GDPR means that data protection is a legal requirement - as well as an ethical one. Use our 2020 checklist to make sure your data is protected.
Data breaches can be hugely costly to charities, in purely financial terms and also in terms of disruptions to service delivery and in loss of trust from those whose personal data or confidential information may have been stolen.
The risk of a data breach is also very real: 25% of charities reported at least one cyber attack during a twelve-month period, according to the government’s Cyber Security Breaches Survey 2019. When these attacks lead to a data breach the financial cost alone can commonly exceed £100 per record stolen, according to IBM’s 2019 Cost of a Data Breach report.
But good data security is not just a good idea: when it comes to data about people it is a matter of digital ethics, and it is also the law. The General Data Protection Regulation (GDPR), which came into force in May 2018, obliges organisations including charities to take reasonable steps to protect "personal data", although it gives no specifics on how exactly data should be protected.
That’s why it is vitally important for charity leaders to keep the data they store as secure as possible from cyber attacks, and to ensure that only those that are authorised to access it can do so. Our 2020 data protection checklist highlights five important areas that should not be overlooked:
1.) Use strong authentication
Passwords provide staff with convenient, secure access to all kinds of data, but it is important to ensure that they don’t provide cyber criminals with the same easy access. That means changing any default passwords that come with new hardware and software, and ensuring that all passwords in use are long and difficult to guess.
Whenever possible, passwords should be used alongside some other form of authentication, such as a PIN sent to a smartphone, as part of a two-factor authentication (2FA) system.
Some security experts recommend that passwords are changed regularly, and it is important to ensure that accounts and passwords are deactivated when staff or volunteers stop working for the charity.
2.) Encrypt important data stores
Valuable information such as credit card numbers, as well as personal data and other confidential records, should be encrypted to make it hard for cyber criminals to use any data that they manage to access. (The GDPR does not expressly mandate the use of encryption, although it does say that organisations should use "appropriate safeguards, which may include encryption.")
Any data which is taken outside an organisation, for example on a USB stick, should also be encrypted in case it gets mislaid or stolen as a basic data protection measure.
Operating systems including Windows 10 and macOS have encryption systems, called BitLocker and FileVault respectively, built into some versions.
3.) Keep cybercriminals out
Viruses and other malware may download extra "payloads" such as keyloggers which record passwords when they are typed into a computer and send them to cyber criminals. Out-of-date software running on computers may include known vulnerabilities which cyber criminals can use to break into databases and other systems.
To help prevent this, charity leaders should ensure that all computers are running anti-virus security software. All but the smallest charities should also be running an effective firewall or security gateway which can filter out malicious internet traffic, including malware and phishing emails, before it reaches end-users’ computers.
4.) Raise "phishing" awareness
Phishing attacks involve fraudulent emails which entice users to download malware onto their computers or to provide cyber criminals with passwords that provide access to data. Phishing is a huge problem and one that is hard to tackle. That’s because charity staff need to detect and delete every phishing email they receive to remain secure, but cyber criminals only need one phishing email to be acted on for their attack to succeed.
For that reason, charities need to take the threat of phishing emails with the utmost seriousness, making staff aware that every time they click on a link in an email they were not expecting to receive, they could cause a serious security breach.
Larger charities should consider using services such as PhishMe, which raise awareness by sending simulated phishing emails to users and warning them when they click on one, so that they can recognise similar emails in future.
5.) Verify data in the cloud is secure
Many charities take advantage of cloud services to store large amounts of data, and in general cloud service providers have the resources and skills to ensure a very high level of data protection.
But if a security breach occurs then it is the charity and its customers, not the cloud service provider, who will suffer the most. That’s why it is the charity’s responsibility to ensure that any cloud service providers that they use are taking all the necessary security steps.
Sensible measures include ensuring that the provider complies with industry standards, and that its service level agreements align with its stated security processes. To comply with the GDPR it is also important to ensure that the cloud provider is storing personal data in the EU or within a jurisdiction that has similar levels of protection for data.