Threats, awareness & data protection strategies : by Beverley Stonehouse
The charity sector has been under fire recently for poor data handling and privacy processes following the death of an elderly charity donor. The delegates at the 3rd Annual Charities Security Forum last week left with a clear mandate to safeguard client and donor personal information, despite the inevitable overheads to their organisations.
Part one of the CSF agenda considered threats, awareness & data protection strategies.
Stories start with a victim
Geoff White, technology producer at Channel 4 News, opened with a lively keynote that reflected on last year’s Talk Talk data breach. At the time of the incident, headlines focused on the number of client records extracted by hackers, but Geoff proposed that the subsequent fraud story has wider consequences. Cyber-criminals have been able to exploit the stolen data to defraud Talk Talk customers of thousands of pounds. Describing one customer’s story, he detailed how combining customer telephone numbers with previously acquired account information enabled fraudsters to carry out convincing and lucrative scams. Three workers at Talk Talk’s outsourced servicing company, Wipro, have since been accused of stealing customers’ data and using it to con them out of thousands. This development also highlights the risks of using third-party suppliers where access to sensitive personal information is involved. If you have not seen it, Geoff’s Channel 4 News report is worth watching.
Take-away #1: Charities have a stack of goodwill and are therefore more vulnerable to brand damage if something goes wrong.
Position yourself as the hero
All too often, information security departments are seen as a blocker, stopping the agility of the organisation by saying “No!”, said Richard Norman, Director of Information Governance & Risk Management at The British Council. If senior management only perceives IT as a cost centre providing little or no value to the organisation, funding will inevitably be restricted. He encouraged security professionals to talk in the language of business, defining information security risks as business risks that have an underlying technology risk. When senior management better understand the business consequences of information security risks, they are much more likely to engage and fund information security projects. This helps IT security and risk professionals to achieve a more permanent level of assurance, rather than a mad scramble for short-term compliance every time an audit takes place.
Take-away #2: Learn to communicate information security risks in terms executive management understands.
Villains are out there
Detective Chief Inspector Jason Tunn of the Metropolitan Police Crime Unit talked about the evolving threats his team are coming across in the field. He listed the top four cyber threats as: Bank Trojans, Angler Exploit Kits, Network Intrusions and Ransomware. He described how ransomware-as-a-service is hitting America and that the trend is likely to spread into Europe. Cybercriminals no longer need to be technical, as there are ‘hackers for hire’ and ‘rent a bot-net’ sites available on the internet. The trend is toward high-yield, low-risk cyber crime: it is far less risky than armed robbery! The threat to national security from these cyber attacks is real and growing. The DCI encouraged charities to sign up to the Cyber-security Information Sharing Partnership (CiSP) to share cyber threat and vulnerability information.
Take-away #3: Be prepared to share cyber threat and vulnerability information in order to increase overall situational awareness of the cyber threat and better protect your charity.
Resistance is futile
On first hearing, Star Trek fans may have been disheartened by this reference to the Borg, suggesting cyber security incidents can’t be stopped. However, the point that Bob Darcy, Director of Information Services at Barnardo’s, makes is one that is gaining ground among many information security professionals. Of course it is still critical to put layered defences in place to protect your most valuable assets, but it has become unrealistic to assume that an organisation can always be 100% secure. Bob notes that core IT services are moving to the edge and that privacy has to be balanced with transparency. It used to be relatively easy to defend everything on the network behind the perimeter wall. While advances in the industry, including the Cloud, mobile devices, the Internet of Things and greater third-party collaboration, are increasing business opportunities, they have also increased the risks. Charities need to determine where they are, or want to be, on this model’s axis and then identify the possible incident scenarios that may arise. Only by planning for the worst can charities be prepared and agile enough to bounce back from security incidents.
Take-away #4: Target resources at areas of highest risk and meticulously plan and test responses to potential incident scenarios.
Part one was rounded up with a threats panel session. It was noted that if the worst happens and a charity has been seen to skimp on security it will not play out well as a news story.
In a sector where charities live or die by a brand reputation that may have taken years to build, it is vital that trustees, employees and volunteers all understand the part they play in protecting personal information.