Charities being able to adopt the necessary IT security
Whether your charity handles its IT, data and information security – and backups – in-house, or has outsourced it all to the cloud, one basic truth applies: improvements in anti-virus software – provided the software is kept up to date – mean that most malicious attachments are now stopped before anyone sees them. Staff therefore rarely encounter one, and are taken by surprise when one does get through.
Viruses and associated ransomware are as insidious and tenacious as ever, though, and there is no shortage of malicious attempts to use them, but good gatekeeping can keep the majority at bay.
Then there are Distributed Denial of Service [DDoS] attacks, which can cause mayhem to websites and computer networks. More about those later in this article.
Gatekeeping is not only about technology. It also involves human behaviour, which, if undisciplined, can result in a potentially dangerous virus infection or, in the case of ransomware, the files on a computer (and on any network shares it can reach) being encrypted and held to ransom until a payment is made.
Not taking security for granted
To explain that differently, staff, volunteers and interns in a charity shouldn’t get too comfortable with their online activities and take security for granted. To protect themselves better, charities should remain vigilant and train their people not to open attachments or follow links in unexpected emails, and not to visit suspicious “phishing” websites.
The latter can be as serious as opening a malicious attachment, because such sites can deliver malware and other threats, or present a web page that looks like your bank’s log-in page but isn’t. Entering your log-in details there hands them to the attacker, exposing you to ID theft as well as financial loss. The same applies to fake PayPal and similar websites.
Individuals working for a charity can be tricked by a phishing website, thereby putting themselves or the charity at huge risk.
Regular data backups essential
Let’s not forget the vital role that data backups play in good gatekeeping. Backups are not only useful in the event of a hard disk crash or theft of computers, or damage caused by fire or flood. In all those cases they can enable rapid business continuity through data/information restoration.
They also come in handy when a ransomware demand is made, because the demand can be ignored and the most recent backup restored to a clean computer. That only works if the backup itself was out of the ransomware’s reach: a backup drive or network share that stays connected will usually be encrypted along with everything else, so at least one copy should be kept offline or otherwise write-protected.
Backups are most effective when a disciplined regime of making them is followed. Real-time backups are ideal, but not always practical, especially in a small organisation. Frequent backups are viable, but depend either on discipline or on selecting automated, scheduled backups – and on periodically testing that a backup can actually be restored, since an untested backup is only a hope.
Bear in mind that any backups made locally, i.e. not online but in the office, whether on NAS [Network Attached Storage] devices or even USB drives, need to be encrypted and stored safely off-site until being used again; a stolen unencrypted backup is itself a data breach. Many smaller organisations don’t do that, adding to the risks they face from data breaches or loss of data – and subsequent fines by the Information Commissioner.
Charities which suffer data breaches face the wrath of the Commissioner. Breaches can come from the theft of office-based data backups, computers, tablets or smartphones. They can also come from insecure coding on a charity’s website or software applications, resulting in websites being hacked into and information – the names and contact details of donors, or details of children, the elderly or other vulnerable groups of people, for example – being stolen.
Charities should therefore ensure that the website developers they use meet at least a minimum acceptable standard of secure development. The same goes for software applications they buy in or borrow, or build on their own, perhaps with the help of a freelance software developer – another risk, however well intentioned the developer might be!
On the subject of external support, there is a risk to data from the practice of charities relying on outworkers, whose work devices might be exposed to information and data loss for a variety of reasons including theft.
Another reason is bad practice, ranging from allowing friends or associates to use the devices, to relying on inadequate or out-of-date anti-virus and anti-malware tools, visiting phishing websites and using public Wi-Fi hotspots. Even “secure” hotspots pose security threats, since the hotspot operator and every other user share the same network.
Safeguarding sensitive data is high on the agenda of charities, but with many being run on a shoestring, others with resources stretched to the limit, they are not always adequately prepared for the risks their data and information face.
An alternative approach to security
Charities with 10 or more people working for them have an affordable answer to issues regarding cyber security and backups – and threats posed by inadequately written applications: the hosted desktops element of cloud computing.
Where hosted desktops are deployed, all data and information processing is carried out in a secure data centre rather than on an in-house server or an individual desktop, laptop or tablet. Backups are therefore also made in the data centre, by the hosted desktops provider.
If the provider is ISO 27001 certified, an independent auditor has confirmed that the data centre operates an information security management system meeting the international standard for information security management. That does not guarantee that every individual action is faultless, but it does mean the controls are documented, audited and regularly reviewed.
ISO 27001 certification requires that a documented backup regime exists and is followed, allowing business continuity to be optimised should it ever be required. Secure storage of backups is handled by the provider. A second secure data centre ensures that in the unlikely event of the primary centre being affected by a “disaster”, the service offered by the hosted desktops provider continues; it is still worth asking the provider for its recovery time and recovery point objectives rather than assuming them.
Hosted desktops - or Desktop as a Service [DaaS] - also relieve a charity of most concerns about purchase and support of IT. And, crucially, because the data stays in the data centre, a lost or stolen personal device does not carry the charity’s data with it. Staff can work on their own devices without compromising the charity’s data handling policies, because they are only using the devices as hardware to access their work. The device itself still matters, though: malware on it can capture keystrokes and screen contents, so the usual hygiene of updates and anti-malware applies, and 2FA on the hosted desktop log-in limits what a captured password alone can do.
Distributed Denial of Service attacks
Recent research by security company Imperva concluded that the UK is now the second most targeted country after the US when it comes to DDoS attacks, which are designed to bring websites down and make computer networks unworkable. The number of attacks was up 200% in the past year, according to the firm, with some being directed by former workers disgruntled at their employer.
These disgruntled workers paid as little as a few pounds sterling to buy an attack from a DDoS-for-hire provider, highlighting the dangers that can come from within.
The smaller a charity, the less likely it is to have the resources to combat, or even prepare for, a DDoS attack. If its computer network has been outsourced to the cloud, as is increasingly happening, the cloud services provider should have the capability to stop an attack on the network or make it as brief and ineffectual as possible; this is worth confirming in the service contract rather than assuming.
Small charities and security
The hosted desktops approach to cloud computing enables even small charities to benefit from the sort of cyber security they may have envied until now: corporate level online tools that provide robust firewalls, web filtering, optional encryption of sent emails and management of all the access devices.
Other tools in the provider’s arsenal control and enforce acceptable use policies, block access to inappropriate websites and other sites the charity wants to exclude from staff access, and generally reduce misuse of the internet by a charity’s workers.
The fact that charities rely on volunteers/outworkers and interns for some or much of their day to day functioning exposes them to risks that have to be considered.
The risks can be countered through a combination of good practice and basic tools that the charity can use itself, if its IT hasn’t been outsourced to the cloud or a traditional IT company and it therefore doesn’t have access to the high-level, enterprise-quality tools used by a cloud services provider.
However, and critically for many charities, those tools are now affordable because the costs are shared with the provider’s other customers. Also shared is the cost of high-end, enterprise-grade software applications, which greatly reduces the risk posed by insecurely coded home-grown applications – though no application is free of vulnerabilities, so the provider must still patch promptly.
Two-factor authentication, or 2FA, is an option offered by some providers. It helps prevent unauthorised access to information and data by requiring, in addition to a user name and password (something the user knows), a second factor such as a one-time code produced by an authenticator app or hardware token (something the user has), so a stolen or guessed password alone is not enough to log in.
However, the National Institute of Standards and Technology [NIST] has, in its Digital Authentication Guideline (SP 800-63B), deprecated SMS as a way of delivering that second factor, because text messages can be intercepted or redirected, for example by SIM-swap fraud. Charities whose 2FA relies on SMS codes – the option many people use with Gmail, Apple and similar services – should expect to move to app- or token-based codes at some point.
Making the security decision
Charities can go it alone with cyber security and data backups or outsource the management of them.
Going it alone, combined with good gatekeeping, will reduce risks. Many smaller charities may have thought, until now, that this is the only option open to them. They would be wrong, because of the much lower costs made possible by cloud computing; costs that include safeguarding of computer networks to standards formerly enjoyed only by the biggest charities and companies.
Charities have the opportunity to make a break from past practices and bad habits and look at how cloud computing can meet their data and information security needs while delivering better-built and better-performing software applications.