Cybersecurity for Charities

FREE Resources

You're welcome to help yourself to any of the information we provide. Download it, print it, eMail it, share it with anyone you like.  Just make sure we get the credit!

Briefing Documents

Our briefing documents below provide a handy starting point for many of the information security issues that charities, and all organisations, regularly face.  We use them as topics for presentations and awareness programs, as well as content for email briefings to staff.

Email security
This briefing is a ready-made document for you to download highlighting the learning points needed for good eMail security and gives some invaluable tips to keep you safe.

Whilst eMail is probably one of the oldest technologies used for communicating, it still remains the most preferred way to enable us to communicate and share information with our colleagues and friends, whether for business or private purposes. However, like most digital solutions, it increasingly poses a threat to our personal and organisational information security. 

Click to download the PDF.

Passwords
A fundamental briefing in a self-contained document on the importance of passwords and why everyone needs to be able to prove their identity.

Passwords are the most common way of proving the identity of an individual before allowing them access to private information. So, if all that stands between you and your fortune is your mother’s maiden name you may soon be parted from it. Your password may be the only way of proving you are who you say you are, which means it is a secret worth keeping.

Click to download a ready-to-go PDF.
Identity theft
We've talked about protecting your identity before but how do you make it even more difficult for someone to steal your identity?  In this briefing we provide good advice about making it difficult for the bad guys to gather crucial information about that very important person - that's you!  Click here to download our briefing note - for free.
Privacy
With the amount of stuff published in the public domain one could be forgiven for thinking that society had given up the notion of ‘private’.  Share and share alike seems to be the norm, to the extent that it has become tricky to determine what is to be kept private.  And that which is to be kept private of course seems to have become the target for hackers in a never-ending quest, one supposes, to make all data public domain.

I suppose it’s a point of view.  In the interim before we reach this dystopia it may be worth giving a thought to what information assets your charity would like to keep private.  And before anyone says “charities don’t have any private data” you might want to gather your chief execs, your trustees, your staff, and your supporters around the table and apply the “what if we left this on a train” test to carefully selected items of information.  We'd be happy to guide you through the rules of the game.  But don’t tell anyone.
Free services
As we’ve recently found out, the price of ‘free’ isn’t the same as ‘no cost’.  The price of free, more often than not, is yourself.  You, my friend, are the product, and the systems you sign up for as ‘free’ are a contract to your willing participation in your data being sold.  Sorry for the harsh reality but folks really need to be able to differentiate between corporate and personal, and make a value judgement on what they’re prepared to sell in return for a service.  As an individual it’s your choice and there are some services that I will happily use in return for being the recipient of some blatant, if ill-targeted, advertising.  But that it turns out is merely the tip of the iceberg...

We should be professionally concerned with the attraction of our charity colleagues to these so-called ‘free’ services.  It might be easy on the budget to sign up for a free account on a social media platform but take a moment to ponder what your supporters will think if the innermost connections between your organisation and your beneficiaries are the target of unscrupulous profiling?   The urge to promote a charity’s activities on social media has been with us for a long time now, and the caution expressed by many in the information security profession has long since been overwhelmed by the tide of posts, updates, likes, and follows, that are gold dust to the giant corporations behind the social media platforms.  Be careful out there.  The price of free may well turn out to be your reputation.
Social engineering
What’s the easiest way to get someone’s password?  Hack their PC? Exfiltrate the user database? Nope, in the majority of cases it's much easier.  Just ask them.  No matter how many times you tell support staff to never ask a user for their password, it still happens.  It’s like no-one can help themselves and the urge to masquerade as an unsuspecting user is the divine right of service desk analysts everywhere.  It’s not that it’s a cardinal sin (although certainly very bad practice and an indication of lazy processes), nope, it’s more that it opens the door to what becomes ‘acceptable’...

So when Mr Bad Guy calls to say that you've a problem with your PC (yeah, right) it’s a cast iron certainty that he’ll say he’s from the IT department of some impressive or scary company before proceeding to ask for your password - and probably for your mother’s maiden name, bank card number, PIN code, and the name of your favourite film to boot.

You’d sort of hope that everyone will be so well aware of cybersecurity scams that they’ll smell a rat and simply put the phone down.  And if you're trying to look out for your staff, remember that it’s your credibility as the infosec expert that’s being degraded. Your users are being exploited.  Just tell 'em to say no, whoever the guy on the end of the phone may be.

Ethical hacking
The mysterious art of penetration testing won’t be a mystery to most information security professionals; in fact it will be a staple of any infosec diet, along with policies and awareness campaigns - more of which in future blogs.  But for many charities the thought of paying for what is properly termed ‘ethical hacking’ is often deemed a step too far.  Perhaps it’s the thought of what may be discovered, or the cost of paying for what remains an arcane art. And given the number and scale of hacks reported recently in the press it seems like anything to do with hackers is the domain of bad guys...

But as a means to seriously raise the stakes if you are worried that your external facing defences may be a little flaky, the power of the pentest can be second to none for grabbing the attention of the board.  To know that your firewall isn’t properly configured will give you the chance to address that particular problem before some curious outsider makes off with a copy of your company confidentials.  Getting a proper pentest carried out may cost a bob or two, but even a simple and free ‘do it yourself’ scan will give you valuable insight into what’s being revealed to the outside world. And if the results don't make much sense, we are dab hands at helping you understand the implications.
Phishing fraud
It takes about six days for folks to realise the enormity of a problem.  So imagine a disaster, say, like the tsunami in 2004, or perhaps Hurricane Katrina, or more recently Hurricane Harvey.  For many charities engaged in humanitarian work the need to mobilise, and mobilise quickly, in the face of such enormous natural disasters requires funds.  And the human need to support such work results in the generous and unconditional gifting of those funds.

So back to the six days.  That tends to be the time period after which folks feel a need to respond and usually with monetary help.  Your charity fundraisers probably know this and will gear up to expect it, but the bad guys know it too and you should also be prepared to expect a higher than usual proportion of phishing and scam emails being pumped through the internet.  And to capitalise on the propensity to give there will be a spate of spoof websites mimicking the online donations page of real or invented charities.  You may not see these undercover attempts to milk human kindness but you should be aware of the problem and consider how you might monitor the unscrupulous use of the good name of your organisation.
Online donations
When you buy stuff online do you pay with a debit card or a credit card?  Me?  Well I’m in the credit card camp mainly ‘cos I reckon that there’s just that little bit more protection - or shall we say less transference of risk.  I may be woefully wrong but judging by the calls I get from the credit card fraud team they seem to be on my case.  (Ask us about alligators sometime!) Spotting an attempt at the fraudulent use of credit card credentials has become a science and one that’s matured into preventing potential misuse before it’s too late.
Making it easy to take card payments is something that charities rely on to receive online donations from supporters, or to run their trading operations.  Put a bump in the road by having the payment card processors question the validity of the transaction and, more than likely, donors will look to put their money elsewhere.

It helps to smooth the way if charities comply with PCI-DSS.  And if you don't know what that acronym stands for then you’d better get googling quickly.  Arguably one of the data items that truly qualifies for the ‘hot potato’ tag, is the PAN (another acronym to google) and this is one data item you do not want in your database.  Or your spreadsheets. Or written on neat little piles of paper.  Or in someone’s homemade website.
There’s a whole payment card industry out there (that’s a clue by the way), and a whole stack of experts who can help guide you through keeping online payments safe.  But remember that when your supporters supply their payment card credentials in exchange for not much more than a warm fuzzy feeling, they and the banks expect you to take great care of what amounts to the keys to their bank account.  Get in touch if you want to know more.
Social media
The modern world now revolves around the use of social media.  Paupers and presidents alike use Twitter to make their pronouncements and innermost thoughts known to anyone who cares to listen.   You know the sort of thing we’re talking about – Twitter, Facebook, Snapchat, Instagram, Pinterest…  the list goes on and it’s likely that your charity too will be making its presence felt on these platforms to inform and to recruit supporters to the cause.

For information security professionals it’s worth stopping to think about the security aspects of these services.  For some individuals social media has become a way of life and status updates take priority for many often intentionally, or unintentionally, proclaiming personal and innermost thoughts to avid followers.  For charities though it should be more likely that a measured response needs to be taken when using these platforms to promote their work.  Whether you think these services are intrusive probably depends on your approach to communicating in general, and social media in particular.  For some folks it’s all about the reputation.  And for charities that’s something worth protecting.
Back to basics
For many charities it can be a bit daunting to get a handle on the cybersecurity issues that face them.  We get asked many times “where should we start?”  And since there’s barely a day goes by without the media reporting yet another cyber attack or data breach, it’s all too easy to get caught up in the frenzy and end up trying to do everything at once. There are some simple steps to take that will improve the security of your information.  And that’s what this is all about - ‘information security’.

How about starting with email?  It’s become a ubiquitous means of communication and collaboration yet as a technology has hardly moved on from its inception as a means of sending messages between people using networked computers. And it’s worth bearing in mind that plainly and simply it’s not secure.  We won't be the first to say that email is the electronic equivalent of writing your message on a postcard - in pencil - and sticking it to a tree for the recipient to read as they wander past.

For sure it’s become very elaborate but the bottom line is that your emails can fall into the hands of anybody and everybody as easy as clicking a mouse.  Think twice before clicking send, forward, or reply, especially if the content is what you might consider to be private, confidential or privileged information.

And ask whether you’d be happy to see it printed out and pinned to a tree.  We’ve got a handy guide available for the asking and it’s a good start to keeping your information secure when it wings its way around the email network.
Hackers
Despite our best attempts it would seem that the hackers have free rein to plunder our most precious assets.  Consider for a moment then how rigorously the information precious to your charity is protected and even if the answer is ‘very’, you might want to consider the consequences of what may be an inevitable breach.

Quietly and stealthily is the modus operandi for hackers these days.  The unobtrusive exfiltration of data is the name of the game and even if your data doesn’t make it into the trophy cabinet of the hacker collective, it may be damaging enough to demonstrate that your charity doesn’t take seriously its obligation to keep safe the data with which it is entrusted.

It’s difficult enough to keep on top of the inadvertent breaches caused by careless employees or those simply seeking to ‘do good’; and those who don’t see the damage that can be caused by sharing data with anybody and everybody.  With a good toe-hold on your system security, any inquisitive or malicious hacker could siphon off anything and everything from your databases - whether it has a perceived value or not.  Consider your systems open until proven otherwise and know that you’re not an easy target.
Risky business
It may be said that there are two types of info security professionals.  Those who try to remove and mitigate the risk; and those who measure and advise on the impact of the risk.  On the one hand we have those who can see the train coming down the track and do their best to stop it or divert it; and on the other hand we have those who calculate the likely impact and devastation the train will cause when it hits.

Both are valid approaches, and both may acknowledge the inevitable, but each requires different skills of the people who fulfil the role. 

For the techie working feverishly to head off the catastrophe it will be a triumph to have averted the disaster, but not if the systems have become unusable whilst the problem was addressed. 

For the risk manager the business will be able to make contingency plans in the full knowledge of the catastrophe facing them, but afterwards they may not be left with much of a business. 

The ability to assess the risk and then take the appropriate action is a mix of skills to be valued highly.

On the Web

Is Cybersecurity a risk for fundraisers? The SC guide for charities. - Written by us and featured in SC Magazine

IT Induction and Information Security Awareness. This pocket guide written by Valerie puts forward the case for an organisation-wide, and fully supported IT Induction and Information Security Awareness Programme. Available from IT Governance Ltd

© COPYRIGHT MARTYNANDVALERIE.COM 2019. ALL RIGHTS RESERVED.