Charities must focus on IT security

This article is about IT security for charities, both computer security and information security.  To achieve good security can be quite demanding for charities and there are instances when they will have to go quite a few steps further than they might have envisaged, e.g. vetting software vendors to see if they are truly and adequately committed to security within their own organisations.  This is not as far-fetched a requirement as may be thought - you only have to think back about some big security scares involving top IT and web company names to realise how important this is.

However, there is much for charities to do themselves before even considering the security commitment of software vendors.  So let's start with the IT security responsibilities and priorities for charities themselves.  There are two main misconceptions around charities:

The first misconception, shared by many, both in and outside the charity sector, is that the information and security regulations and legislation that apply to companies do not apply to charities. To be clear, charities are subject to all information and security regulations and legislation that apply to companies. The principles of the Data Protection Act, and the need to report a breach or loss of data, apply to charities, and the Information Commissioner will levy fines on a charity as promptly as for a bank or merchant.

The PCI DSS requirements to secure credit/debit card details still apply and any non-compliance penalties will be levied as readily as for an online supplier.

The second misconception is based on the dual ideas that charities have no assets to protect, and that nobody would attack a charity because everyone knows they are the good guys. Unfortunately, some people see the good guys as a soft touch.

Like every company, charities have assets that must be protected – supporters lists, financial records, HR records, bank records, credit/debit card numbers, details of drug trials, details of vulnerable adults and children. The difference is that most companies have the necessary resources to protect their assets, while charities need to do the best with what they have and make effective use of scarce resources.

There is one other difference between companies and charities – the latter have more to lose. While many companies and organisations can survive a data breach and even malpractice by staff, charities remain the last bastion of integrity in the UK. Loss of reputation will severely impact on their continued existence and good work.

The first and last line of defence is the training of your employees.  However, when you look at the range of training, you have everything from the protocols used by military organisations to the training given to an employee at a petrol station franchise.  The nature of the organisation dictates the depth of training required for the employees, but the mere fact that an organisation is a charity doesn't mean it can opt automatically for a lower level of training for employees.  In other words, charity employees do need proper IT security training.

Challenging issue

When it comes to cyber security, this is a challenging issue in that most organisations do not have a security culture built from the ground up (such as military organisations).  How do we train our call centre employees to protect the information they are supposed to protect while still providing the customer service that they need to provide?  How do we ensure that our employees follow basic security practices related to the computers and services they use? 

There are important aspects which apply to charities. First, it is important to split protocols and practices for sharing information related to interacting with end customers from the best practices for using computers and mobile devices internally. 

When it comes to interacting with customers/beneficiaries and people outside the organisation, charity employees need to have clear guidelines to follow and very explicit instructions on how to handle conflicts and requests above and beyond what is appropriate. 

The most visible example of a poor implementation and execution of these guidelines was the compromise of the personal information of Mat Honan, which was due to the mechanisms that Apple and Amazon used to handle customer service.  Having clear, well thought through guidelines that are part of the fundamental training of the employees, and complementing this with blind testing, is a critical first step to ensuring that your employees are not being socially engineered (i.e. their vulnerability is not being exploited to breach security).

Similar method

When it comes to the use of computers and the best practices within the charity, a similar method of enforce, train and test is required.  For those things that can be enforced by the computers they should be: password policy should be enforced, and web browsing should be monitored when possible.  The final line is training related to phishing - your security team should phish your employees before the hackers do. There are a number of internal security teams and small companies which will help along these lines.

The main way hackers exploit humans is through social engineering: finding flaws in policies or appealing to human emotion in order to get people to reveal more information than is appropriate.  The other is to attempt to "phish", using an email or a "watering hole" (a website the employee commonly visits) to get them to click on a link which will then cause them to install malware.

Considerable process

Judging the security of a vendor can be a process lasting months, evaluating every aspect of development and delivery of the product.  Software quality/vendor security is something the industry in general has had a very hard time setting a standard for.  As there is no "gold standard" for measuring security, it is hard to require such proof from a vendor.  

The trick that can be used (one that is used by major companies) is to simply ask the vendor to talk with their security team.  If they can respond, provide a contact and that contact can provide a reasonable overview of the security precautions they take then you can be reasonably well assured that the vendor takes security seriously.  Things to look for when talking with the vendor's security team include:

• Employee training - do they train developers and operational staff about security concerns?

• Basic security practices - if they are distributing software, are they providing checksums for the download (to detect errors which may have been made during transmission or storage)? If hosting a website, are they using SSL (Secure Sockets Layer protection for transmitting private documents)?

• Secure development - do they have any practices related to ensuring the secure development of their software?  At the very least, look for some sort of automated analysis.

• Secure operations - do they have a vulnerability assessment program?  Do they hold themselves to an internal Service Level Agreement for patching known issues?

• Responsible disclosure process - do they have an established process to allow security researchers to disclose vulnerabilities found in their software or website?
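As an added illustration of the "checksums for the download" point above (example code written for this article, not a vendor's own tooling), the script below verifies a downloaded installer against the `sha256sum`-style listing a vendor typically publishes, and distinguishes a clean match from a mismatch and from a file the vendor never listed. The sample installer and listing are constructed inline; a checksum only detects corruption or substitution if the listing itself was fetched over a protected (SSL/TLS) channel from the vendor.

```python
import hashlib
import os
import tempfile

def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_checksum_file(text):
    """Parse a 'sha256sum' listing: one '<hex digest>  <filename>' per line.
    A leading '*' on the filename (binary mode marker) is tolerated."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name] = digest.lower()
    return expected

def verify_download(path, checksum_text):
    """Return (status, detail): 'ok', 'mismatch', or 'missing' (file not listed)."""
    expected = parse_checksum_file(checksum_text)
    name = os.path.basename(path)
    if name not in expected:
        return "missing", f"{name} is not listed in the vendor checksum file"
    actual = sha256_of_file(path)
    if actual != expected[name]:
        return "mismatch", f"expected {expected[name]} got {actual}"
    return "ok", actual

def demo():
    """Constructed sample: a tiny 'installer' plus vendor listings, in a temp dir."""
    payload = b"charity-donations-setup v1.2.3 (constructed sample installer)\n"
    good = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "setup.bin")
        with open(p, "wb") as f:
            f.write(payload)
        genuine = f"{good}  setup.bin\n"        # what the vendor should publish
        tampered = f"{'0' * 64}  *setup.bin\n"  # digest does not match the file
        return (verify_download(p, genuine)[0],
                verify_download(p, tampered)[0],
                verify_download(p, "")[0])

if __name__ == "__main__":
    print(demo())  # ('ok', 'mismatch', 'missing')
```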

This is not complete, but your purpose is not to establish if they are perfect at security, but rather to determine if they are serious about it.  We will all make mis-steps, the question is whether the vendor is prepared and equipped to recover and improve.  You need to establish that they have taken security seriously enough to establish a security team and that security team has the support to establish the basic practices within the organisation.

Don't be daunted by the task of checking on your vendor's commitment to security - it needn't be as fearsome as you might think.  You will be surprised at how keen many software vendors are to demonstrate that commitment - and anyway, an unhelpful vendor should automatically cut themselves out of being considered further.  Also, how they do things may give you some interesting thoughts as to your own charity's security.

Top tips

Here are some "Top 10" tips for charities to think about when it comes to maintaining their own IT security:

1. Write an understandable security policy that spells out who is responsible for what.  This doesn’t have to be War and Peace, just 10 or 12 items; probably the most important being to establish that staff should be open and professional in all communications.

2. Make it clear who owns the data.  It belongs to the charity and irrespective of roles it should remain safe and secure under the (ultimate) control of a good governance framework, with the appropriate controls being put in place to ensure that this remains the case. Information security awareness is paramount.  All staff should understand that the charity’s data has a value and must be treated appropriately.

3. Make it easy for users to do the right thing, and difficult to do the wrong thing when it comes to keeping information secure.

4. Tell staff how you expect them to handle and process your data before you allow access to it.  Good induction for new starters is probably the best chance you'll get.

5. Don't let suppliers treat security as an optional extra.  Security must be built into systems by design from the start, not added as an afterthought.

6. Be prepared to invest in information security.  A good CISO (chief information security officer) is a worthwhile expense, especially when compared to the cost of a fine.

7. The trustees need to understand their responsibilities and should be asking for a regular report of potential weaknesses.  Even a simple penetration test of the network will highlight deficiencies and demonstrate a responsible attitude to information security.  Another aspect is that this is all part of being ultimately compliant with SORP, particularly if you are a larger charity.

8. Don’t rely on contracts with third party suppliers of software and equipment. Carry out due diligence of suppliers before placing the contract and during the life of the contract. Don’t assume that everyone shares your high security standards.

9. Trustees must be aware of the regulations and laws relevant to all charities in the UK, and the impact on the charity in the event of failure to comply with these. The biggest impact of all will be adverse media attention.

10. The most important tip - use the free service and benefits of the Charities Security Forum. Membership is free and it promotes best practice across the sector, and gives advice and support to security personnel in charities of any size, sector or location.
