At first glance, it might seem that the information security problems faced by charities are pretty much the same as those faced by everyone else. They must comply with the same data protection laws, and meet PCI compliance for credit card information. They are threatened by the same malware and denial-of-service attacks. They are also as much at risk of having laptops stolen as any commercial organisation.
“In many ways it is the same as any other company”, agrees Brian Shorten, the risk and security manager for Cancer Research UK. “Every company has assets that need to be protected, so you’re always working out the risks and how to mitigate them. The difference is what the assets are.”
When Shorten was working for Standard Bank, the most important asset he had to protect was physical money. When he was working for MCI Worldcom, it was the usage of telecommunications services. “With charities, it’s reputation and donors’ trust.”
|"All the cardholder data is held exclusively by us and isn’t passed to charities unless the donor opts into communication by the charity"|
|Charlie Arnott, JustGiving|
In his own case, he says, “One in three people are affected by cancer at some point in their lives. Cancer Research UK has a reputation that could easily be lost.” It’s not like banks and politicians, he says, who can still carry on even though their reputation may be challenged. “We can’t do without them.” By contrast, “I’m not sure our reputation would take a hit and rise back again.” Understandably, he doesn’t want to find out: “I do not want to be the first charity to be fined half a million pounds by the Information Commissioner.”
Reputation is everything
The most obvious issue for charities is supporter data, which includes – but is not limited to – credit/debit card details. Shorten believes that a charity is subject to more significant reputational risk than an ordinary company.
“Our reputation is worth more to us than to a bank”, claims Shorten. “People don’t have to give money to us. They could give it to Marie Curie and it would still help cancer.” A breach would mean bad press and the attention of the purchasing cards industry – who could potentially impose a fine, require an audit, or even pull the organisation’s card authorisation until its systems have been remediated. None of these are things a charity could recover from easily.
|"The resources non-profits have for infosecurity are very scarce, to be conservative"|
|Amichai Shulman, Imperva|
The complexity of charities is quite different from comparably sized commercial organisations. Cancer Research UK has 500 to 700 shops – “more than Sainsbury’s” – each with a complement of assistants and helpers, many of them volunteers, which in itself makes for an unexpected set of issues.
“I was once told that we have area managers who would not go into shops carrying a laptop because some of the people in the shops would consider that it was a waste of the money they were collecting in the shops”, Shorten says. “How you would run an organisation the size of Cancer Research without electronic help I could never find out.”
That sort of attitude is part of a complex of expectations that do not apply outside the non-profit sector: people want to give money to charities to further a particular cause, and often judge the effectiveness of a particular charity by looking at the percentage of donors’ money that gets spent on administration and overhead.
Spending money on information security therefore can, unfortunately and ironically, make the charity less appealing to donors. On top of that is, of course, the well-known fact that charities have fewer resources to spend on infosecurity to begin with than a comparably sized company.
“The resources non-profits have for infosecurity are very scarce, to be conservative”, admits Amichai Shulman, co-founder and chief technology officer of the Israeli company Imperva. The fact that people judge charities by how little they spend on overheads, he says, “makes charities very challenging in terms of infosecurity.”
|"I do not want to be the first charity to be fined half a million pounds by the Information Commissioner"|
|Brian Shorten, Cancer Research UK|
Imperva sells software and services to protect web servers. Among his customer charities, Shulman says, is one that approached him after an intensive attack campaign. “Luckily for them it was not successful, but they were alarmed to the point that they decided to go on and invest in our technology.”
While the types of attack are the same, Shulman notes that what adds to the security challenge for non-profits is that their fewer resources often also attract less skilled staff. His answer: outsourcing.
“It’s sales propaganda”, Shulman says frankly, “but given the fact that non-profits have very little resources they should look for the kinds of solutions that require less effort to manage and configure. One of the things we are best at is providing web security and database security with minimal management and configuration effort because we have a technology that automatically learns the user interface or database usage pattern and uses that knowledge as a baseline whitelist for detecting attacks.”
Many charities do outsource at least a portion of their activities, including fundraising. The ten-year-old website JustGiving has built its business on just that principle, that the rules regarding PCI compliance and data protection are complex enough to make it logical to let a specialist bear the burden.
“All the cardholder data is held exclusively by us and isn’t passed to charities unless the donor opts into communication by the charity”, says Charlie Arnott, JustGiving’s operations manager. Like Shorten, Arnott says that trust is the greatest asset for both JustGiving and the charities it serves. “We have to make sure our brand is trusted. Otherwise people won’t trust the whole transaction chain.”
An easy target
Like everyone, JustGiving has had to deal with fraudulent ‘test’ donations on stolen cards. More curious are situations where, for example, one member of a couple that’s splitting up will donate money using the soon-to-be former spouse’s card – so the spouse is either out of pocket or made to look bad by asking for it back.
In addition, the company must be careful to ensure that pages set up to collect funds are from bona fide registered charities. “Because if they can get it through, it would be a way for them to siphon money from stolen cards.” Arnott is aware of a couple of attempts, none successful.
But even removing that portion of charities’ security issues is only a partial solution. As Shorten says, charities are more complex than people realise.
"The rules regarding PCI compliance and data protection are complex enough to make it logical to let a specialist bear the burden"
In one sense, Action for Blind People sounds like it ought to have quite a simple life. It no longer does its own fundraising; instead, under a partnership arrangement, the Royal National Institute for the Blind does all of the traditional fundraising and Action gets a percentage of that budget over the next five years. The upshot is that Action doesn’t have donor information anymore and no longer has to worry about protecting it.
What it does have, however, says Gabe Chomic, ICT security and training manager for the charity, is data pertaining to the people it helps to find employment or buy assistive devices. These are vulnerable children and adults whose information is especially sensitive. Any of the staff or volunteers who come in contact with that information has to go through CRB checks.
The big complication, however, is that Action also runs four hotels around the UK for blind people. Unlike its other services, where straightforward payments are made at the point of sale, hotel rooms may be booked well in advance through a multitude of third parties. In addition, therefore, to having to be PCI compliant for taking payments, Action also must comply with a number of regulatory standards laid down for contractors by the Department for Work and Pensions.
“What I found in talking to others in the Charities Security Forum and certainly within Action is that the charity situation isn’t nearly as neatly pigeonholed or categorised”, says Chomic. “The core point is that you can’t just say this is how to secure charities, or this is how they do business.”
Set up in 2007 by Brian Shorten and Salvation Army CIO Martyn Croft, the Charities Security Forum aims to bring together information security personnel in the non-profit sector from across the UK.
The forum’s 80 members include organisations of all sizes, from Oxfam and the Red Cross down to small hospices; the group runs a mentoring programme, quarterly meetings with speakers, and an active LinkedIn group.
“We felt it was needed because we couldn’t find anybody to talk to about security matters in charities”, says Shorten. In his previous jobs with MCI Worldcom and Standard Bank, he says, there was always a network – “other people you could ring and say, what can I do, what do you think?” At MCI, for example, along with all the other telcos, Shorten was part of the Telecom Users UK Fraud Forum, which issued bulletins and allowed members to talk freely. When he arrived at Cancer Research, however, he found there was nothing comparable for the non-profit sector.
He names, as an example of the reason the forum is needed, an issue that’s becoming frequent: the practice among credit card thieves of testing the cards they’ve stolen by making a small online donation to a charity site. Countering this kind of common problem requires collaboration.