How safe are charity IT systems?
How safe are your IT systems?
If you don’t have proper security in place, hackers could access donors’ personal details or disrupt your systems, Tatum Anderson reports.
When criminals hacked into the website of charity Aid to the Church in Need (UK), they stole the identities of 2,800 people who had used credit cards to make donations and buy gifts on the website.
Soon the fraudsters began to pose as charity workers, ringing those whose identities they had stolen and asking for donations.
Are you safe from hackers?
"This attack took place with illegal software uploaded and attached leech-like to the secure server. Password changes and security were therefore circumvented – as any changes we made were immediately recognized," says Neville Kyrke-Smith, national director of Aid to the Church in Need (UK). "If you think you are secure you are probably not!" he adds.
Hacking is one threat of many. The most pernicious is malicious software, or malware, which can harm IT systems or steal sensitive information.
Every week hackers infect 9,500 web pages worldwide – even those run by highly reputable companies – with malware. There are 250,000 known pieces of malware in existence with 8,000 new ones appearing every month. Such threats are becoming increasingly common as more unscrupulous criminals use the internet to infiltrate organisations.
Your data at risk
According to security experts, despite the threats, many charities do not secure themselves properly, putting donations, donors’ personal details and the smooth running of their organisation at risk.
"Many charities don’t take security very seriously because they are under the impression they don’t have any sensitive data," says Adrian Goodhead, technical services manager at NTA Monitor, which publishes annual security reports detailing the risks to charities and other organisations. "There’s also a lot of money in the charity industry and that is the target for hackers."
There is a bewildering array of malicious software: from worms and spyware to Trojans and phishing (masquerading as a trustworthy entity to acquire sensitive information). So the average charity could be forgiven for wanting to shut up shop and unplug its computers.
Goodhead says charities just need to know what they’re up against. The solutions are not necessarily expensive and they should observe best practice: "How do you make people understand the risk without making them scared? You don’t want to sell fear," he adds.
Some years ago, threats came from teenagers trying to disrupt machines. Today they are more insidious. Hackers are now being paid by unscrupulous companies to hijack machines and use them to launch spam, as a form of advertising. Others are paid to launch ‘denial of service’ attacks, which are concerted efforts to crash databases and websites. They are also paid to develop software that tracks how people use websites for advertising purposes, or to steal personal information.
Hackers will hide malware inside HTML emails, downloads and even reputable websites. Malware has even been spotted in instant messaging (e.g. online chat) software.
They will look for any vulnerabilities in software so they can hijack machines. Often, any published information about the software that an organisation uses – such as press releases – helps them to work out what vulnerabilities exist.
The Samaritans said it even changed its security software after the huge publicity it received when it opted for a particular security solution. The charity refused to confirm whether it felt the publicity might have informed hackers, leaving it vulnerable to attack.
Help is at hand
But help is at hand. The security industry is like an arms race. As hackers find loopholes and exploit them, the IT industry creates security patches, pieces of software that fix the holes or fight the threats.
Essential security measures
Graham Cluley, senior technology consultant at Sophos, which makes security software used by organisations like War Child and Farm Africa, says every charity should have the holy trinity of preventative measures – an anti-spyware/virus software suite, firewall and security patches – as standard.
Anti-spam, anti-virus, anti-spyware software is sold by a number of vendors such as Sophos and Symantec, which makes Norton-branded software. Surprisingly, many organisations still don’t use them all. The Information Security Breaches Survey 2006, carried out by the DTI and PricewaterhouseCoopers, reported that a quarter of UK businesses are not protected against spyware.
Firewalls also prevent threats from reaching PCs. This prevents software installed on a PC from communicating with the internet unless specifically allowed to. This stops software containing malware from broadcasting personal information to hackers over the internet.
Firewalls come in two flavours: hardware, that might be incorporated into a router or modem, and software. Experts recommend running both because some laptops can be used away from the office hardware firewall.
Update your software
Finally, software companies regularly release security patches that fix the vulnerabilities in software once hackers have found them. Microsoft, for instance, releases patches through www.windowsupdate.com, although many computers can be set to automatically download patches as they become available.
And it is true that most malware is aimed at Microsoft software – web browsers, office software and operating systems. Open source alternatives and Macs are not targeted as frequently, although attacks are on the increase.
But installing the ‘holy trinity’ in a charity setting is easier said than done. For one thing, malware is generated so quickly that often software companies haven’t spotted it or created patches. Experts therefore recommend that users accept text (not HTML) emails and do not click on email links because this might direct them to a fake website where they will be watched when they key in personal details.
Charities have a lot less to spend on IT than corporates. They are often running older computers and software, which means security patches may not work as well, or are not released at all.
Working from home
In addition, many have volunteers, employees working from home or out in the field, whose computers are much harder to protect from hackers and malware. User-names and passwords are easy to steal and laptops are now the largest source of computer theft in the UK. Experts advise organisations to choose a solution that handles remote workers and a variety of operating systems, old and new. Small security updates will also reduce the costs of downloading from a satellite in the field.
Peter Gleadell, sales manager at Acutec, which installs security software for Mencap and Age Concern, says some organisations issue employees with a key, a key ring or card which displays a security number that changes every 60 seconds on an electronic display. As well as entering a password and username, a remote user must submit that security number to verify that they are the person who should be logging in.
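A changing security number of this kind can be modelled with the open time-based one-time password scheme (RFC 6238, built on RFC 4226). The sketch below is an added example, not code from the article or from any vendor it names; the six-digit length, the one-step clock-drift allowance, the replay check and all function names are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the tokens in the article change every 60 seconds
DIGITS = 6         # assumption: six-digit display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 one-time code for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_code(secret: bytes, now: float) -> str:
    """Number the token would display at Unix time `now`."""
    return hotp(secret, int(now) // STEP_SECONDS)


def verify_login(secret: bytes, submitted: str, now: float,
                 last_used_step: int = -1, drift_steps: int = 1):
    """Return the matched time step, or None if the number is rejected.

    Accepts one step of clock drift either side of the server's time and
    refuses any step at or before the last one used, so a number that was
    overheard cannot be replayed.
    """
    current = int(now) // STEP_SECONDS
    for step in range(current - drift_steps, current + drift_steps + 1):
        if step < 0 or step <= last_used_step:
            continue
        expected = hotp(secret, step).encode()
        if hmac.compare_digest(expected, submitted.encode()):  # constant time
            return step
    return None


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    shown = token_code(demo_secret, now=65)
    print("token shows:", shown)
    print("first use  :", verify_login(demo_secret, shown, now=70))
    print("replayed   :", verify_login(demo_secret, shown, now=75, last_used_step=1))
```

The server stores the returned step per user and passes it back as `last_used_step` on the next login, which is what makes each number single-use.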
For those with software but ongoing problems, there are plenty of ways to improve the existing infrastructure.
Many charities can set their anti-virus or spyware software to scan the internet more frequently – hourly in some cases – for new threats, or download security patches more regularly. Others set their anti-virus software to protect their web gateways, often forgotten, as well as email.
For charities that have installed individual anti-virus packages on a number of PCs, a single business package will be cheaper and more effective at monitoring threats if they have at least 10 computers, says Acutec’s Gleadell.
Websites should not allow an unlimited number of attempts to enter usernames and passwords, and should not accept special characters like angle brackets < > in what users type in, because these can be used to control the website.
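The two website controls above can be sketched as follows. This is an added example, not code from the article: the limits, class and function names are assumptions, and the angle-bracket handling shown encodes the characters when the page is rendered rather than rejecting them at entry, which is a common alternative to an outright ban.

```python
import html
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5       # assumption: failed logins allowed per window
WINDOW_SECONDS = 900   # assumption: 15-minute sliding window


class LoginThrottle:
    """Sliding-window cap on failed logins, tracked per username and per client address."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _keys(self, username, client_ip):
        # Case-fold the username so "Alice" and "alice" share one counter.
        return (("user", username.lower()), ("ip", client_ip))

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()
        return q

    def allowed(self, username, client_ip, now=None):
        """False once either the account or the address has used up its attempts."""
        now = time.time() if now is None else now
        return all(len(self._recent(k, now)) < self.max_attempts
                   for k in self._keys(username, client_ip))

    def record_failure(self, username, client_ip, now=None):
        now = time.time() if now is None else now
        for k in self._keys(username, client_ip):
            self._recent(k, now).append(now)

    def record_success(self, username):
        # A correct password clears the account counter; the address counter stays.
        self._failures.pop(("user", username.lower()), None)


def render_greeting(display_name: str) -> str:
    """Encode user-supplied text so < > & and quotes display as text, not markup."""
    return "<p>Welcome back, " + html.escape(display_name, quote=True) + "</p>"
```

The login handler calls `allowed()` before checking the password and `record_failure()` after a wrong one, so a locked account or address never reaches the password check.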
Aid to the Church in Need (UK) has now fixed its website but says there were ramifications: ‘Our benefactors were outstanding and understanding but a small number of people blamed us for not having an absolutely secure system – which is, as we explained, quite impossible to have,’ says Kyrke-Smith.