This is the third article in my series exploring the dangers the not-for-profit sector faces.
We’ve already covered the way charities are targeted and the importance of patching in maintaining cybersecurity. Today, we’ll look at charities’ and not-for-profits’ dynamic, volunteer-heavy workforce. This vital resource can easily turn into a cybersecurity timebomb, but taking a holistic approach to security can greatly minimise the risks and keep organisations safe.
A dynamic workforce helps charities deliver
Most charities, not-for-profits (NFPs) or organisations offering humanitarian services rely heavily on volunteers. Budgets and overall spend are lower, so for these services to continue, volunteering and part-time work are a vital part of their operations.
Volunteers, contractors, full-time staff, part-time staff and casual workers may all be a part of the dynamic workforce of an NFP. They usually have a fluid roster of people joining and leaving, along with those who help out for a few hours at a time. This mix of worker types helps charities and NFPs deliver vital community services. This approach of tapping into a flexible workforce as needed brings clear benefits:
increased flexibility for rostered work
new ideas from a more varied set of people
the ability for volunteers to get involved without a long-term commitment
strengthened ties between individuals and within the community
Data leakage is a matter of “when” not “if”
But this level of flexibility introduces a new level of cyber risk to any NFP. Masha Arbisman is the Behavioural Engineering Manager for the Paranoids, Verizon’s information security team. In the most recent Verizon DBIR report she explains how the conversation around data leakage has shifted from “if” to “when”. That’s supported by the Australian Cyber Security Centre’s findings that in 2021, Australian businesses reported a cyber attack every eight minutes – compared to one every ten minutes in 2020.
Time and time again, employees have proven to be one of the biggest contributors to an organisation’s risk posture. Verizon’s report notes that 85% of breaches involved a human element. The reality is that an organisation’s responsibility is to secure not just the technology they use but also the people that use it.
Why the human factor is critical for NFP security
Every organisation will have a mix of technical aptitudes and technology use across its workforce, and different industries present their own challenges. Take local government entities: they employ office workers who use technology all day alongside park workers whose only interaction with technology may be the payslip they receive via email every month.
Charities and NFPs can be very similar, with a mix of hands-on volunteers, community organisers, public-facing fundraisers and administrative staff. Indeed, charities and NFPs are unique in having a large majority of volunteers under their remit. Volunteering Australia estimates that almost 6 million people volunteer through an organisation annually. Those 6 million volunteers provide around 600 million hours of work annually, at wildly varying levels of technical capability, which adds up to serious risk exposure.
How even the best people can make mistakes
How many of us have experienced that sinking feeling when you reach for your pockets and realise your phone isn’t there? Or the time when you almost forgot your laptop bag? To err is to be human, and even the best-intentioned people slip up from time to time.
Given the number of users and company-owned assets in play, it is very common for devices to be stolen or lost. What shouldn’t come as a shock is that human error beats out theft in these incidents: the most common case is an internal user misplacing an asset and reporting it back to the organisation.
The way we work has changed since the pandemic, and a lot of organisations are adopting more flexible approaches to work locations. Just the other day I was on a call with a person who was working remotely in a caravan as he travelled across Australia, visiting all the pubs he passed as he made his way around. These kinds of work patterns are becoming more mainstream, which brings different kinds of risks to the table. Personal data remains the top type of data lost, representing 80% of the data compromised in the confirmed incidents reported in Verizon’s DBIR.
NFPs need a holistic approach to cyber awareness
The best way to keep your assets and your workforce safe? All-around user awareness and training. If your employees are not ready for a cyberattack, your organisation isn’t ready either.
Knowledge is power, and individual employees should be able to recognise the signs and warnings of common security threats. Just as every organisation has its own unique set of challenges and circumstances, not every situation will match exactly how you might envision it – I mean, how many ways are there to have your credentials phished?
Organisations that rely on part-time workers or volunteers can use tailored contracts, appropriate onboarding and technical controls to keep control of their data. It’s important to address cyber awareness training with a more holistic approach, focusing on behavioural change and improving awareness, not just box-ticking exercises.
Encourage a positive cybersecurity culture
This tip is one for organisation leaders to take on board and cultivate. Being surrounded by others who are like-minded regarding proper security practices can make it easier for newer people to adjust. When you see someone close the door behind them after entering a guarded room to prevent tailgating, or lock up their laptop after they’ve clocked off for the day, does this encourage you to do the same? By normalising cyber hygiene, these practices become a key indicator of a positive cybersecurity culture.
Your volunteers and employees must feel supported in their learning. For a lot of staff working in NFPs and charities, this will be a new way of working for them. As with all new skills, this takes time to get used to. Using fear and intimidation to enforce security practices, like scapegoating those who make security missteps, can sometimes feel effective right off the bat. But any success is generally fleeting and not great for long-term outcomes.
From a user’s position this can be quite degrading – which is worse still when you’re relying on volunteer goodwill. I recommend checking out this blog post by Miranda Nolan, a colleague of mine who talks about the use of FUD (Fear, Uncertainty and Doubt) in cybersecurity awareness training strategies.
By supporting your staff with a positive cybersecurity culture, appropriate training and a holistic approach to cybersecurity you can help keep data leakage at bay, freeing up your charity or NFP to keep up the good work.