Jenny McTiernan, COO, ProTech (a MemberWise Recognised Supplier) asks Martyn Croft, co-founder of the Charities Security Forum and CIO at The Salvation Army UK Territory, for his thoughts on avoiding some of today’s key cybersecurity threats. With security high on the agenda the Salvation Army chose ProTech’s Government ‘OFFICIAL’ Security accredited CRM solution as the foundation of its Annual Appeal.
JMcT: What do you see as the weakest link within the cybersecurity defences of today’s Not for Profit (NFPs) and Charitable organisations?
MC: It could be firewalls feeling their age, antivirus solutions not updating as often as they should, but even if these organisations are surrounded by a ring of cyber steel, the reality is that it’s the folks on the inside who will wind down the drawbridge and let the bad guys in.
JMcT: So near the top of the list for information security officers should be the so-called ‘insider threat’?
MC: Yes, the potential threat from your own staff – that is not to say they are all bad guys. In fact, the number of cybersecurity incidents perpetrated by malicious insiders remains low, although the recent case at Sage (http://www.bbc.co.uk/news/business-37112870) illustrates that it’s still a very real risk.
Charities and NFPs need to widen the definition of staff and include not only employees but volunteers, contractors, vendors, and of course, members. Insider threats rooted in the actions of well-meaning or naïve staff may potentially be the biggest source of incidents so it is crucial that organisations make it easy for staff to do the ‘right’ thing, and difficult to do the ‘wrong’ thing, jeopardising your data security.
JMcT: With phishing emails as prevalent as ever, do you agree that the need to monitor email flowing into an organisation is increasingly important?
MC: Absolutely. Phishing is still favoured by the bad guys as an easy way of gaining access to information, obtaining user credentials, or infecting your systems with malware.
Filtering out the spam reduces the junk email, but it only takes a few to get through, and coupled with the ‘clicky-itis’ that afflicts most users, it becomes likely that one of these malicious emails will succeed in eliciting usernames and passwords, or even infecting critical systems.
The recent rise in the strain of malware known as ‘ransomware’ is high on the threat agenda. Distributed through email it relies on the recipient clicking on an attachment to launch an attack from inside an organisation’s defences, resulting in the malware encrypting every file it can find. With all files becoming unusable the choice is to restore from backups, or pay the ransom to get the decryption key.
JMcT: The prize asset of member organisations is their member database. What should organisations be considering as the key threats to the security of that data?
MC: With member databases hopefully held on a segregated part of the network with strict access control for designated individuals, what could possibly go wrong? A lot!
Most of the data making its way out of an organisation will be taking the email motorway to the wild blue yonder that is the internet, and when it comes to transferring data out of systems, email is often the lowest common denominator.
So exposing members’ data is more likely to occur via a database export emailed to a vendor; to a colleague; emailed home for the weekend; or inadvertently cc’d to a mailing list.
In this scenario, it does not take a hacker to break through the defences and pilfer data; it has been given away for free! Add to the mix file sharing services and USB devices and suddenly there is huge potential for precious data to be spread around in the name of convenience rather than compromise.
JMcT: Thank you, Martyn, for your insight. I am sure that for those NFPs and Charitable organisations who may still be struggling to come to grips with cybersecurity, your answers will be extremely valuable.
For those organisations already successfully implementing processes to avoid security breaches, it is always good to have a reminder of the key issues. Especially with regard to the threat from the ‘inside’.
It may well be worth checking exactly what security processes are in place within your organisation to ensure that everyone who has access to your data, including your members, is aware of what they should and should not be doing!
For those who have found the above Q&A valuable, I suggest you read the very interesting interview with Martyn that recently appeared on Computing entitled: An evangelist in the truest sense. You will need to be registered and to log in.
Jenny McTiernan, COO of ProTech
For more than 20 years ProTech (a MemberWise Recognised Supplier) has been delivering specialist CRM software and change management services to the Not for Profit (NFP) sector. Its Pro-8 CRM software operates in a Microsoft environment and delivers easily configurable specialist NFP modules.
Martyn Croft is co-founder of the Charities Security Forum, a group of information security people working for charities and not-for-profits, and CIO at The Salvation Army UK Territory, a Christian organisation and part of the universal Christian Church.