The new NAR “Organizational Alignment Core Standards” for associations passed in May of 2014, include having an interactive website. The website is essential for member access to critical professional information, as well as calls to action. But what if the websites many associations have today aren’t usable by many members because they can’t access the websites easily on the devices they normally use to browse the web? And what if merely visiting the association website is a somewhat risky thing for a member to do? That’s exactly the situation today.
|From “Organizational Alignment Core Standards”:V. Technology|
A. Every association must have an interactive website (defined as the ability to move between websites and create active links), post access to professional standards and arbitration filing processes on the website and create a link to the websites of the other levels of the association for promotion of member programs, products and services.
B. Every association must utilize an email and/or internet based means for member communication.
Clareity Consulting visited the top 100 association websites (by size) to evaluate them on two criteria – mobile friendliness, and the security of the web server platform. Our findings follow.
Mobile Association Websites
Almost all agents are mobile. According to NAR’s “2013-14 REALTOR® Technology Survey Report,” 94% use a mobile device to communicate with their clients. That means when they receive an email call to action from their association while “mobile” and click through to the association website, if the website is impossible or hard to use on a mobile device, the call to action will not be answered. If an association does not have a website that uses “responsive design” so that it works well on a phone or tablet, members are not going to read what the association has to say. A 2013 NAR study says that 65% of consumers on mobile who come to a mobile-unfriendly site will simply leave. Agents are likely not different from the rest of consumers in that respect.
Following is a more general consumer web-browsing comparison of desktop, mobile and tablet usage in 2013:
One can see how quickly desktop use is declining while mobile – especially phone use – is increasing. So it’s with some dismay that we present the results of our research: 61% of the top 100 real estate member-facing association websites are not mobile friendly.
The member’s situation is slightly different from that of the consumer in the following respect: when a consumer comes to a public-facing website, he or she likely has someplace else to go for information. A member, on the other hand, has no alternative but to use his or her association’s website to look up information, engage in an association-initiated call to action, or pay dues. When one forces a member to use a site to which his or her device is not suited, one is making interacting with your organization into a painful experience, one which the member will avoid if at all possible.
Remember – this research was conducted on the top 100 associations by size – ones that should have the resources to field a mobile-friendly website. So, it seems likely that the numbers could look even worse if this research was performed for all associations. The question about mobile that I want to leave you with is this: if your website is one of the 61% that isn’t very usable for most (or at least a significant number) of your members, are you really meeting Core Standards?
Mobile-friendly association website examples:
Miami Association of REALTORS®
Wilmington Regional Association of REALTORS®
Platform: Rapattoni Corporation
Association Web Server Security
I’ve gotten a number of calls in recent years about state and local association websites that had been hacked and were serving up viruses to visiting members. There were many reasons why the sites were vulnerable to hacking: unpatched web server software, unpatched platform (i.e. WordPress or Joomla) software, platform misconfiguration, insecurely written web application software, and more. Web servers are constantly being probed and tested by third parties who are interested in seeing whether the servers’ security can be compromised.
Now, I can’t run most of those tests outside of the context of performing a security audit, where I have formal permission to run the tests. But one thing I can easily do is to check whether the web server software itself has been patched to the latest version without known vulnerabilities. I can do this without formal permission because every time anyone requests a web page, most web servers send back information about what version of web server software they are running. This isn’t displayed in the browser, but it’s easy enough to view using any number of tools or browser plugins.
Clareity Consulting visited the top 100 associations’ websites, and noted the version information the web servers volunteered. In some cases, the web server’s version was secure, at least from a web server platform perspective. In other cases, the web server was an early enough version to have known vulnerabilities, and was insecure. In still other cases, the web server either did not report or concealed its version; whether or not the server platform was secure is not known. In a very small number of cases, the server was not the latest version, but was only somewhat insecure.
The results are as follows:
- 30% were insecure (26% very, 4% somewhat)
- 33% were known to be a secure version of web server platform
- 37% had unknown security – these servers did not report a full version number back to the browser
It’s important to realize that many of those with “unknown” security may still be vulnerable, especially if the distribution of versions is similar to what we observed in similar web server software where the version was not hidden. It’s just not possible to assess that one way or the other without running tests that require permission to run as part of a security audit.
Why I run two types of anti-virus when performing this research…
It is unacceptable that 30% of associations tested fail to keep web servers patched to versions without known vulnerabilities, and that the percentage of associations with serious security risk may turn out to be much, much higher if the “unknown” web server versions, along with platform patching, configuration, and web applications, are probed and evaluated. In my opinion, running an operation that takes reasonable care to not put members at risk via its website should be considered a core member service, even though NAR has not formally made it so.
Running an interactive website is important part of the new NAR Core Standards, and, for many associations, it has been an important part of providing services for at least fifteen years. I understand that associations’ resources are limited, and that upgrading a website to be mobile friendly can be a significant project. But it’s one that I strongly recommend for 2015. As for web server security, I know that not every association (certainly not the smallest of them) can afford to hire me for a full security audit to help manage the bigger risks, but keeping up with security patches doesn’t cost money – it should just be a part of what you do, or what you contract for with your website provider.
I will take another benchmark of association websites next year and, when I do, I hope that all those that I visit are mobile-friendly and have taken at least some reasonable steps to lower member and other visitors’ risk. Once these basics are in place, perhaps we can have a more in-depth online discussion regarding association website functionality and interface – but, first things first – let’s make sure the foundation is solid before we turn our attention to what has been built on top of it.
Share this post: