Social security: charities versus banks

22 Nov 2010 Voices

Brian Shorten compares the information security needs of the charity and banking sectors.

Many people think that charities would have little need for security. After all, the perception is that they have little to protect. The phrase “we’re only a charity you know, not a bank” is one I’ve heard many times. In practical terms that may be true, because charities don’t have the physical assets that banks have such as stocks, shares, cash and bullion.

However, charities have supporter information and credit and debit card information on purchases and donations. They also have one other asset that financial organisations do not have – a good reputation with the public at large and supporters.

Consider the difference in the public attitude towards banks and charities. The old idea of the banking sector as the height of conservative stability has gone for most people, and yet the banks continue to thrive and grow; it seems we cannot exist without them. I’m sure this wouldn’t be the case with the charity sector, as an impact on a charity’s reputation could have a long-term detrimental effect on its income.

So, charities have much to protect; how do they do it? The principles are basically the same – list the assets to be protected, assess the risks to the assets, decide the processes needed to mitigate the risks, introduce a process to review the complete process – and repeat.

Those assets will include supporter information, credit and debit card information on purchases and donations as previously stated, plus personal information on the staff, financial information and maybe intellectual property information.

Internal resources

One other difference compared to the banks is the internal resources that a charity can call on; they have firewalls, web monitoring, intrusion detection/protection, but may not have the budget for the latest versions or updates. They have technical staff who can use the firewalls etc., but keeping up to date with the latest technologies requires training and that tends to be expensive.

In many cases the suppliers will help with cheap or cheaper upgrades to the technical processes, and cheap training for technical staff. They may also help with technical training.

There are other methods to cut costs: charities are very good at sharing experience and advice, and many organisations will make arrangements with several charities that have the same equipment to share upgrade and training costs.

Brian Shorten is BCP, risk and security manager at Cancer Research UK and chair of the Charities Security Forum