The Salvation Army UK is in the process of setting up a
charities' security forum with Cancer Research in an attempt to raise
end-user awareness and tackle various up-and-coming concerns such
as phishing.
The forum, which currently includes about 18 informal members of
all sizes, held its second meeting in early March and the eventual
aim, if the idea comes to fruition, is to work under the auspices
of the Charity Consortium's IT
Directors Group as a spin-off specialist interest group.
Martyn Croft, head of corporate systems at The Salvation Army UK,
says, "There is a growing need to
specifically address information security issues, and we are all
agreed that user awareness is one of the key challenges. It is a
massive undertaking in terms of education, but in a curious way the
data leakage problems at organisations like HMRC [Her Majesty's
Revenue & Customs] have probably done us all a bit of a
favour. In the past, it was not top of the agenda, but these days
senior management are much more aware of the issues."
This is leading information security to become increasingly
ring-fenced in IT budgets as the understanding grows that it is
everyone's business.
A useful initiative that The Salvation Army UK itself has
introduced to try and raise consciousness, meanwhile, is asking its
7,000 staff to use resources such as Bob's Business e-learning
tools.
The tools were developed by the Mid-Yorkshire Chamber of Commerce
together with the Department of Business Enterprise and Regulatory
Reform (formerly known as the Department of Trade and Industry),
and personnel complete a module per month.
Each module focuses on a different facet of information security,
such as backing up data or phishing, and personnel also receive a
desk calendar that provides hints and tips related to each month's
theme. These themes are then explicitly linked to the
organisation's acceptable-usage policy.
The most significant challenge in this context, Croft says, is
the growing use of consumer technology in the workplace. "The
biggest problem over the past few years has been the cross-over
between consumer and corporate technology. This consumerisation of
technology means that IT departments can end up with less control,
so it is important people understand that, while it may be OK to do
something at home, it is not necessarily OK to do it in the
workplace," he says.
This worry has led the organisation to standardise on the use of
corporate Blackberrys and also to provide users with USB flash
memory sticks that are controlled using Lumension's Sanctuary
Device Control.
The software enables administrators to assign permissions to
ensure that no unauthorised device can be used to download data
from the network. Additional policies are likewise enforced using
criteria such as download time and data volumes.
The charity is currently also in the process of rolling out the
data-encryption element of the product, but Croft says that its
most successful initiative to date has been simply to brand memory
sticks with the Salvation Army logo on one side and its name and
telephone number on the other.
"It is about making people aware that it is the organisation's
data and not their own. So by simply putting the logo and phone
number on the side, you are starting to classify the data as yours,
which is quite important psychologically," Croft says.
By the same token, however, he does not believe that it is
possible to hold back the tide, so accommodating this kind of
technology works better than either ignoring it or allowing people
to adopt it wholesale.
A further area of concern for the future is phishing. Although
this activity is not costing charities much money at the moment,
Croft considers that, as the financial services sector continues to
tighten up on its online information security mechanisms, phishers
will begin to look for softer targets.
And there are two likely ways of exploiting people, he says. On
the one hand, phishers can simply send out spam e-mails asking the
public to give money for a good cause to see who bites. "The
problem is that this is a double-edged sword, because you are not
only defrauding that person who is giving you money, but you are
also defrauding those that could have benefited from it," Croft
says.
On the other hand, criminals can - and do already - use charity
websites to authenticate stolen credit or debit card numbers by
giving a minimal amount before using them elsewhere to undertake
larger fraudulent transactions.
Croft knows about this problem not only because it happened to
him when his cards were stolen, but also because he found evidence of
such activity when looking at data from charity-donation websites
as part of his research for a master's degree course.
"The situation is real and it is there. We are not particularly
concerned about it right at the moment, but it is something that
charities need to be keeping their eye on and it ought to be on all
of their agendas. As we see phishers become increasingly
sophisticated, I really do think that it is an avenue they will be
exploiting more and more," Croft says.