3 security strategies for charities that are more secure than passwords
Passwords alone are no longer fit for purpose in an organisation that handles sensitive data – here are three security strategies that can provide extra peace of mind.
This article is sponsored by Okta – a secure cloud identity solution and a complete access management platform for workforce and customers, securing all critical resources from cloud to ground. Eligible charities can receive 25 free licences by validating through Charity Digital Exchange.
The history of the humble password for data security goes all the way back to the birth of modern computing in the early 1960s. It’s safe to say that, although the basic need to keep data and systems from falling into the wrong hands remains the same, a lot has changed since then.
For one thing, almost every organisation has important data to protect, and almost all of them are connected to the internet. Charities in particular often handle and store sensitive personal data about service users and donors – the kind of data that represents big business for the vast cyber criminal underworld that now exists. It’s for this reason that the responsibility of charities to keep data protected under GDPR is no joke, and can result in crippling financial and reputational damage.
Secondly, a weak password is something that a cyber criminal or other malicious party can easily exploit, and credentials of this kind can be obtained through phishing, social engineering, a data breach, or any number of increasingly sophisticated automated methods.
> See also: Top 10 cyber security resources for charities
Hackers even have lists of commonly used passwords, such as this one published by the NCSC, which they can run through automated bots to crack open accounts. An alarming number of people still use ‘123456’ as a password (the NCSC’s 2019 breach analysis found it on over 23 million accounts), and they are likely to be compromised as a result. Other offending ‘passwords’ include names of children or partners, favourite football teams, bands or superheroes.
For a password to work, it needs to be strong and unique to each service – not an easy task considering the average computer user in an organisation has to keep track of hundreds of passwords for various systems, from HR to marketing, CRM, finance systems, websites, productivity suites, email and collaboration, calendars, file sharing and more.
Tech experts have been hailing the ‘death of the password’ for years, and the fact is that in 2019 passwords on their own are simply not secure (or practical) enough any more. All the way back in 2013, Eric Grosse, VP of security engineering at Google, stated that “passwords and simple bearer tokens, such as cookies, are no longer sufficient to keep users safe.”
Identity and access management is a huge challenge that can’t be solved by simply giving out passwords – as NCSC (National Cyber Security Centre) guidance would attest. Proper user permission management policies and tools are not hard to implement and needn’t break the bank for the average charity, but are becoming an essential requirement.
Nowadays, organisations are increasingly embracing the security and authentication management methods below to ensure that only the right users are accessing the right systems and data, and that they’re able to do so efficiently.
Two-factor authentication
Multi-factor or two-factor authentication (2FA) is now commonplace. It is not infallible – a code sent by SMS can be diverted by SIM swapping, and a code typed into a convincing phishing page can be relayed by the attacker in real time – but having it set up on your accounts means there is an extra barrier for a potential hacker to get through, and a stolen password alone is no longer enough.
As well as a password, users are required to prove their identity with something they have, usually a code that is texted to them or generated by an authenticator app on their phone. Other forms of 2FA include a prompt to a second, trusted account or device, or a hardware security token.
The downside is that it is an extra step for users, and can mean installing an app, such as Google Authenticator, on their mobile devices. It can also present a problem if they are unable to get to their device for any reason. However, this simple extra step can be essential protection where data must be kept safe at all costs, and policies can be put in place – such as issuing one-time backup codes at enrolment and defining how the helpdesk verifies a user before resetting their second factor – so that administrators can support users if one element of the system fails.
The NCSC (National Cyber Security Centre) provides detailed advice for organisations around when and how to set up multi-factor authentication on their accounts.
A single sign-on system
Many organisations use a single sign-on (SSO) system – they have been common in the public sector for a while, allowing users to access all the apps and platforms they need from a single environment, usually through a web browser. These systems mean users need only one set of login credentials for all their apps, which eliminates the spread of multiple weak or forgotten passwords.
These sort of systems are now readily available on the market and include vendors such as Okta and OneLogin (take a look at a few of them here). Okta has free licenses available for charities – eligible organisations can find out more about getting validated through Charity Digital Exchange here.
The big advantage of a single sign-on system is the convenience that comes with it. It is especially useful for organisations that offer flexible working, as all the apps a user needs can be accessed from anywhere. Signing in is quick and efficient, it is easy for IT admins to control and manage, and it works well for organisations that have multiple temporary staff and volunteers using their computer systems.
The downside is that if that one login is compromised, every app reachable through it is compromised too. However, it is easy for IT admins to disable the user at the identity provider, which cuts off every connected app at once, and to reset the password and revoke active sessions. Two-factor authentication on the SSO login itself is usually an option and should be treated as mandatory, since that single login now guards everything.
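What makes single sign-on safe to trust is the set of checks each app performs on the signed assertion the identity provider hands it. The following is an added example (not code from this article or from any SSO vendor) modelling that in the Python standard library: the identity provider issues a short-lived JWT-style token for one app, and the app verifies the signature, pins the algorithm, and checks issuer, audience and expiry before accepting it. The issuer URL, shared key and user names are constructed; a real deployment uses the identity provider's asymmetric keys (RS256 via its published JWKS) and a standards-based library, and revokes users at the identity provider rather than in a per-app list like the `revoked_subjects` argument here.

```python
"""Minimal model of the relying-party checks behind single sign-on (HS256 JWT, stdlib only)."""
import base64
import hashlib
import hmac
import json
from typing import FrozenSet, Optional

IDP_ISSUER = "https://idp.example.org"          # hypothetical identity provider
IDP_KEY = b"constructed-demo-key-do-not-reuse"   # constructed shared key for this model only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, audience: str, now: int, ttl: int = 300, key: bytes = IDP_KEY) -> str:
    """Identity provider side: one token per (user, app), valid for `ttl` seconds."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_audience: str, now: int,
                 revoked_subjects: FrozenSet[str] = frozenset(),
                 key: bytes = IDP_KEY) -> Optional[dict]:
    """App side: return the claims only if every check passes, otherwise None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: never let the token choose it (the classic "alg": "none" bypass).
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return None
    # A token minted for the CRM must not be replayable against the finance system.
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != expected_audience:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    # Short lifetimes plus this check are what let an admin cut a user off everywhere at once.
    if claims.get("sub") in revoked_subjects:
        return None
    return claims


if __name__ == "__main__":
    tok = issue_token("alice@charity.example", "crm", now=1_700_000_000)
    print(verify_token(tok, "crm", now=1_700_000_010))
    print(verify_token(tok, "finance", now=1_700_000_010))
```

The audience check is the one most often skipped in home-grown integrations, and skipping it turns "one login for every app" into "one token for every app" in the attacker's favour as well.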
Mobile device management
Mobile Device Management (MDM) is security software that enables IT departments to manage, monitor and secure mobile devices, laptops and tablets.
Unfortunately, as more and more organisations allow staff to use their own personal devices for work (whether to save on precious IT budgets or for users’ convenience), this represents a security risk. The big advantage of MDM is that it allows organisations to skip the cost of providing devices to staff while retaining control from a security perspective.
When flexible working is involved, IT admins can use MDM to create a secure environment for data and apps. If a device is lost or stolen, or a password compromised, they can easily wipe the data from the device and lock the handset from use remotely, stopping confidential or sensitive information from getting into the wrong hands.
On top of passwords and PINs, data can be encrypted, and any unusual activity (such as multiple wrong password attempts or use of the device from an unusual location) can be tracked and monitored by the organisation.
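To make the monitoring in the paragraph above concrete, here is an added example (not code from this article or from any MDM product) of the two detections it mentions, run over a handful of constructed device sign-in events: a burst of failed unlock attempts on one device within a sliding window, and a successful sign-in from a country the user has never signed in from before. The event shape, thresholds and suggested actions are assumptions for the example; a real MDM product has its own log format and policy engine.

```python
"""Two simple MDM-style detections over constructed device sign-in events."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class SignInEvent:
    ts: int          # epoch seconds
    user: str
    device: str
    country: str     # assumed to come from the device's reported location / IP geolocation
    success: bool


# Constructed sample events (not from any real product's log format).
SAMPLE_EVENTS = [
    SignInEvent(1000, "alice", "phone-01", "GB", True),
    SignInEvent(1600, "alice", "phone-01", "GB", True),
    SignInEvent(2000, "bob", "tablet-07", "GB", False),
    SignInEvent(2030, "bob", "tablet-07", "GB", False),
    SignInEvent(2060, "bob", "tablet-07", "GB", False),
    SignInEvent(2090, "bob", "tablet-07", "GB", False),
    SignInEvent(2120, "bob", "tablet-07", "GB", False),
    SignInEvent(2200, "bob", "tablet-07", "GB", True),
    SignInEvent(3000, "alice", "phone-01", "RU", True),
]


def detect_suspicious_activity(events: Iterable[SignInEvent],
                               max_failures: int = 5, window: int = 300) -> List[Dict]:
    """Return one alert dict per finding, in time order.

    brute_force:  `max_failures` failed attempts on one (user, device) within `window` seconds.
    new_location: a successful sign-in from a country not previously seen for that user.
    The action field is a hypothetical hook for the MDM response described in the article
    (lock the handset, or demand re-authentication).
    """
    alerts: List[Dict] = []
    failures: Dict[tuple, deque] = defaultdict(deque)
    seen_countries: Dict[str, set] = defaultdict(set)

    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.device)
        if not ev.success:
            q = failures[key]
            q.append(ev.ts)
            while q and ev.ts - q[0] > window:   # drop attempts that fell out of the window
                q.popleft()
            if len(q) >= max_failures:
                alerts.append({"ts": ev.ts, "kind": "brute_force", "user": ev.user,
                               "device": ev.device, "failures": len(q), "action": "lock_device"})
                q.clear()                        # one alert per burst, not one per extra attempt
            continue

        failures[key].clear()                    # a successful unlock ends the burst
        known = seen_countries[ev.user]
        # First ever sign-in establishes the baseline and never alerts on its own.
        if known and ev.country not in known:
            alerts.append({"ts": ev.ts, "kind": "new_location", "user": ev.user,
                           "device": ev.device, "country": ev.country,
                           "previously": sorted(known), "action": "require_reauth"})
        known.add(ev.country)
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_activity(SAMPLE_EVENTS):
        print(alert)
```

Two things a practitioner would tune before relying on this: the location baseline should age out (a volunteer who genuinely moves abroad will otherwise alert forever), and the failure threshold should sit below whatever the device's own wipe-after-N-attempts policy is set to, so the organisation hears about the burst before the handset erases itself.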
The main downside is that IT teams will need to take the time to define an MDM strategy, as organisations have to balance security and control with users’ ability to be productive and use their apps however they need – here are some tips.