Why charities need to protect their data
Jason Ashley, Senior Partner at IT security company BEW Global, explains why charities need to focus even more on protecting their data. He offers suggestions on how to protect data in motion and data at rest.
The rise in data security breaches and trade secret theft over the past year is a wake-up call for executives: network security alone is not enough for charities. Incredibly, one in 400 messages leaving an organisation contains confidential data, and one in 50 files on an open share (a folder that anyone on the network can read, add to, delete from or change without needing a username and password) is exposed.
I believe that the threat posed internally is just as great as at the perimeter.
Over the last few years we have seen an increasing number of internal network threats in the sector. These range from targeted spear phishing attacks, disgruntled employees and carelessness in a ‘get the job done’ culture, right down to intellectual property leaving on a device attached to the network.
Spear phishing attacks are particularly prevalent within the sector. Spear phishers send e-mails that appear genuine to employees or members of a company, organisation or group. The message might look like it comes from your employer, or from a colleague who would plausibly e-mail everyone in the organisation, such as the head of human resources or the person who manages the computer systems. It could include requests for user names or passwords.
The truth is that the sender information has been faked, or “spoofed”. Whereas traditional phishing scams are designed to steal information from individuals, spear phishing scams aim to gain access to the group’s entire computer system. Any employee who responds with a user name or password, clicks a link, or opens an attachment in a spear phishing e-mail, pop-up window or website risks becoming a victim of identity theft, and puts both themselves and the organisation in danger.
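The spoofing described above can be checked mechanically at the mail gateway. The following is an added example, not code from the article or from BEW Global: it parses a message's headers and flags the usual signs of a spear phishing e-mail (an internal From address that the gateway's own SPF/DKIM check did not verify, an envelope sender or Reply-To on a different domain, a display name that copies an internal role but points at an outside mailbox, and a body that asks for credentials). The domain, the role directory and the rule that the gateway strips any inbound Authentication-Results header and writes its own verdict are assumptions; the three messages are constructed.

```python
"""Flag e-mail whose sender information has been spoofed or that impersonates
an internal role. Added example, not code from the article or BEW Global.
Assumes the organisation's own gateway strips inbound Authentication-Results
headers and records its own SPF/DKIM verdict, and that a directory of internal
role mailboxes exists. All three sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "charity.example"                      # assumed internal domain
DIRECTORY = {                                       # assumed internal roles
    "Head of HR": "hr@charity.example",
    "IT Helpdesk": "helpdesk@charity.example",
}
CREDENTIAL_RE = re.compile(r"\b(password|passcode|user ?name|login details)\b", re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw):
    """Return a list of reason codes; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    from_dom = domain_of(from_addr)
    reasons = []

    # 1. Claims to be one of us, but our gateway could not verify it by SPF or DKIM.
    if from_dom == OUR_DOMAIN and "spf=pass" not in auth and "dkim=pass" not in auth:
        reasons.append("AUTH_FAIL")
    # 2. Envelope sender (Return-Path) and the visible From are on different domains.
    if return_path and domain_of(return_path) != from_dom:
        reasons.append("ENVELOPE_MISMATCH")
    # 3. Replies are quietly routed to another domain, usually the attacker's.
    if reply_to and domain_of(reply_to) != from_dom:
        reasons.append("REPLY_TO_MISMATCH")
    # 4. Display name is a known internal role, but the address is not that mailbox.
    expected = DIRECTORY.get(name.strip())
    if expected and expected.lower() != from_addr.lower():
        reasons.append("DISPLAY_NAME_IMPERSONATION")
    # 5. The body asks for credentials, the classic spear phishing payload.
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = " ".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")
    if CREDENTIAL_RE.search(body):
        reasons.append("CREDENTIAL_REQUEST")
    return reasons


# Constructed samples: a spoofed internal sender, a genuine internal mail, and an
# outside address borrowing an internal display name.
SPOOFED = """Return-Path: <bounce@mailer-promo.example>
Authentication-Results: mx.charity.example; spf=fail smtp.mailfrom=mailer-promo.example; dkim=none
From: Head of HR <hr@charity.example>
Reply-To: Head of HR <hr.charity@webmail.example>
To: staff@charity.example
Subject: Urgent: confirm your login details

Please reply with your user name and password so we can update payroll.
"""

LEGIT = """Return-Path: <hr@charity.example>
Authentication-Results: mx.charity.example; spf=pass smtp.mailfrom=charity.example; dkim=pass header.d=charity.example
From: Head of HR <hr@charity.example>
To: staff@charity.example
Subject: Annual leave policy

The updated leave policy is on the intranet.
"""

IMPERSONATED = """Return-Path: <it.helpdesk@gmail.example>
Authentication-Results: mx.charity.example; spf=pass smtp.mailfrom=gmail.example; dkim=pass header.d=gmail.example
From: IT Helpdesk <it.helpdesk@gmail.example>
To: staff@charity.example
Subject: Mailbox quota exceeded

Click the link and enter your password to keep your mailbox.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("impersonated", IMPERSONATED)):
        print(label, check_message(raw))
```

Note that the third message passes SPF and DKIM for its own domain, which is why the authentication check alone is not enough: it is the display-name rule and the credential request that catch it. In production the verdict in Authentication-Results is only trustworthy if your own gateway wrote it, so strip that header from inbound mail before adding your own.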
Internal staff still tend to believe that the network and its data are theirs to use as they please. Of course any organisation needs to allow its people the flexibility to enjoy their roles, but with access control, monitoring and blocking applied to the organisation’s data. It is important to remember that this is the responsibility of the organisation itself.
Let’s look at data and how you can protect it in more detail.
Data in motion
Charities need more than network security and access control to guard confidential data. Donor and member lists, financial information and personal details are particularly sensitive. The organisation must protect the data itself.
A good start would be to look at the three key elements of data visibility and control – namely:
• Where is your confidential data?
• Where is the data going?
• What do you do once you find exposed confidential data?
Look at solutions that offer encryption visibility and control. These secure ad hoc intellectual property and business communication, such as account details, through an encrypted email system. They let you conduct business electronically while ensuring compliance with regulations such as the EU Data Protection Directive and the US Gramm-Leach-Bliley Act (GLBA).
With encryption visibility and control you will know exactly where your confidential data is going. I have worked with many organisations to help them deal with this problem. I always recommend secure messaging integration to provide encryption visibility and control in four areas:
• Monitor and prevent information being sent over encrypted email and web channels;
• Automate and enforce policies for information that must be sent encrypted;
• Detect unauthorised use of desktop encryption;
• Safeguard employee privacy: the monitoring and blocking themselves must comply with the privacy laws of every jurisdiction in which you monitor staff.
Data at rest – protect your brand and reputation
Charities need to reduce the frequency and severity of both inadvertent and malicious data loss incidents to protect brand and reputation, safeguard data, protect intellectual property, and demonstrate compliance.
IT security is evolving and solutions are becoming much more sophisticated. To manage data at rest, choose a solution that discovers exposed customer data residing on shared file servers, web servers and desktops, and make sure it automatically quarantines or deletes that information. Quarantining is the safer default: it removes the exposure while keeping a record of what was exposed and where, which you need when deciding what to do next; deletion destroys that evidence.
Just as important, however, is preventing customer data from leaving the network, for example when an employee planning to work from home tries to send a customer data file to their Yahoo! mail account. Make sure you can block that transmission unless the individual is authorised to send it.
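As an added example (not code from the article or from BEW Global) covering both the discovery and quarantine of exposed data at rest and the outbound blocking described for data in motion, here is a minimal scanner and gateway policy in Python. It answers the three questions above in code: where the confidential data is (a walk over an open share), where it is going (sender and recipients of an outbound message) and what to do when it is found (move the file to a directory only the owner can read; allow, encrypt or block the message). The detectors (payment-card numbers confirmed with a Luhn check, UK sort codes, bulk e-mail lists), the domains, the authorised-sender list and the thresholds are all assumptions; the share contents and the three messages are constructed.

```python
"""Discover exposed confidential data at rest and apply an outbound policy to
data in motion. Added example, not code from the article or BEW Global. The
detectors, domains, authorised-sender list and thresholds are assumptions;
the share contents and messages below are constructed."""
import os
import re
import shutil
import tempfile

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")       # 13-19 digits, optional separators
SORT_CODE_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b")  # UK bank sort code, e.g. 20-00-00
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
INTERNAL_DOMAIN = "charity.example"                  # assumed
AUTHORISED_SENDERS = {"finance@charity.example"}     # assumed: may send confidential data out


def luhn_ok(digits):
    """Luhn checksum; drops digit runs (phone numbers, IDs) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Count the kinds of confidential data present in a piece of text."""
    pans = [re.sub(r"[ -]", "", m) for m in PAN_RE.findall(text)]
    return {
        "card_numbers": sum(1 for p in pans if luhn_ok(p)),
        "bank_details": len(SORT_CODE_RE.findall(text)),
        "email_addresses": len(set(EMAIL_RE.findall(text))),
    }


def is_confidential(counts):
    """Policy: any financial detail, or three or more addresses (a donor/member list)."""
    return (counts["card_numbers"] > 0 or counts["bank_details"] > 0
            or counts["email_addresses"] >= 3)


def scan_share(root, quarantine_dir):
    """Walk an open share; move files holding confidential data into a directory
    only the owner can read, and report what was found in each file."""
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                counts = classify(fh.read())
            if is_confidential(counts):
                dest = os.path.join(quarantine_dir, name)
                shutil.move(path, dest)
                os.chmod(dest, 0o600)       # readable by the quarantine owner only
                report[name] = ("quarantined", counts)
            else:
                report[name] = ("ok", counts)
    return report


def outbound_decision(sender, recipients, text):
    """What the mail gateway should do with a message: allow, encrypt or block."""
    if not is_confidential(classify(text)):
        return "allow"
    external = [r for r in recipients if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]
    if not external:
        return "allow"      # confidential data staying inside the organisation
    if sender.lower() in AUTHORISED_SENDERS:
        return "encrypt"    # authorised to send it out, but it must leave encrypted
    return "block"          # e.g. a donor list forwarded to a personal webmail account


def demo():
    """Constructed share with three files; returns the scan report and the gateway
    decisions for three messages so the behaviour can be checked."""
    share = tempfile.mkdtemp(prefix="share_")
    quarantine = tempfile.mkdtemp(prefix="quarantine_")
    samples = {
        "donors.csv": ("name,email,sort_code\nA Smith,a.smith@mail.example,20-00-00\n"
                       "B Jones,bjones@mail.example,40-47-84\nC Lee,c.lee@mail.example,60-83-71\n"),
        "payments.txt": "Refund to card 4111 1111 1111 1111 approved\n",
        "newsletter.txt": "Our summer fair raised 1234 pounds, thank you all!\n",
    }
    for name, body in samples.items():
        with open(os.path.join(share, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    report = scan_share(share, quarantine)
    donors, payments = samples["donors.csv"], samples["payments.txt"]
    decisions = {
        "internal": outbound_decision("alice@charity.example", ["bob@charity.example"], donors),
        "webmail": outbound_decision("alice@charity.example", ["alice.home@yahoo.example"], donors),
        "partner": outbound_decision("finance@charity.example", ["audit@partner.example"], payments),
    }
    shutil.rmtree(share)
    shutil.rmtree(quarantine)
    return report, decisions
```

Commercial DLP products fingerprint whole documents and inspect attachments and web uploads as well as plain text, but the shape of the decision is the same: classify the content, decide from sender and recipients whether it may leave and on what terms, and for data found at rest move it somewhere restricted rather than leaving it on the open share. The quarantine report is what lets you answer the third question above, what to do once exposed data is found, without having destroyed the evidence.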
Remember, data is your property. It is your responsibility to protect it and manage it well.
About BEW Global
BEW Global has developed a holistic approach to assisting organisations with their information protection and network security. Centred on ISO 27001, an internationally recognised security standard, BEW Global provides a framework of services and relevant products to help organisations achieve their regulatory, compliance and security objectives.
With offices in the major regional commercial markets, including Europe, North America and the Pacific Rim, BEW Global provides a truly integrated global perspective on data protection and network security.