Cyber security for charities 5: Clear rules required

A good induction for new staff is vital, writes Martyn Croft

Occasionally things get a bit closer to home, and it’s not unknown for information to be spirited away on purpose. The "insider threat" shouldn’t be taken lightly: if it happens to you, it wouldn’t be the first time that staff, acting alone or in concert, have helped themselves to what is your data, not theirs. Donor data, for example, should be safe and sound in your supporter database, not carried out of the front door on a USB drive.

Making things clear and unambiguous is a good way to ensure that staff know what’s acceptable and what’s not. Good policies are the cornerstone of information security and the user-access policy should be at the top of the list. Enacted by standard procedures, it’s something that can easily be checked and audited for compliance. An account for each and every user, coupled with password complexity and expiry rules, goes a long way towards establishing the basis of a secure organisation.
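The user-access policy above is the kind of rule that can be checked mechanically. The following is an added example, not from the article or its author: a small audit of a constructed user-account export against the three rules the text names (an account for each and every user, password complexity, password expiry). The export format, the field names and the thresholds (12-character minimum, 90-day maximum age, the list of generic login names) are assumptions for the demonstration.

```python
"""Audit a user-account export against a simple user-access policy.

Added example, not from the article.  The account record layout and the
policy thresholds below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Policy thresholds (assumed; tune to your own written policy).
MIN_PASSWORD_LENGTH = 12
MAX_PASSWORD_AGE_DAYS = 90

# Login names that suggest a shared or role account rather than a person.
GENERIC_NAMES = {"admin", "administrator", "finance", "fundraising",
                 "reception", "volunteer", "office"}


@dataclass
class Account:
    username: str
    holders: List[str] = field(default_factory=list)  # people who use the login
    min_length: int = 0                 # password length rule applied to it
    requires_complexity: bool = False   # complexity rule applied to it
    max_age_days: Optional[int] = None  # None means the password never expires
    enabled: bool = True


# Constructed sample export (invented names, not real people or systems).
SAMPLE_EXPORT = [
    Account("a.smith", ["Alice Smith"], 14, True, 90),
    Account("b.jones", ["Bob Jones"], 14, True, 90),
    Account("fundraising", ["Carol White", "Dan Green"], 8, False, None),  # shared login
    Account("admin", ["Ed Black"], 8, True, None),        # generic name, never expires
    Account("f.brown", ["Fay Brown"], 14, True, 180),     # expiry rule too lax
    Account("g.lee", [], 14, True, 90),                   # enabled but nobody owns it
]


def audit(accounts: List[Account]) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs; an empty list means the export complies."""
    findings = []
    for acct in accounts:
        # Rule 1: an account for each and every user, no shared or orphaned logins.
        if len(acct.holders) > 1:
            findings.append((acct.username,
                             f"shared by {len(acct.holders)} people; issue one account per user"))
        if not acct.holders and acct.enabled:
            findings.append((acct.username,
                             "enabled account with no named holder; disable it or assign an owner"))
        if acct.username.lower() in GENERIC_NAMES:
            findings.append((acct.username,
                             "generic login name; use named personal accounts"))
        # Rule 2: password complexity.
        if acct.min_length < MIN_PASSWORD_LENGTH:
            findings.append((acct.username,
                             f"minimum length {acct.min_length} below policy {MIN_PASSWORD_LENGTH}"))
        if not acct.requires_complexity:
            findings.append((acct.username, "no complexity rule applied"))
        # Rule 3: password expiry.
        if acct.max_age_days is None:
            findings.append((acct.username, "password never expires"))
        elif acct.max_age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct.username,
                             f"max age {acct.max_age_days} days exceeds policy {MAX_PASSWORD_AGE_DAYS}"))
    return findings


def is_compliant(accounts: List[Account]) -> bool:
    return not audit(accounts)


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_EXPORT):
        print(f"{user:<12} {finding}")
    print("compliant" if is_compliant(SAMPLE_EXPORT) else "non-compliant")
```

Run it against a real export by replacing SAMPLE_EXPORT with records read from your directory or application; the findings list is what an auditor would want to see, and an empty list is the evidence of compliance. The thresholds are deliberately in one place so they can be matched to whatever the written policy says rather than hard-coded into the checks.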

With the tightening of data protection laws in the General Data Protection Regulation, due to come into force next year, it doesn't pay to let personal information be leaked, whether through malicious actions or inadvertent disclosure. It’s all too easy for employees, volunteers or even chief executives to accidentally email all and sundry with information that should have been treated as confidential. Charities are not above the law, and this type of incident alone will attract censure and hefty fines from the Information Commissioner’s Office. It would be wise to ensure that a request for that spreadsheet of personal data is legitimate and, better still, to ensure that it never gets mailed to anyone as an attachment. Once it has left the safety of your servers, it’s difficult to protect data in transit as it wings its way across the internet, and end-to-end email encryption that would secure the content is rarely the norm, though increasingly required.

It could be argued that everyone knows how to use computers. That might be the case, but do they know how they are expected to use them at work? Everyone uses email, and social media is a breeze – for some it’s a way of life. But it’s doubtful, even though they might have every bit of consumer tech available, that they are aware of the systems, procedures, policies and good practice that are demanded of professional organisations. An IT induction, preferably delivered online and before someone starts the job, can ensure that staff become well versed in what’s expected before they get the keys to the crown jewels. It’s not about IT competency: the purpose of a good IT induction is to inform and educate, not only on the appropriate use and governance of internal services, but also on external regulation, compliance and risks. At the very least it should be made clear that it’s not all right to post confidential information on social media.
