Author Archives: csforum

Conference Season

There’s a definite conference season when it comes to information security, and for those tasked with organising events it can be a proverbial nightmare to find a date, a venue, and a compelling programme that will suit the majority of delegates. And along with the programme of infosec events comes the inevitable deluge of emails advertising, encouraging, and promoting each event. It’s great to feel wanted, but how do you tell the genuine from the disingenuous? The scams and spams from the silver-plated invitations to the must-attend events?

Sometimes it’s easy to differentiate and a good line-up of top-flight speakers will help ensure that there is something to learn and some insights to be gained.  For infosec pros working in charities it’s sometimes difficult to justify the cost of a ticket to a conference but the cost needs to be balanced against the speed and depth of knowledge that expert speakers can impart to their audience.  Choose wisely, minimise the cost, and learn lots. And keep your eyes open for CSF events which are always reasonably priced and targeted specifically for you!

CSF Christmas Dinner 2016

I was very pleased to host a Christmas dinner on Thursday (8th December) for 20 members of the Charities Security Forum to mark the 9th year of the Charities Security Forum.

As is our custom for CSF meetings, we had several charities attending their first meeting – and what a meeting it was.

The venue was good (Four Seasons hotel, Park Lane), the food delicious, the wine flowed, the sponsors (Trend Micro, e92, Heat Software, Secon Cyber Security and Bottomline Technology) generous, and the company delightful.

So the wine flowed and the diners chatted. What were the topics under discussion?

The first was how charities secure personal information.

Like any company in the UK, charities must comply with the 8 principles of the Data Protection Act (DPA).

From 25 May 2018 the EU General Data Protection Regulation (GDPR) will affect every organisation that processes EU residents’ personally identifiable information (PII).

At first glance GDPR seems draconian, particularly the requirement to report breaches to the ICO in a much more timely fashion and the fine for non-compliance (4% of global gross income) – but only at first glance. If you are compliant with DPA you need only to improve your processes to provide more transparency and openness to the public.

And BREXIT will make no difference.


Rik Ferguson of Trend Micro took up the discussion to talk about the vulnerabilities of 2016, in particular, the rise of ransomware and the dangers of being personally targeted by social engineers who use information from sites such as LinkedIn and Facebook to find the link that will intrigue you into clicking rather than deleting the email.

Both topics developed into discussions around the table that lasted after dinner was finished and the table cleared.

Many attendees said, at the end and by email since, how much they enjoyed the evening.

If this is how the ninth year ends the tenth year promises great things.


 Brian Shorten – Chairman, Charities Security Forum

12 take-aways from the Charities Security Forum: Part One

Threats, awareness & data protection strategies: by Beverley Stonehouse

The charity sector has been under fire recently for poor data handling and privacy processes following the death of an elderly charity donor. The delegates at the 3rd Annual Charities Security Forum last week left with a clear mandate to safeguard client and donor personal information despite the inevitable overheads to their organisations.

Part one of the CSF agenda considered threats, awareness & data protection strategies.

Stories start with a victim

Geoff White, technology producer at Channel 4 News opened with a lively keynote that reflected on last year’s Talk Talk data breach. At the time of the incident headlines focused on the number of client records extracted by hackers, but Geoff proposed that the subsequent fraud story has wider consequences. Cyber-criminals have been able to exploit the stolen data to defraud Talk Talk customers of thousands of pounds. Describing one customer’s story, he detailed how combining customer telephone numbers with previously acquired account information enabled fraudsters to carry out convincing and lucrative scams. Three workers at Talk Talk’s outsourced servicing company, Wipro, have since been accused of stealing customers’ data and using it to con them out of thousands. This development also highlights the risks of using 3rd party suppliers, where access to sensitive personal information is involved. If you have not seen it, Geoff’s Channel 4 News report is worth watching.

Take-away #1: Charities have a stack of goodwill and are therefore more vulnerable to brand damage if something goes wrong.

Position yourself as the hero
All too often information security departments are seen as a blocker, stopping the agility of the organization by saying “No!”, said Richard Norman, Director of Information Governance & Risk Management of The British Council. However, if senior management only perceives IT as a cost centre, providing little or no value to the organization, funding will inevitably be restricted. He encouraged security professionals to talk in the language of business, defining information security risks as business risks that have an underlying technology risk. When senior management better understand the business consequences of info-security risks they are much more likely to engage and fund information security projects. This helps IT security and risk professionals to achieve a more permanent level of assurance, rather than a mad scramble for short-term compliance every time an audit takes place.

Take-away #2: Learn to communicate information security risks in terms executive management understands.

Villains are out there
Detective Chief Inspector Jason Tunn of the Metropolitan Police Crime Unit talked about the evolving threats his team are coming across in the field. He listed the top four cyber threats as: Bank Trojans, Angler Exploit Kits, Network Intrusions and Ransomware. He described how ransomware-as-a-service is hitting America and that the trend is likely to spread into Europe. Cybercriminals no longer need to be technical as there are ‘hackers for hire’ and ‘rent a bot-net’ sites available on the internet. The trend is toward high-yield, low-risk cyber crime, which is less risky than armed robbery! The threat to national security from these cyber attacks is real and growing. The DCI encouraged charities to sign up to The Cyber-security Information Sharing Partnership (CiSP) to share cyber threat and vulnerability information.

Take-away #3: Be prepared to share cyber threat and vulnerability information in order to increase overall situational awareness of the cyber threat and better protect your charity.

Resistance is futile

On first hearing, Star Trek fans may have been disheartened by this reference to the Borg, suggesting cyber security incidents can’t be stopped. However, the point that Bob Darcy, Director of Information Services at Barnardo’s, makes is one that is gaining ground among many information security professionals. Of course it is still critical to put layered defenses in place to protect your most valuable assets, but it has become unrealistic to assume that an organization can always be 100% secure. Bob notes that core IT services are moving to the edge and privacy has to be balanced with transparency. It used to be relatively easy to defend everything on the network behind the perimeter wall. While advances in the industry including the Cloud, mobile devices, the Internet of Things and greater 3rd party collaboration are increasing business opportunities, they have also increased the risks. Charities need to determine where they are or want to be on this model’s axis and then identify the possible incident scenarios that may arise. Only by planning for the worst can charities be prepared and agile enough to bounce back from security incidents.

Take-away #4: Target resources at areas of highest risk and meticulously plan and test responses to potential incident scenarios.

Part one was rounded up with a threats panel session. It was noted that if the worst happens and a charity has been seen to skimp on security it will not play out well as a news story.

In a sector where charities live and fall on brand reputation that may have taken years to build, it is vital that trustees, employees and volunteers all understand the part they play in protecting personal information.

Our Conference

For information security professionals, especially those working in charities, it can be difficult to justify the cost of a ticket to attend the many conferences and events that crowd the calendar at this time of year. As an investment though, a day spent at a conference can be the quickest, most cost-effective way to bring yourself up to date with what has become a fast-moving subject, and the depth of knowledge that expert speakers can impart to their audience becomes priceless. For the majority of delegates a good line-up of top-flight speakers will help to ensure that there is something to learn and some insights to be gained, but it’s important to ensure that as the target audience, or demographic in today’s media-driven world, you are getting focused, relevant, and topical content. It’s great to feel wanted, but distinguishing the scams, spams, and sales pitches from the silver-plated invitations can be difficult. That’s why we have the CSF Annual Conference on the 13th May. It’s designed especially for you so come and join us, minimise the cost, and learn lots. See you there!

Identity Theft

They say that imitation is the sincerest form of flattery.  Well, I’d say that identity theft is taking that a step too far.  The urge to masquerade as someone else may have deep roots in the human psyche but as usual the ‘bad guys’ have put a more sinister spin on things and are only too ready to exploit an alter-ego given half a chance.  Bogus passports, fraudulent bank loans, even online relationships, are all the province of those hiding behind the ‘front’ that the anonymity of the internet can purvey.

For charities dealing with the most human of interactions, taking their operations online is a challenge: they must establish not only a verifiable identity but also the trust that shows they can be relied on with that most precious collection of information which makes up the thing we call our identity.

Identifying the precious attributes that define your benefactors will help you to identify which information assets your information security controls should be protecting.  Keep ‘em safe.