Charities may have a different, volunteer ethos from businesses – but they’re the same as companies in that they have assets to protect. So the recent Cloud Expo Europe heard from a charity’s risk and security manager.
Brian Shorten, risk and security manager for Cancer Research UK, began his talk by asking: what does a charity have to secure? Anything? “I have been with the charity about seven years, and I can still remember people saying to me, when I first started, ‘but we are only a charity, why do we need security?’ And that was within the charity. Well, we have everything that a business has. We are a business, at the end of the day.” The assets to protect may not be tangible: financial information, such as who gave money and where those donations are kept. There are the names and addresses of personnel, and credit card data, which must be kept safe to meet PCI DSS (the Payment Card Industry Data Security Standard), quite apart from compliance with the Data Protection Act. Brian Shorten described credit card donations as ‘the lifeblood of what we do’, and the same is true for other charities.
The charity also has many specialised assets that a lot of businesses do not have, such as personal information about supporters. In Cancer Research UK’s case, this may include the families of cancer sufferers, and cancer patients who have agreed to take part in drug trials; for other charities, it may be vulnerable adults and children. To stay with the cancer charity, the progress of the drug trials is highly sensitive; and even if the (anonymised) data is not stolen, it has to remain unchanged, or else the results may not be valid, which is an integrity requirement as much as a confidentiality one. In this field, charities are regulated by the Medicines and Healthcare products Regulatory Agency (MHRA). A business might lose customers, and go out of business, as a result of a security breach; Brian Shorten argued that a charity has even more to lose: its reputation.
Cancer Research UK also has a physical presence on the high street, with its charity shops, staffed by thousands of supporters. How to mitigate those risks? On the IT side, Brian gave the standard list of IT security controls: anti-malware, anti-virus, intrusion detection software, processes to prevent data loss, and standards and policies for IT users to follow. As for computing in the Cloud, the topic of the two-day event at London Olympia, he described how the charity moved offices and replaced its desktop computers with ‘virtual desktops’. This produced a saving on computer licences; and ‘from a security point of view it’s been great,’ he said. He spoke of the charity – as a body relying on donations, where for every £1 donated, 80 pence is available to spend on its work to beat cancer – trying to do ‘more with less’. How to do that? “We are looking at our risk assessment processes,” he said. This can mean prioritising risks, partnering with ‘public spirited companies’, and liaising with other charities on good practice. “We do a lot of work in terms of getting a really good deal.” A charity will seek to be really good at driving price down, because any money not spent on services is money that can be spent on research. As he admitted, a business cannot make the same appeal to suppliers as a charity can. That said, if necessary the charity can become a ‘reference site’ for a vendor, ready to talk to a potential buyer about its experience of the product or service. “That’s something I am more than happy to do,” Brian said.
On liaison between charities, Brian is a member of the Charities Security Forum. “For many charities, there isn’t the competitive nature of companies, so what we often do is liaise with each other, and talk about products.” The forum has run since 2007, starting with a few charities and now numbering 120. He summed up: “I don’t think we do anything that’s different to companies.” Like any business, he will look to save money, and will prioritise between what needs to be done, and what needs to be done now.
About the man: Brian Shorten is a founder and chairman of the Charities Security Forum and has a background in banking and data security. He holds the Certified Information Systems Security Professional (CISSP) qualification. While Brian has an MSc in information security from Royal Holloway, University of London, his job covers physical as well as IT security.