When you buy stuff online do you pay with a debit card or a credit card? Me? Well, I’m in the credit card camp mainly ‘cos I reckon that there’s just that little bit more protection – or shall we say less transference of risk. I may be woefully wrong. But whichever camp you feel happiest with, it’s likely that your charity will be taking online donations, and possibly running some sort of trading operation. With each of these activities comes the requirement to comply with PCI-DSS. And if you don’t know what that acronym stands for then you’d better get googling quickly.
Arguably one of the data items that truly qualifies for the ‘hot potato’ tag, the PAN (another acronym to google) is one data item you do not want in your database. Or your spreadsheets. Or written on neat little piles of paper. Or in someone’s homemade website. There’s a whole payment card industry out there (that’s a clue by the way), and a whole stack of experts (some of whom are CSF members) who can help guide us through this morass. But remember that when your supporters supply their payment card credentials in exchange for a warm fuzzy feeling they expect you to take great care of what amounts to the keys to their bank account.
There’s a definite conference season when it comes to infosec, and for those tasked with organising events it can be a proverbial nightmare to find a date, a venue, and a compelling programme that will suit the majority of delegates. And along with the season’s programme of infosec events comes the inevitable deluge of emails advertising, encouraging, and promoting each event. It’s great to feel wanted, but how do you separate the genuine from the disingenuous? The scams and spams from the silver-plated invitations to the must-attend events? Sometimes it’s easy to differentiate, and a good line-up of top-flight speakers will help ensure that there is something to learn and some insights to be gained. For infosec pros working in charities it’s sometimes difficult to justify the cost of a ticket to conferences and events, but the cost needs to be balanced against the speed and depth of knowledge that expert speakers can impart to their audience. Choose wisely, minimise the cost, and learn lots.
Do you filter the content that comes flooding down your internet pipe and straight to the desktops of your users, or maybe to the devices of your beneficiaries? If not, then you might want to consider ensuring that at least your bit of the internet is ‘safe to surf’. Perhaps your charity has a particular stance on, say, gambling, so it would be rather ironic if your users were spending their lunch hour in a virtual casino. Of course the other side of this coin, so to speak, is the company-imposed censorship and the lock-down of liberty experienced by hardworking staff. After all, the internet is just a bit of fun, right? Wrong. The internet, and all that it contains, good and bad, is the very fabric of business these days. Go down the wrong road and your staff may find themselves in a part of town that’s not very friendly. Maybe it’s better to guide and signpost, and yes, to bar access to certain parts of the cyberworld in which we operate.
The mysterious art of penetration testing shouldn’t be a mystery to us information security professionals; in fact, it should be a staple of our infosec diet along with policies and awareness campaigns. Yet for many charities the thought of paying for what is properly termed ‘ethical hacking’ is often deemed a step too far. Perhaps it’s the thought of what will appear on the invoice, or what will appear in the report and need fixing. For some, ignorance may be preferable to bliss. But as a means to seriously raise the stakes when you know that your external-facing defences may be a little flaky, the power of the pentest can be second to none. To know that your firewall isn’t properly configured will give you the chance to address that particular problem before some curious outsider makes off with a copy of your company confidentials. Getting a proper pentest carried out may cost a bob or two, but even a simple and free ‘do it yourself’ scan will give you valuable insight into how you appear to the outside world. And if the results don’t make much sense, your colleagues in the CSF are dab hands at translating and interpreting the contents into an action plan. Or helping you celebrate the security of your organisation!
It seems that the modern world now revolves around the use of social media. You know the sort of thing we’re talking about – Twitter, Facebook, Snapchat, Instagram, Pinterest… the list goes on. And it’s likely that your charity will be making its presence felt on these platforms to rally supporters to the cause. But as an infosec professional it’s worth stopping to think about the information security aspects of these services. For an individual, it’s probably not a good idea to live your life online through these platforms, but many do and mostly get by, despite often revealing, intentionally or unintentionally, their personal and innermost thoughts. For charities, though, it’s likely that a more measured approach needs to be taken when using these platforms to promote their work. Whether you think these services are intrusive probably depends on your approach to social media. For some folks it’s all about the reputation. And for charities that’s something worth protecting.