Online Security

Preventing theft, fraud and sabotage underpins the majority of online security trends. However, it's a highly changeable and perpetually fluid environment. This is compounded both by the increasing number of tasks, processes and transactions we now rely on the internet for and by the fact that the nature and characteristics of the threats involved are constantly changing. The increasing adoption of broadband access - both fixed and mobile - and efforts to reduce the number of people who are 'digitally excluded' raise the potential risk involved by increasing the number of people online, the amount of time they spend there and the range of activities they engage in.

The ever-increasing volume of potential threats will continue; indeed, research in 2009 suggested that 85%+ of all email was spam and that over 35,000 new forms of malicious software (viruses, worms and Trojans) were appearing globally every day.

We'll also see a greater level of sophistication in the tools and methods of attack. Viewing hackers as troublesome kids is still a common assumption, but we know that those responsible for a great deal of the problem are in fact highly organised, well-resourced teams of IT professionals strongly motivated by the prospect of direct and easy financial gain.

Likewise, the types of threat emerging will become more problematic, especially those using 'social engineering' techniques. Simply put, these methods try to exploit common human attitudes and online behaviours in order to trick people into engaging in risky activity. They include 'piggy-backing' off breaking news stories or high-profile events (for example, the World Cup) to expose people to malicious websites; using social networks (see online communities) as the means of attack by impersonating people we may know and so exploiting our willingness to trust our peers (see online trust); and hiding threats within reputable sites which we'd normally assume were safe for us to use.

We also expect a number of risks to become more widespread in the future. These include:

  • Smaller more targeted email attacks aimed at particular individuals within an organisation and designed with “the ultimate aim of gaining access to specific sensitive data, corporate intellectual property or access to confidential internal systems.” [1]
  • Exploiting link or URL shortening services to take unsuspecting users to malicious websites. This is particularly relevant given the importance of these services to some of the largest social networks.
  • Exploiting a mobile or distributed workforce. Mobile workers can be particularly vulnerable to security threats as they may access key information or applications from a number of different locations and devices.
  • Digital currency fraud is also expected to increase, aimed at exploiting the 'virtual currencies' being introduced by a number of social networks (eg, Facebook Credits [2]). This may have implications for future online fundraising (see online revenue).

What are the implications?

  • Any organisation that works online should consider itself 'at risk'. The network characteristics of the internet mean no one is immune and this will become a continuous issue going forward.
  • The threats involved may not necessarily be designed to act or become visible immediately. A compromised PC can be controlled 'invisibly' over long periods by an external party and used to perform tasks without your knowledge. Never assume that because there is no obvious evidence of a threat none - in fact - exists.
  • If you have an online presence – is it safe? Increasingly, legitimate websites are being used to ‘trap’ users into interacting with malicious content or software without their knowledge. How are you securing your own website from such threats?
  • If your organisation's core data was stolen or changed it would compromise your ability to operate (see data management).
  • A security breach could also impact on: wider public relations, stakeholder relationships, volunteer participation, fund-raisers' confidence or the level of trust your users currently have in what you do (see trust in charities).
  • If a security breach occurred, how would you answer the following question: "did the organisation do what is reasonable under the circumstances to secure its information?" Issues of legal culpability or professional negligence could be involved depending on the data in question or the kinds of 'harm' created by its fraudulent use.

Moving forward

Stay in touch with this issue. Who is responsible in your organisation for ICT / online / information security issues? How are they monitoring this environment, and how can they help you more fully understand this area and any implications specific to your organisation?

Online security is normally seen as a three-pronged issue involving people, policy and technology. All should be considered in order for you to develop a comprehensive response:

People

  • Are your staff or volunteers aware of online security issues and of the actions and processes your organisation intends to put (or has already put) in place to address them? Consider conducting ongoing awareness training to help. Remember, the threats won't stay the same, so neither should your training.
  • From the above, make sure any security processes are included in your new staff or volunteer induction material.
  • Do your staff or volunteers know what kind of data is important to your organisation and how it should be handled, stored or protected? Do they actually understand why the data is important? Different types of data may need different approaches and levels of training.
  • Consider the 'work-home' equation - are there any actions or behaviours your staff may undertake personally at home which may subsequently compromise your organisation's security?
  • Also consider how 'mobile' staff may need to be supported and protected.

Policy

  • Irrespective of your organisation's size, do you have a written security policy? Simply put, you need to make sure that everyone in your organisation knows "what's OK and what's not OK". Be prepared to enforce the policy.
  • Don't forget the data. Do you have a data management policy and associated processes in place?
  • Always assume your security WILL be breached or compromised at some point. Do you have a contingency plan in place to help you respond quickly if this happens?
  • What online data, content and privacy policies are in place? If you trade or engage in ecommerce do you also need formal terms and conditions? Each should have considered the effect of collecting, storing and reusing sensitive data and personally identifiable information. Where are the risks for your organisation?
  • Do you need to consider acceptable online or personal usage policies for your staff or volunteers? Are there websites, services or other online activities you feel may place the organisation at risk? Would such policies affect HR or the process by which you recruit volunteers?
  • Do you share IT resources, data or personnel with other businesses, institutions or third-sector organisations? Is each party aware of what they may share and how? Is there agreement on ownership, responsibility and usage? Are your partners secure? Would they comply with your own organisation's security policy?
  • How might your organisation need to approach emerging trends in this area, such as Open Data?

Technology

  • Do you have an 'appropriate' level of technology in place? This covers both hardware and software and asks you to consider whether your ICT systems are suitable for supporting the tasks your organisation undertakes and the types of data it uses.
  • Is your ICT up-to-date with the latest versions of the applications you may use? This can be especially important if you're a smaller organisation using limited resources. Try and assess where you could be most at risk.
  • Does your organisation have any network monitoring in place? Do you currently block websites or filter content? Do you need to consider doing so and what would the implications and costs be?
  • Don't forget the physical aspects of security! Is your ICT equipment secured? Do you use memory-sticks or other forms of removable media? Do you need to consider encrypting them?

This driver was written for NCVO Third Sector Foresight by Guy Yeomans

Want to know more?

Get Safe Online

Published by: Getsafeonline.org

Date: 2005

Format: Web

What is it? Get Safe Online is a web resource providing simple, practical guidelines on online security for both individuals and small-to-medium-sized businesses and organisations.

It is a cross-sector joint initiative between HM Government, the National Hi-Tech Crime Unit (part of the National Crime Squad) and private-sector sponsors from the worlds of technology, retail and finance.

How useful is this? If you're unsure about online security, this is a great place to start. It's comprehensive yet easy to understand, and will help you identify the key actions you should take immediately.

Three out of four web users still not security savvy

Published by: PCTools

Date: 2009

Format: Web

What is it? A useful report - based on a range of research - that highlights how prepared UK users are in relation to online security.

How useful is this? It's a good 'snapshot' of our collective awareness and readiness in relation to this issue. Also it offers some specific information and examples of the social engineering threats mentioned in the main driver.

9 Dirty Tricks: Social Engineers' Favorite Pick-Up Lines

Published by: Security & Risk Magazine

Date: 2009

Format: Web

What is it? A summary of 9 examples of ways in which hackers and malicious parties have tricked people into either directly surrendering sensitive data or - by default - enabling their IT systems or the organisation itself to be compromised.

How useful is it? A useful reminder that our own behaviours - both online and off - can actually constitute the greatest source of vulnerability. While you may not feel each of the examples is directly applicable to your organisation, they nonetheless can help you think about how - if someone was seeking to compromise your organisation and its data - they might try to approach your staff and volunteers.

Seven Deadly Sins of Social Networking Security

Published by: Security & Risk Magazine

Date: June, 2009

Format: Web

What is it? A summary of 7 examples describing how 'social engineering' techniques are being used within online social networks to create security vulnerabilities and the potential for data loss.

How useful is it? Web 2.0 and social media - offering low-cost, widely distributed networking, content generation and collaboration tools - offer significant opportunities to third-sector organisations, especially in the fields of public relations, relationship management, campaigning, fund-raising and membership recruitment. However, those very same qualities are also increasingly attracting hackers intent on no good! This article highlights how our own seemingly innocuous actions can leave more than the individual actually doing the networking at risk.

MessageLabs Intelligence: 2010 Annual Security Report

Published by: MessageLabs

Date: 2010

Format: PDF and Podcast

What is it? This is a comprehensive analysis of the ‘state’ of online security in 2010 and reports on the key threats identified.

How useful is it? This would be useful reading for anyone looking for a detailed understanding of some of the issues involved. Caveat: it is produced by a commercial company and so has numerous references to the 'success' of its own products, and it can also be quite technical. However, get your ICT people involved in the conversation and ask them to help 'translate' some of the jargon used.

References

  1. MessageLabs Intelligence: 2010 Annual Security Report (p. 6) - Symantec Hosted Services
  2. Facebook Credits: About Facebook Credits - Facebook

Last updated at 12:03 Thu 24/Feb/11.


Funded by Capacity Builders and Improving Support