Data security should be a priority for every charity. Make sure you have not missed out any important security measures to keep your data out of the hands of hackers.
A data security breach can cost a charity dearly: both in financial terms, and through the harm that it does to the charity’s reputation. But there are compelling reasons why charities collect data about their constituents. These include helping with service delivery and fundraising, enabling a data-driven approach to operations, and allowing marketing teams to personalise their communications.
But in order to benefit from this vital data, charities must be able to keep it secure. Under GDPR regulations, people have a lot of control over how their data is shared. They won’t want to share it with organisations that they do not trust to keep it safe.
That’s why data security is so important, and why your charity should be taking the following ten measures to help secure its data:
If your data is encrypted then it remains secure even if it falls into the hands of cyber criminals. That’s because without the decryption key it is practically impossible for them to read the data.
You can encrypt data on laptops and desktop machines using the encryption systems built into some versions of Windows 10 and macOS, or with Microsoft’s BitLocker program, or third-party software such as VeraCrypt. Many endpoint protection software products also include encryption capabilities. Programs like BitLocker and VeraCrypt can also encrypt external drives and USB memory sticks.
Most encryption systems require users to enter a password before their data can be decrypted so that it can actually be used. That means that encryption only provides security if the password is a secure one. In practice, that means a password that is long (at least 12 characters), hard to guess, and which includes a mix of upper and lower case letters, numbers, and special characters.
You can check how secure any password is using the Kaspersky Password Checker.
The most secure passwords are made up of a random sequence of these characters which can be hard to remember, so it is a good idea to use a password manager such as LastPass or DashLane to store them.
You can make it harder for hackers or other unauthorised people to access your online accounts and the data they contain by enabling two-factor authentication (2FA) if it is available. All good cloud-based services should offer 2FA, and 2FA can usually be implemented on in-house systems.
2FA systems add a step to the logon process by requiring users to enter an access code sent to their phone or a biometric measure such as a fingerprint in addition to a password.
Phishing attacks are designed to trick people into providing their login name and password at fake websites, or to download software which records these details surreptitiously when they are entered. The cyber criminal then harvests those login details and uses them later.
Phishing attacks are very dangerous, so it is important that all charity workers are trained not to visit websites or download software via links in emails. Software such as PhishMe can be helpful in maintaining awareness of the threat of phishing attacks.
Social engineering involves convincing charity staff to reveal their passwords or provide access to confidential data by posing as someone else. For example, a common practice is to call up a staff member posing as someone from the IT department and ask them for their password under some pretext.
The best way to protect against social engineering attacks is to make it clear to staff that there are no circumstances under which they should reveal confidential information such as a password over the phone or via email.
Encryption protects data "at rest" – when it is stored on a computer disk or memory stick. But when charity staff access data over the internet – for example when connecting to office systems from home – then that data also needs to be encrypted "in flight" as it travels over the internet.
The best way to do this is by using virtual private network (VPN) software which encrypts the data at the beginning of its journey over the internet, and decrypts it when it leaves the internet.
VPN software is often included in larger charities’ internet routers, while smaller charities can use a VPN appliance or a security appliance which includes VPN software such as Cisco’s AnyConnect Apex VPN.
Ensuring that data is backed up regularly is important to protect against the possibility of data loss, for example in the event of a ransomware attack.
But backup data needs to be kept just as secure as the original data.
That means that encryption should be activated on backup systems, whether they are located locally or in the cloud.
Many password retrieval systems ask for personal information such as "mother’s maiden name" or "name of pet" before allowing users to reset a password. This information is supposed to be impossible for anyone else to know, but often it is available for anyone to see on Facebook or other social networks.
Hackers know this and collect many types of personal information about people to use during hacking attempts. For that reason, it is important not to share personal information on social networks that you have used when signing up to online accounts.
It is not always possible to keep hackers out of computer systems, but a data loss prevention (DLP) system makes it hard to steal data when they do break in. A DLP system works by recognising certain types of data such as credit card numbers, or particular file types such as spreadsheets, and blocking any unusual attempts to download large amounts of that type of data from your charity.
DLP software, which is often included in endpoint security systems as well as security appliances, can be very effective at limiting the damage that a hacker can cause.
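To show what the two DLP checks described above look like in practice, here is an added example (written for this article, not taken from any DLP product): it recognises card numbers in an outbound file using a pattern plus the Luhn checksum (so random digit strings such as phone numbers are not flagged), recognises spreadsheet file types, and blocks the transfer when the amount of card data exceeds a policy threshold. The sample export and the threshold value are constructed for the example.

```python
import re

# Constructed sample: a donor export a user is attempting to send out of the charity.
# The first two card numbers are standard test numbers that pass the Luhn check;
# the third is a random digit string that does not.
SAMPLE_EXPORT = """donor_id,name,card_number,amount
1001,A. Smith,4111 1111 1111 1111,25.00
1002,B. Jones,5500 0000 0000 0004,10.00
1003,C. Brown,1234 5678 9012 3456,5.00
1004,D. Green,not-a-card,15.00
"""

# 13-19 digits, optionally separated by spaces or dashes, as card numbers usually appear.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SPREADSHEET_SUFFIXES = (".csv", ".xls", ".xlsx", ".ods")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the normalised (digits-only) card numbers found in the text."""
    found = []
    for match in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def evaluate_transfer(filename: str, content: str, max_cards: int) -> dict:
    """Policy decision: block if more than max_cards valid card numbers would leave."""
    cards = find_card_numbers(content)
    return {
        "is_spreadsheet": filename.lower().endswith(SPREADSHEET_SUFFIXES),
        "card_count": len(cards),
        "blocked": len(cards) > max_cards,
    }


if __name__ == "__main__":
    print(evaluate_transfer("donors.csv", SAMPLE_EXPORT, max_cards=1))
```

A real DLP product would apply the same idea to network traffic, email attachments and removable media, with thresholds and data types set by policy rather than hard-coded.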
If you throw away an old computer or disk drive, then you never know who might retrieve it and what data they may be able to steal from it. So before you discard any computer or storage device make sure that you have deleted its contents securely. Simply deleting the files or reformatting the disk is not sufficient as data can still be retrieved after these actions.
The best way to delete the data from a hard disk drive securely is to use a program such as the free open-source DBAN hard drive eraser and data clearing utility which overwrites data multiple times to ensure that it can never be retrieved.
Solid state drives (SSDs) require a slightly different treatment: most SSD manufacturers offer free utilities which include a Secure Erase function which deletes all data securely.
For USB drives, the simplest option is to format the drive and then to destroy it with a hammer.