Until recently the information held on a charity’s IT systems remained mostly within the physical boundaries of the organisation. Servers were located at HQ, and the computers used to access data were static and on-site. That made data security relatively simple to manage: protect the building and the network inside it, and you had protected the data.
Today, the devices that can access this information have become far more diverse and portable. Staff can now connect to systems from anywhere with an internet connection. What began with laptops, provided and controlled by the organisation, has evolved as staff have acquired ever more powerful portable technology of their own.
But as information becomes more easily accessible from outside the four walls, the risk of it falling into the wrong hands has also increased. Portable devices are also losable devices.
Some believe that because of the work NGOs perform they are less likely to be targeted by cyber-crime than businesses, and spending reflects that belief: even the largest charities in the UK spend far less on IT security than comparable commercial organisations, and many have no dedicated IT security function at all.
But attackers are rarely choosy about a victim’s mission; lax controls simply mark a charity out as an easy target, and charities hold exactly the kind of data (donor details, payment card data, records of vulnerable beneficiaries) that is worth stealing. So what can charities do to protect their IT systems and their sensitive data?
The primary IT risk for charities hasn’t changed: it’s not technology, but the behaviour of the people using it. And because so many charity staff now have access to powerful portable devices, it’s become even more important that they are aware of their responsibilities.
Education is key. Once staff have been told clearly what is expected of them, there is no excuse for anyone to claim ignorance about acceptable use of technology.
Every charity must have a regularly reviewed IT security policy led by an executive and with disciplinary consequences for those who fail to abide by it.
The rules need to be understood from day one by everyone who is granted access to systems. Giving someone an IT induction months after they join (if at all) simply won’t do any more.
And the person given overall responsibility for IT security should report directly to the board.
Here are some basic security rules every charity should follow:
- Never share passwords, and never reuse a charity password on another service
- Change a password immediately if there is any sign it has been compromised (blanket periodic rotation tends to produce weaker, more predictable passwords, so prefer long unique passwords and two-factor authentication where it is available)
- Disable leaver accounts immediately, and review who still has access to what at least quarterly
- Protect every portable device with a strong passcode, full-disk encryption and the ability to wipe it remotely if it is lost
- Don’t pass sensitive information across public systems (email, file-sharing sites, messaging apps) unless it is encrypted
- Avoid public wi-fi when connecting to the charity’s systems unless the connection runs over a VPN
- Make sure that every layer of your IT, from desktops and laptops to servers and mail gateways, is patched and has up-to-date malware protection
- Employ independent third parties to test your security measures regularly.
The Data Protection Act places clear responsibilities on organisations that hold information about people, and the PCI DSS card-payment standard imposes its own rules on any organisation that takes payment by debit or credit card. As a charity’s information becomes more widely accessible, the risk of breaching these obligations increases, and the fines and reputational damage that follow a breach fall on the charity, not on the member of staff who lost the laptop.
The good news is that there is a highly collaborative NGO IT community, and the Charities Security Forum exists to help members understand the issues and share good practice.
It’s free to take part. If your organisation isn’t a member already – join now.
Andrew Brenson is an IT consultant for the charity IT specialists itlab