Don't be the next charity case, says ASI's Niroo Rad
Howard Lake | 17 March 2006 | News
The Internet might have created a valuable fundraising channel, but watch out it doesn’t provide a backdoor to hackers, warns Niroo Rad, managing director of ebusiness software provider, ASI.
Unfortunately the UK Christian charity, Aid to the Church in Need (ACN), made the headlines for all the wrong reasons at the end of last year. Despite being the season of goodwill, the ACN’S IT system was hacked by criminals, who stole the personal details of more than 2,000 donors and then tried to extort money from them.
It emerged that the hackers were able to obtain donors’ names, addresses and credit card details by breaking industry-standard security features including encryptions and passwords. As well as contacting benefactors, ACN took the unusual step of publicising the attack to demonstrate that such attacks can – and will – happen.
Advertisement
This very unfortunate incident revealed that the goals of hackers are not just to attack ecommerce systems or deface an organisation’s website; they are also intent on stealing confidential data located in back-office databases, which poses an altogether different security threat. The unfortunate reality of operating online today is that any organisation without an enterprise IT system is more likely to be at risk.
Given that there was no immediate noticeable damage to ACN’s website, there was probably a time lag before they knew their systems had been compromised. During that period, donors could have lost money to hackers and more details could have been siphoned from ACN.
Non-enterprise systems are not designed to give administrators detailed information about who logged on last and what changes they made to the system, which can make understanding – and solving a threat – an even harder task.
Furthermore, the make-up of not-for-profit organisations, and their need to rely on legions of volunteers, makes it difficult to enforce a tight security structure since new campaigns can be launching simultaneously and people log onto the systems for limited periods of time.
As fundraising organisations transfer greater amounts of information online to speed up and automate the fundraising process, they open the door to more security threats. Worryingly, the end result might not just be stolen details or funds, but could also have legal and financial consequences if regulations, such as the Data Protection Act, are breached. This makes it an issue not only for IT managers, but also senior management.
It is widely recognised that investment in IT does not often top fundraing organisation’s senior management agendas, hence why many organisations under-invest in IT systems, despite the potential long-term improvements it can bring to working practices and the overall success of the organisation. This lack of investment and senior management direction is often why fundraising organisations opt for non-enterprise and bespoke systems, which might initially appear more cost-effective, but ultimately result in the creation of multiple databases and silos of information. They also tend to rely on a linear security system using simple password and log-on information, which can be bypassed.
By contrast, enterprise business management systems have sophisticated controls for data across all departments, which makes it easier to protect confidential information. Crucially, they have a multi-layered security system, which might take longer to install but is ultimately harder to compromise.
This type of business management system, combined with a layered security approach and a policy management strategy, is critical to ensuring confidential information stays that way.
By nature, hackers are devious, but this doesn’t mean your organisation has to be their next victim. Start by undertaking an immediate audit of the number of databases and the information it contains. Next, find out who has access to these databases and their purpose, as systems often grow over time but not the records that details who uses the data and why. Finally, review the security controls for each database to find out whether any vulnerability exists.
The bottom line is that whenever an organisation exposes itself through the Internet, there are inherent risks and security procedures can be undermined. It is far easier to take remedial action from a position of attack, than it is once systems have been compromised. Now is the time to take care of some important housekeeping, before it’s too late.
Niroo started his career at a start-up software company developing and implementing financial management systems. Following the sale of the business in 1985, he started an Apple Macintosh dealership that quickly became the UK’s second largest Macintosh reseller. Niroo then joined Blyth Software where he led the company’s expansion into seven European countries and the US and was one of the driving forces behind its successful floatation on the NASDAQ market in 1989.
Niroo then went on to found Caspian in 1990 where he successfully developed and implemented the Caspian suite of CRM software in UK. The relationship between ASI Inc and Caspian began in 1996 and culminated with ASI acquiring Caspian in April 2004, as part of its global expansion programme.
About Howard Lake
Howard Lake is consultant editor of UK Fundraising. He founded the site in 1994 and successfully sold it in 2022. As director of Giving X Ltd he is exploring growing giving on a massive scale.
He is the founder of Fundraising Camp and co-founder of GoodJobs.