| Contents | Previous | 2. Needs Analysis | Next |
The scope of this document is to evaluate the needs of the Horizon Foundation with regards to the Security Breach which occurred in 2019:
The organization has suffered greatly from the Security Breach last year, which resulted in a loss of trust and recurring donations, and degraded its public image.
This type of threat has become much more common, with attacks getting more and more sophisticated and going well beyond the obvious spam messages received in the past. Typical employees rely on their personal experience and a one-time training when they joined the organization. They are not aware that the tricks of dedicated scammers can now fool anyone, taking even an otherwise cautious person by surprise in a moment of distraction.
Some employees may feel overconfident in their technical skills, but few can tell the difference between scams and spams. Their knowledge seems more theoretical than practical. The likeliness of employees to fall prey to or correctly ignore or discard scams has not been evaluated.
It is of the utmost importance to prevent future security attacks from succeeding in stealing data or money from the organization.
This requires to put a number of barriers in place. None of these barriers alone would catch all the threats, but the combination of these different layers should be able to do so, demonstrably.
Information and know-how are not sufficient to fight these threats. A change in attitude towards security is required, leading to a change in behavior and an interest to learn more. Regular practice is required to evaluate the defense mechanisms and keep them up-to-date against ever-evolving threats.
Access to sensitive information should be valued more. While new procedures are put in place and the security skills of the organization is growing, access to sensitive systems should be highly restricted and conditioned to a need to know. In a way similar to handling of confidential information in armed forces, higher levels of security and controls shall be expected when interacting with the most sensitive information, notably a time limit. No-one needs to access all of the information all the time. This will naturally lead to friction with people who need the information to do their job, which will help to recognize the people and tasks who need access to specific information and financial tools. Where possible, hot, live data shall be replaced with colder data exports, filtered and aggregated or anonymized.
Raising the bar to access sensitive information can also create a motivation to develop security skills. People who demonstrate their capability to recognize threats may then be granted longer or higher level access to sensitive information.
The best way to develop the skills of the employees and the organization as a whole against email security threats is to test them on the job at regular interval, in the course of reading and interacting with other emails. The training should not be perceived as a separate time, in a different realm of reality.
The training itself could take the form of different kinds of email threats, leading anyone who falls prey to them to discover relevant information on how to avoid this attack, instead of exposing the organization to the threat. This would ensure that the training targets in priority the employees who need it the most. With emails sent to different persons at randomized times and dates, it may be deployed gradually to target all members of the organization, including both employees and volunteers, and may be repeated with different kinds of threats over the years.
It is important to communicate on the importance given to the topic by the organization and its empathy towards anyone who has falling prey to one of these attacks, to allow anyone who suspects being a potential victim to come forward and ask for help. Reporting a test threat should be valued and estimated as well, giving further encouragement to report real threats.
| Contents | Previous | 2. Needs Analysis | Next |