folders on their
computers by editing the permissions settings, which
control who can view or edit those items. By editing the
permissions settings of a folder the computer user can
grant or deny access to specific users that use that
computer. Here's how one site says how to do it:
-- In Windows,
right-click the folder, go to Properties, and open the
Security tab. Then click the Edit button. You can then
select a group or user name and choose to deny access to the
folder. Someone trying to access it will be required to put
in an administrator password.
-- In Mac, this works
similarly. Go to the info properties of the folder and under
Sharing & Permissions, you can set users' privilege
(read only, read & write, no access).
Also remind
volunteers that they should set up password protection on
their networks attached storage or any drives shared over
the network on their computers.
- Warn about keyloggers. These are stealth software
programs that record keystrokes. Such software runs in the
background of a computer, unknown to the user, and literally
records every single key you press, often along with every
mouse click you make. In the aggregate, a key logger can
record everything from the content of the emails you write,
to your passwords, to any personal chats you have.
Installing keyloggers on smartphones is most likely to
happen when someone is able to gain access to an unlocked
device and physically install a program. There are cases of
parents installing keyloggers on the laptops of their
children - and vice versa. It's relatively easy to do. So
remind all staff, paid and volunteer alike, to make sure
they have a setup that requires someone to login to their
computers to use it, and that they have their accounts on
the computer password protected as well, and to lock their
phones whenever they aren’t using such. If a computer seems
to lag when a user is typing things, it could be an
indication of a keylogger, although many other scenarios can
contribute to this symptom as well. On a Mac, you can check
the System Preferences to see if a key logger has been
installed - certain classes of keyloggers have to be
given/approved 'accessibility access' in order to capture
keystrokes. Under "System Preferences" on a Mac, go to
"Security & Privacy" and select "Accessibility." If you
see any weird programs that you don't recognize, you should
take the time to investigate them (and maybe deny said
programs access to control of your computer). Note: the
software Objective-See provides simple OS X security tools
free of charge. It's produced by Patrick Wardle
(@patrickwardle), who created Objective-See to publish the
personal tools that I've created to secure my Mac.Malware
and other applications may install persistent keyboard
"event taps" to intercept your keystrokes. Also, ReiKey can
scan, detect, and monitor for keyloggers.
- Don’t let a public computer remember you. When a
person logs on to an email or a social media account, there
is often a box that says, ‘Remember my ID on this computer’
or just ‘Remember me’ next to it. Same for browsers: many
browsers today ask you if you want them to remember your
login details to save you from having to sign in to your
frequently used accounts. Staff, paid and volunteer alike,
should be reminded to never use these functions on a
computer that is not fully owned by that staff (don't use
this function on a library computer, a hotel business center
computer, a friend or family's computer, etc.). Also do not
use this function on a device that you have not set up to be
password-protected. Make sure you don’t give a browser or
pop-up window permission to remember your details.
- Always sign out of accounts. This is not just
important on a device that isn't yours; you should also do
this if you are ending your time on a site. We often stay
signed in to our email and other frequently used accounts at
home. At home, walking away from your computer while you’re
signed in to an account might not be a problem, but if you
have family or room mates, no matter how much you might like
them and trust them, you should put your computer to sleep
when you step away. A good security practice on a device you
don't share with others is to set this automatically is to
set up your computer, tablet or phone to sleep after a
certain number of minutes of inactivity, requiring you to
log back into the device to resume work. If you are using a
shared computer, quit all of the applications you have been
using, including the web browser you were using, on to on a
shared computer.
- Avoid prying eyes. ‘Shoulder surfers’ sometimes
lurk in internet cafes and other public places. Shoulder
surfers are people who deliberately look for computer users
and watch their keystrokes as they enter their passwords.
Remind staff to make sure no one is sitting or standing
within view of their keyboard when they enter usernames and
passwords.
- Think twice about using your device in public regarding
your volunteer service. In public, talking with anyone
- family members, friends, clients of your company, people
you are assisting as a volunteer - presents risks, whether
its in-person, face-to-face or online. Just as you shouldn't
say out loud at a coffee shop, "Here is my credit card
number and expiration date" or "I just cashed a $1000
check!", you should think about verbal and text-based
conversations you have in public via phone or via a computer
or tablet. Sitting in the airport or library putting
keywords on photos in a nonprofit's public online archive
probably won't present any security problems. By contrast,
having a video conference with the young person you are
mentoring remotely in that same space might be
inappropriate. Pass any online activity on a public wi-fi
network through the Yelling Test: Would you yell the
information you're entering online in the public space you
are in? If not, it might be worth reassessing whether you
should postpone the activity until you're on a secure
network.
- Encourage volunteers to use a virtual private network
(VPN), an encrypted internet connection that allows
users to safely transmit sensitive data, preventing
unauthorized user access. Using a VPN is an easy way to
implement network security, while enabling data protection.
Note: the Health Insurance Portability and
Accountability Act (HIPAA) requires healthcare
entities, and their business associates, to have safeguards
in place to secure PHI identifiers - data
that can be used to identify, contact or locate an
individual, or data that can be used with other sources to
identify an individual. Implementing VPN in
healthcare-related programs provides many of the protections
necessary to be HIPAA compliant. Compliancy Group, a
for-profit consulting firm, provides this article, "Using VPN for Healthcare Data Protection."
- Encourage volunteers to encrypt their hard drives.
Many computer experts say that protecting your laptop with a
password is not enough to prevent an attacker from accessing
your files, because if your laptop is stolen or the attacker
has a lot of time, he can remove the hard drive and read the
files directly. To prevent this and to protect your data
from physical attacks, encrypt your laptop’s hard drive.
Here is how to do this on a macOS and
a Windows
PC.
The FTC has a terrific guide to
CyberSecurity. It reinforces a lot of the above and goes
into depth about some of the aforementioned topics.
Also, remind volunteers that they can use *67 to block their
numbers and on on cell phone they change settings for caller ID,
if they are going to use their device with clients or the public
(though clients will need to know they may get calls from
"caller not identified" numbers as a result.
More Meeting, Practice & Policy
Guidance
These are recommendations mostly from other organizations
regarding using tech to keep clients and their information
safe as you move to more online service delivery:
- Safety in Virtual Volunteering
(web page). Just as important as technology is practices
when it comes to keeping volunteers safe and keeping
clients safe with online volunteers. The screening and
supervision necessary for online volunteer engagement is
similar to what's required of volunteer engagement
onsite, in face-to-face settings: the kind and level of
safety measures depends on what the volunteer will be
doing, where the volunteer will be doing it, if the
volunteer will ever be alone with a client, how much
information about clients a volunteer will have access
to, etc.
- Safety
in Virtual Volunteering (video). A short video
(5:10) on why safety is important in virtual
volunteering and why you can't just give everyone access
to each other and hope for the best.
- Using Technology to
Communicate with Survivors During a Public Health
Crisis. From the The National Network to End
Domestic Violence (NNEDV). This is a list of tools that
programs might consider for communicating with survivors
remotely that we think meet current best practice
standards. Two key factors to consider in any tool are
1) encryption options where the tech company itself
cannot see the content of the files because they do not
hold the encryption key – only you do, and 2) user
access options that allow you to control user-by-user
access to the content. While NNEDV
does not endorse these tools, they recommend them as
well-suited to protect privacy as they are currently set
up.
- Remote Workplaces
During a Public Health Crisis , also from NNEDV.
-
The University of California Berkeley has compiled a list of cybersecurity resources
relating to the novel Coronavirus and telecommuting.
Some of the resources are UC specific, but much of it is
applicable to anyone. The
Best Practices for Telecommuting Securely is
particularly good.
-
8 Tips for Holding
Remote Meetings During the COVID-19 Pandemic. Tips
from TechSoup.
- Keeping Your
Nonprofit's Systems Secure During the COVID-19
Pandemic. Tips from TechSoup that talk about a
variety of security issues to train staff, volunteers
and clients on.
-
Guidelines for
Configuring Zoom at Your Nonprofit. Safety and
security tips from TechSoup. Many tips can be adapted
for other platforms as well.
- Remote Work
Policy and Agreement (doc). Information from
TechSoup about DocuSIgn, a web-based service that allows
you to upload and send documents for electronic
signature.
- Tools to Support Remote Work:
curated by TechSoup especially regarding COVID-19
physical and social distancing requirements.
If you want detailed information on addressing
online safety and reducing risk, policy development and how to
fully integrate virtual volunteering in to all of your
community engagement, including how to set up and support an
online mentoring program, see:
The Last Virtual
Volunteering Guidebook
available for purchase as
a paperback & an ebook
from Energize, Inc.
Completely revised and updated, &
includes lots more advice about microvolunteering!
Published January 2014.
Discuss
this
web page, or comment on it, here.
Quick Links
my home page
my consulting services
& my workshops &
presentations
my credentials & expertise
Affirmation that this web site is
created & managed by a human.
My book: The Last Virtual Volunteering
Guidebook
contact me or see my schedule
Free Resources: Community Outreach, With & Without
Tech
Free Resources: Technology Tips for Non-Techies
Free Resources: Nonprofit, NGO & other
mission-based management resources
Free Resources: Web Development, Maintenance,
Marketing for non-Web designers
Free Resources: Corporate philanthropy / social
responsibility programs
Free Resources: For people & groups that want
to volunteer
linking to or from my web site
The Coyote Helps Foundation
me on social media (follow
me, like me, put me in a circle, subscribe to my newsletter)
how to support my work
To know when I have developed a new
resource related to the above subjects, found a great
resource by someone else, published
a
new blog, uploaded a new
video,
or to when & where I'm training or presenting, use any
of the following social media apps to follow me on any of
these social media platforms:
Disclaimer: No guarantee of accuracy or suitability is made by
the poster/distributor of the materials on this web site.
This material is provided as is, with no expressed or implied
warranty or liability.
See my web site's privacy
policy.
Permission is granted to copy, present and/or distribute a limited
amount of material from my web site without charge if
the information is kept intact and without alteration, and is
credited to:
Otherwise, please contact me
for permission to reprint, present or distribute these materials
(for instance, in a class or book or online event for which you
intend to charge).
The art work and material on
this site was created and is copyrighted 1996-2024
by Jayne Cravens, all rights reserved
(unless noted otherwise, or the art comes from a link to
another web site).