Horizon Project


2.4 Answers from the Interviews

The answers come from several interviews conducted with Horizon employees. They have been grouped by topic and reworded to preserve anonymity.

Security Breach

It was just a single incident last year, but it was a disaster, not only for the donors, who were exposed to increased credit card risk, but also for the Horizon Foundation, which was put in a very bad light and lost future donations and goodwill from those affected and from other potential donors.

This event has damaged trust in the organization, which is, at its core, the foundation of all its charity work. The organization needs to work hard to do a better job of protecting its donors and to regain the public trust.

Phishing attacks, and security threats in general, targeting similar NGOs have increased dramatically over the past few years. Most donations are now handled over the Internet, with donor details tracked in large databases, rather than through the cheques sent by mail and the paper records used traditionally. Donors are by nature generous and inclined to give to the causes they empathize with, which makes their contact details especially attractive to scammers.

An aggravating factor is that an increasing share of the organization now works remotely as a consequence of the pandemic. Many employees and volunteers alike require access to sensitive information, because understanding our donors is at the heart of all fundraising efforts. Each additional remote access is a potential entry point for attackers and must be secured under the shared responsibility of the individual and the organization.

Some of these attacks are particularly insidious, because they masquerade as a familiar person or computer system in order to extract information from members of the organization or make them perform actions unwittingly. The organization is entrusted with the personal information and money of its donors to serve its charitable purpose. This requires extra care and awareness of the potential threats.

Email Usage

Email is the primary communication channel within the organization and between the organization and its partners. Sensitive information is usually discussed over the phone, but it is not always convenient due to the differences in time zones.

Learners

Employees have widely different levels of mastery of technology. While the youngest employees and those with a higher level of education are very familiar with digital tools and somewhat aware of security threats, this is not the case for the majority of the workforce.

Security Skills

Employees need to recognize phishing emails and other security threats. They need to follow security procedures to keep their passwords and other credentials safe. They need to recognize when a prompt for their password is expected and normal from when it is unexpected or suspicious. They need to pay attention to changes in the Web pages and IT systems they interact with, and report unexpected events to the technical team for analysis. They need to detect inconsistencies in emails. They need to check URLs before and after they click on a link in an email, and before they enter any password in a Web page. They need to recognize relevant parts of a URL, notably where the domain name starts and ends.
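The skill described above, telling where the domain name of a link starts and ends, is the one learners most often get wrong, so the following added example (written for this page, not material from the Horizon project) shows how a trainer can take a link apart programmatically. It uses only the standard library; the allowlist `TRUSTED_DOMAINS`, the reserved `example.org` / `example.net` names and the sample links are all constructed placeholders, not Horizon's real domains. The two-label rule in `registrable_domain` is a deliberate simplification for teaching purposes: production code would consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the organization operates (placeholders,
# not Horizon's real domains; reserved example names are used throughout).
TRUSTED_DOMAINS = {"example.org"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host name, e.g. 'example.org' for 'www.example.org'.

    Simplification: real deployments consult the Public Suffix List, because
    suffixes such as 'co.uk' consist of two labels. Two labels are enough here
    to show learners where the domain name ends.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_url(url: str) -> dict:
    """Break a URL into the parts a learner should look at before clicking
    on it or typing a password into the page it leads to."""
    if "://" not in url:
        # Browsers treat a bare host typed in the address bar the same way.
        url = "https://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Character positions of the host part inside the URL string: this is the
    # span a learner has to read, everything after it is just a path.
    start = url.index(parts.netloc)
    end = start + len(parts.netloc)
    domain = registrable_domain(host) if host else ""
    return {
        "scheme": parts.scheme,
        "host": host,
        "host_span": (start, end),
        "domain": domain,
        "trusted": domain in TRUSTED_DOMAINS,
        "https": parts.scheme == "https",
    }


def explain(url: str) -> str:
    """One-line verdict a trainer can show next to a sample link."""
    info = inspect_url(url)
    verdict = "trusted" if info["trusted"] else "NOT trusted"
    return f"{info['host']!r} belongs to {info['domain']!r}: {verdict}"


if __name__ == "__main__":
    # Constructed sample links: the second one contains a trusted name as a
    # subdomain but actually belongs to another domain.
    for sample in (
        "https://www.example.org/donate",
        "https://www.example.org.example.net/donate",
        "example.org/donors",
    ):
        print(explain(sample))
```

The second sample is the case the interviews point at: `www.example.org` appears at the front of the host, but the domain name only ends at `example.net`, so the link belongs to a domain that is not on the allowlist. Showing learners the `host_span` positions alongside the verdict makes the "where does the domain start and end" question concrete.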

They need to confirm any request for sensitive information or money transfer through two different channels, e.g. email and phone or texts.

Training History

Employees complete mandatory security training during their onboarding. It lasts 30 minutes and is evaluated with a final quiz.

Security Policy

The IT team has procedures in place for password management and expected email usage. It has also issued guidelines with best practices on how to recognize different kinds of scam messages.

The IT department has identified weaknesses in the network security, which have been corrected. Security software has been deployed and existing applications have been upgraded to apply the latest security patches.

New email filters will be deployed, taking advantage of machine learning to detect potential phishing attacks and prevent them from reaching members of the organization in the first place.

New Training Project

The stakeholders of the project are a joint task force of IT and HR, together with a team of enthusiastic employees from Operations willing to take part in a pilot.

Learning Outcome

The training should prevent future breaches and help to detect them faster. The end goal is to avoid leaks of personal information, loss of money through scams, and the resulting loss of goodwill and public trust.

The training should start, as a priority, with the employees who have the highest security privileges, that is, those with regular access to sensitive information or financial operations.

Training Support from Management

Managers need to give employees the tools to recognize threats. They also need to support them in reporting any suspicious activity, without fear of sanctions.
