Data security: Awareness, not education, is the key

10 Dec 2015 Voices

Brian Shorten argues that a new approach to security training is needed if charities are to stay safe.

Brian Shorten

You have installed your security defences. You have a firewall, hardened servers, an intrusion detection/protection system, and an anti-malware system. You also have policies and processes in place.

All of this has been recommended by vendors and approved by the auditors. It should protect you from anything bad happening to your information assets, your physical assets and your personnel.

Yet you still have problems. There are viruses and malware on the systems, and staff are opening phishing emails and sharing passwords. Fire doors are being propped open, papers are being left on desks overnight, and information is being lost or stolen.

So was all that technology a waste of time and money? If your only, or main, expenditure is on hardware and software, I would say it was. The problem is not technology, but people. Don’t buy hardware and software and expect staff to use it blindly; work on an area that will produce great benefits – your staff.

Training is boring

When we talk about staff, we tend to use words like “training” and “education”. In my opinion, this terminology is wrong. Training is boring and education is what you received at school. I prefer “raising awareness” – you want staff to do the right (secure) thing because they know it is the right thing.

Don’t arrange a training session where you tell staff: “Clear your desk of company equipment and information at the end of the day, don’t allow tailgating at the door, don’t put comments on Facebook, pick a secure password. It’s all in the policies, just read them.”

There is no way staff will pay sufficient attention to remember all this ten minutes after they have left the classroom. Far better to make staff aware of all the dangers involved, and help them to translate that into their work life and private use.

And don’t forget that your policies and processes only cover behaviour and the use of equipment and information in the office. It is difficult, if not impossible, to expect staff to apply those policies and processes to a smartphone during a lunch break or to a laptop used at home over the weekend.

The personal approach

My proposed method is to make each point personal to the listener. For example:

  • If we lose information it may lead to adverse publicity in the media which will have an impact on the charity’s reputation and therefore on your job. An example is that the share price for TalkTalk dropped by 10 per cent following its recent data breach. In this case it recovered after a culprit was charged with the hack, but that doesn’t always happen;
  • Equipment left out overnight may be stolen. Replacing this will have a direct effect on the charity’s finances and therefore your salary;
  • Adverse comments on Facebook about the charity, even on your personal page, will affect how other people regard the charity and our ability to secure funding;
  • If you permit strangers to come into the offices and wander around without being challenged, don’t complain if your purse/wallet/laptop/iPad is stolen from your desk;
  • Passwords are annoying to remember, but are important for keeping your information away from others. If you share it with others, they will be able to access that information as if they were you;
  • Pick a password others can’t guess, at least 10 alpha/numeric characters plus a special character. If you select the same password for every application you use and someone guesses it, then they will have access to ALL your applications;
  • If you wedge open a fire door for a smoking break, you will allow unauthorised people to wander in without going through security.

Each of my points (and I would write more to encompass all the various issues required) covers the charity’s requirements and also the personal use of equipment by staff away from the office, so that the correct way to act becomes automatic. You still need policies and processes, but these need to be written in the context of raising awareness rather than based on the office and full of “you must not”.

Brian Shorten is chair of the Charity Security Forum