Community and Data Security

Starting a conversation that I’m not an expert in, but one that I’d like to at least be more confident in from a surface level perspective.

warning: long post, and maybe a bit of rambling
topic: data security and community
tldr: how are we keeping our community members’ data safe?

Heya Rosieland friends,

I attended the community chat today, and we talked about some very interesting things. In particular, two items we discussed were community tools and customer integrations in the broader context of engagement pains.

As I listened to other participants, I realized that one of my pain points of engagement is data security. We talk about the hundreds of different tools available to us as community members, but I sometimes feel like a missing part of the conversation is - how secure is the tool? How much data are we giving away for access to the said tool? With the scarcity of time, I don’t have the time to really look into this tool (nor do I feel like the expert). At the same time, my company is a small-ish non-profit, and our bandwidth is already minimal regarding technology integration; many times, I’ve been waiting for ages to get any movement.

I don’t know how much our members care, but maybe they do? However, I know internally, this is a huge focus for us at my organization. We service almost 3,000 higher education institutions across the US, which are already highly vulnerable to data security threats.

When considering this, not putting my member’s data or information in more compromised positions makes me cautious of third-party integrations. We are currently using Slack right now for our community, but I agree with some of the posts that I’ve been reading lately by Rosie and others that community integration is probably the wave of the future.

This way, I can create the data engagement reports that I need, we can build it in a way that is secure (and we feel confident that it is), and create more value. However, custom integration is costly and timely, which is why we are currently on Slack because we still decided that we had to do something and couldn’t wait on more resources.

Anyways, this was a long wind-up to starting a discussion about data security and communities.Here are some questions on my mind:

• Are you thinking about data security?
• How are you keeping your community’s data safe?
• Do you know what the ToS or data security rights you agreed to are for your third-party apps?
• Fun one: What’s one of the weirdest security data agreement prompts you’ve been asked to give?

@maggiot the community I help run most definitely is concerned with member data security, and I agree with your sentiments about third party tools. Many of the third party community data tools are quite new to the market, so having a little bit of skepticism is healthy – especially if you’re working with data security sensitive membership.

The company I work for has strong controls in place already (which helps), but probably the biggest thing we do is keep the data in enterprise-level tools (think CRM & business intelligence). I know it’s not affordable for many companies to go this route, but for our needs it’s imperative.

Another key data security point is custom development. Are you customizing your platform? Do you run any third-party plugins/solutions to transfer data custom built for you? It’s really important to make sure customizations are thought through and rigorously tested for security purposes if this matters to your community.

For some communities, leaking a few emails might not be a big deal; for others it’s an effort-ending event.

I almost signed up to a service (not community specific, more no-code), but halted my actions as the requirement was for them have access to all of my Google Drive. Yes there were work around, but it just put me off.

It would have also been really yes to just ‘accept’ the terms and I’m sure many people have without thinking about it.

I’m sure bigger companies are stricter rules in place, but for smaller ones I feel it is too easy to sign up to something you don’t know the inner workings of.

Well, if anything, I’m glad that the topic is finally surfacing in community spaces. I write and talk about data handling a lot. I’m not an expert in infosec but I consider my work in community “infosec adjacent” because the reality is that the greatest risks to data security are: (1) people and (2) access.

What are communities? People + access. This is why we should be talking about this more and learning more about the principles and best practices. In lieu of primary expertise, though, we have to depend on other experts. This is generally when IT policy comes into play. If you don’t have a dedicated IT staff, do you outsource to a firm? Who handles security for other parts of the business? Ultimately, you should consider putting some basic requirements in place, like SOC2 certification, which essentially hands off checking into the data handling practices of a third party to the certification body instead of trying to figure it out yourself.

When in doubt, ask the experts.

I agree wholeheartedly. While it might be unrealistic for some community programs to get SOC2 certified, I think it should be table stakes for any B2B community data vendor to be SOC2, if not ISO27001.