In recent years many charities have adopted at least some form of digital transformation programme, but is it an approach that’s vulnerable to sophisticated cyber-attacks?
Unfortunately yes, and particularly so for charities that provide care services or collect sensitive personal data. At the moment a stolen digital care record can attract a higher price on the dark web than stolen credit card details.
If you work in charity IT, you therefore face a balancing act. You want to help your organisation be more digital and experimental, but you don’t want to leave yourself open to attack. I believe there are a few clear steps you can take that will make this balancing act work.
Get a firm grip on Agile
Digital transformation is usually underpinned by Agile development methodologies, which are used to drive digital projects and ensure new services can be developed quickly and flexibly.
Agile can be really positive, because it helps charities create innovative new services and save money. Agile is also a challenge, however, because the experimentation that it encourages can often mean good information-security governance is ignored during development. All too often, IT teams are brought in to look at the security element too late.
To help manage this, IT teams need to educate their organisations on the importance of maintaining security alongside Agile. This could mean carrying out security-awareness sessions for all non-IT staff involved in digital projects, plus regular "threat" updates that reinforce the importance of security in all services. IT teams could also help themselves by doing some training in Agile methods and communicating how their existing policies are adapting to complement continuous development. It’s also a good idea to adopt an industry-recognised secure software development lifecycle that is compatible with Agile.
Ensure security measures are proportionate
On top of improving the external-facing services, digital also aims to improve internal efficiency – for example, by removing old paper-based processes.
However, these good intentions can fall flat if digital working is "locked down" by security systems that are over-zealous. Rather than being enablers, some of these systems currently work as barriers to productivity improvements.
One of the best ways to tackle this issue is a thorough review of the risk profiles of users and of the charity overall. This will make sure security measures are proportionate, reasonable and not a block on productivity. It requires a full review of data classifications to identify where security can be safely loosened, which takes effort, but in the long run it’s worth it.
Talk positively to get leadership backing
Charity IT leaders often complain that their security budgets are insufficient. This is frequently because some organisations see security as an insurance policy they’re prepared to risk not having, which leaves IT without the resources it needs to cope with a growing list of potential threats.
To change this, charity IT teams need to alter the language they speak and highlight the positives good security practice can bring.
Consider the new General Data Protection Regulation, which will tighten up the way charities use personal data. The best way to secure more budget for security is to explain why things like the GDPR can be a good thing. It shouldn’t be seen as a regulatory hurdle that needs to be jumped. The GDPR will make organisations much more efficient in the way they manage, process and protect personal data. As some organisations, including the RNLI, have already shown, the best practice that the GDPR promotes could also help charities use data more profitably for their own ends.
Overall, communicating this kind of benefit is the best way to get everyone in the organisation (especially leadership) to understand that cyber security can actually support, rather than block, the digital transformation programmes that many charities have made a cornerstone of their future strategies.