Salvation Army to set up security forum for charity sector

The Salvation Army UK is in the process of setting up a charities' security forum with Cancer Research in an attempt to raise end-user awareness and tackle various up-and-coming concerns such as phishing.

The forum, which currently includes about 18 informal members of all sizes, held its second meeting in early March and the eventual aim, if the idea comes to fruition, is to work under the auspices of the Charity Consortium's IT Directors Group as a spin-off specialist interest group.

Martyn Croft, head of corporate systems at The Salvation Army UK, says, "There is a growing need to specifically address information security issues, and we are all agreed that user awareness is one of the key challenges. It is a massive undertaking in terms of education, but in a curious way the data leakage problems at organisations like HMRC [Her Majesty's Revenue & Customs] have probably done us all a bit of a favour. In the past, it was not top of the agenda, but these days senior management are much more aware of the issues."

This is leading information security to become increasingly ring-fenced in IT budgets as the understanding grows that it is everyone's business.

A useful initiative that The Salvation Army UK itself has introduced to try and raise consciousness, meanwhile, is asking its 7,000 staff to use resources such as Bob's Business e-learning tools.

The tools were developed by the Mid-Yorkshire Chamber of Commerce together with the Department of Business Enterprise and Regulatory Reform (formerly known as the Department of Trade and Industry), and personnel complete a module per month.

Each module focuses on a different facet of information security, such as backing up data or phishing, and personnel also receive a desk calendar that provides hints and tips related to each month's theme. These themes are then explicitly linked to the organisation's acceptable-usage policy.

The most significant challenge in this context, Croft says, is the growing use of consumer technology in the workplace. "The biggest problem over the past few years has been the cross-over between consumer and corporate technology. This consumerisation of technology means that IT departments can end up with less control, so it is important people understand that, while it may be OK to do something at home, it is not necessarily OK to do it in the workplace," he says.

This worry has led the organisation to standardise on the use of corporate Blackberrys and also to provide users with USB flash memory sticks that are controlled using Lumension's Sanctuary Device Control.

The software enables administrators to assign permissions in order to ensure that no unauthorised device can be used to download data from the network, although additional policies are likewise enforced using such criteria as download time and data volumes.

The charity is currently also in the process of rolling out the data-encryption element of the product, but Croft says that its most successful initiative to date has been simply to brand memory sticks with the Salvation Army logo on one side and its name and telephone number on the other.

"It is about making people aware that it is the organisation's data and not their own. So by simply putting the logo and phone number on the side, you are starting to classify the data as yours, which is quite important psychologically," Croft says.

By the same token, however, he does not believe that it is possible to hold back the tide, so accommodating this kind of technology works better than either ignoring it or allowing people to adopt it wholesale.

A further area of concern for the future is phishing. Although this activity is not costing charities much money at the moment, Croft considers that, as the financial services sector continues to tighten up on its online information security mechanisms, phishers will begin to look for softer targets.

And there are two likely ways of exploiting people, he says. On the one hand, phishers can simply send out spam e-mails asking the public to give money for a good cause to see who bites. "The problem is that this is a double-edged sword, because you are not only defrauding that person who is giving you money, but you are also defrauding those that could have benefited from it," Croft says.

On the other hand, criminals can - and do already - use charity websites to authenticate stolen credit or debit card numbers by giving a minimal amount before using them elsewhere to undertake larger fraudulent transactions.

Croft knows about this problem not only because it happened to him when his cards were stolen, but also because he found evidence of such activity when looking at data from charity-donation websites as part of his research for a master's degree course.

"The situation is real and it is there. We are not particularly concerned about it right at the moment, but it is something that charities need to be keeping their eye on and it ought to be on all of their agendas. As we see phishers become increasingly sophisticated, I really do think that it is an avenue they will be exploiting more and more," Croft says.
