Why Insecure File-Sharing Apps Can Put Your Charity at Risk
Charities lag in technology – so they risk using legacy tools like insecure file-sharing apps
UK charities are way behind in the management of digital technologies, a study shows. The result is that they use the wrong tools for their work online and offline, and this leads to security risks. The prevalence of legacy file-sharing apps is one dangerous way in which charities in the UK, Ireland and Northern Ireland put their data – and their future – at risk.
The latest Lloyds Bank UK Business Digital Index revealed that more than 100,000 charities lack basic digital skills, which is more than half of the registered charities in the UK. The report said that 9,000 charities don’t use the internet at all and one in three believes being online is irrelevant. There was also a four percentage point rise in the number of charities that rated their digital capabilities as low.
Hence the prevalence of file-sharing apps like Dropbox, Egnyte, Hightail and the many others like them. There is nothing inherently wrong with these apps when consumers use them informally, but in business and not-for-profit operations they raise the risk of a data breach to an unacceptable level.
A Digital Code for charities has been set up by a group of not-for-profits, insurers and banks in the region. The Code states: “Charities should have a board-level awareness of the risks posed to their organisation from cyber-attacks. The following steps will help any charity protect themselves from the most common cyber-attacks:
- Charity leaders and trustees should periodically review their existing systems and processes, understanding what is in place, how they work together, whether they are obtaining value for money, and anticipating and evaluating any risks such as the ability to keep services secure, up to date and working as intended.
- Charities may require support from someone with good technical skills to help them evaluate risk, which could be a member of staff, a trustee or a volunteer (provided the appropriate accountability is in place). Where the risk is potentially significant, all possible actions to manage it should be evaluated and a plan put in place to deal with different scenarios.
- Risks should be reviewed, monitored and assessed periodically. Where relevant, they should be recorded on the risk register.”
These principles clearly call for a review of the policy on file-sharing apps and of how they are used.
The danger of charities using insecure file-sharing apps
Organisations are at serious risk of data loss and compliance violations due to risky file-sharing practices, a study by the Ponemon Institute has revealed.
Charity management, like their colleagues in business, are failing to respond to the escalating risk of ungoverned file sharing and regular breaches of security policies by staff. Almost half of the more than 1,000 information security professionals polled in the UK, Germany and the US believe that their organisation lacks clear visibility into staff use of file-sharing or file sync-and-share applications.
Just over half said that they did not believe their organisations have the ability to manage and control user access to sensitive documents and how they are shared. While the study showed that most organisations have policies governing the use of file sharing, policies are not being communicated to employees effectively.
There are a very small number of secure file-sharing apps available. A few of them, like SpiderOak ONE, Certain Safe and Box, use encryption. While their security is relatively good, these applications are far from perfect for use at charities. Apparently, the security is so good that the IT departments can’t even help users reset their passwords if they lose them, and for charities where worker turnover is high, this is a major flaw.
There are other functional issues with using these types of applications which may make them inappropriate for charities. For example, with Certain Safe, users can send files, but not individual folders. This is a limitation that may not work well at all for charitable organisations, which often exchange a large volume of files among users.
Charities must protect data
In the UK, Ireland and Northern Ireland, the European Union's General Data Protection Regulation 2016/679 has been transposed into national law. Charities are by no means exempt from its requirements to protect personal data that is stored or made use of, and to take all reasonable steps to prevent a data breach.
For charities in the region to comply with these regulations, it is imperative that they take action to patch well-known vulnerabilities – many file-sharing apps constitute precisely this type of vulnerability.
Secure Board Portals Provide the Privacy, Security and Features Charities Need
Board portals are the perfect solution. Portals, such as the one provided by BoardEffect, provide the best in security for today’s charitable organisations. The portal is a secure, personalised online space that is legally compliant and fully auditable.
Both board members and management are now expecting this level of service, whereby they can send and share information as conveniently as sending a link to an article to a friend, while enjoying the highest level of security possible.
BoardEffect board portal supports good governance
To support risk management at charities, board members require the support of a quality board portal like BoardEffect – it has all the tools to make them efficient and better performing.
BoardEffect is collaborative software that makes collaboration at the board level easy and secure – we serve over 200,000 users worldwide, providing competitive pricing and exceptional value.
It allows not-for-profit boards of directors in sectors from developing nation funding to healthcare to work together wherever they are, and with whatever device they are using – it is user-friendly, so no extensive training is required.
The BoardEffect platform has been developed to be clear, intuitive and elegant. This is particularly important, as the high-profile audience who use BoardEffect usually have other jobs and commitments. Ease of use has become our “true north” – ensuring that our system can be used successfully by those with any level of technology experience and comfort. We back this up with 24/7/365 training and support for all users.
Communication among trustees is safe, and sensitive data stored on the portal is protected by the highest grade of encryption. They can securely access board books and other documents and collaborate with other users electronically. Collaboration can include discussions, surveys, electronic voting and more. The platform has unlimited storage that can be configured for each group to work privately.
BoardEffect ensures the highest level of security through a five-part security programme. We encrypt data in transit through Transport Layer Security (TLS) and at rest (AES-256), have secure SSAE16 audited SOC1 and SOC2 data centres with fail-overs, mirroring, third-party penetration testing and 99.99% facility uptime. We also have disaster recovery and business continuity plans, specialised compliance modules for healthcare, intrusion detection systems and much more.