Opinion: password management in the charity sector » Charity Digital News

Opinion: password management in the charity sector

Top down view of keyboard with the words change your password

The recent WannaCry epidemic showed what can happen if you keep legacy systems that haven’t been patched for security issues as they arise, but more often than not, the real killer is human error.

This isn’t always as simple as someone leaving an unencrypted memory stick on a train or printing off sensitive data and leaving a bag somewhere; commonly it’s a case of having a password that offers next-to-no protection from simple hacking techniques.

The reason people set simple passwords is that they have so many to remember. According to an Intel Security survey, the average person has 27 accounts that require a password.

That’s realistically too many to remember if you want to set secure passwords of special characters, lower and upper-case letters and numbers (unless you write them all down somewhere), which leads to the temptation to set something simple and re-use it.

The problem is, even if you’re sensible and secure yourself, it only takes one other person in the charity to have a weak password and let the floodgates open. As an organisation, you really are only as strong as your weakest link.

So then, how can charities effectively manage password security? Especially as charities have a higher-than-average turnover of staff and often use Bring-Your-Own-Device policies, it’s tricky to enforce one course of action.

There are options. For a smaller charity with few staff accessing sensitive data or files, it’s possible to go around and insist that everyone use a password management platform like LastPass, Dashlane or Keeper, which each offer free individual versions. Beyond that, even Google Chrome’s SmartLock password manager is better than it used to be, although it doesn’t have the option to generate strong passwords for you, which means you might still have one person in the charity setting something weak and hackable. (Also it doesn’t work on non-Android mobiles.)

LastPass, DashLane and Keeper, as well as other paid password-management platforms like Okta (which we use at Tech Trust) offer enterprise-level versions for larger organisations, which can cost around £20 per user per year. This allows one security officer to manage passwords across an organisation. It means that you can revoke access to individuals and even enforce password strengths depending on the platform.

There’s a good comparison of the features of different password management tools that you can see here and another here.

It’s worth seriously considering going for the paid plan if your charity does work with volunteers who need access to files remotely. It might not always come cheap, but the cost of being hacked and leaking data is much greater.

Just as a final note – whichever option you go for, it’s worth sending them a message and asking if there’s any chance that they offer charity pricing before you sign up – oftentimes companies won’t advertise it, but are happy to offer some discount if they can.

Related reading