Talking at Cyber Security Connect UK in Monaco, Lee Cramp, Information Security Officer for the British Red Cross, tells Johanna Hamilton AMBCS about the security challenges facing the charity sector.

The charity sector often leads with campaigns about how “just £2 a month could buy blankets, pay for clean water, create a safe place to sleep…” so just how does an ISO in the charity sector secure money for cyber security?

How do you approach technology in the charity sector?

‘We all know that technology is becoming easier to procure and use and, while friction with core systems can create shadow IT in any organisation, we need to be especially careful given the nature of our work. If we make an application too difficult to use, this could put our staff, volunteers and those we support at risk, so we must ensure we create secure solutions that do not negatively impact the end user. I like to call this, “the path of least resistance”.

‘Wherever you’re a member of staff or volunteer using our systems, it has to be as simple and user-friendly as possible, while remaining secure. It is not acceptable for our staff and volunteers (who can be working in some really challenging conditions) to have to jump through hoops to do the simplest of tasks, simply because “security” says so. We must balance the security risk with the usability for the end user.’

What is the most important concern when thinking about cyber security?

‘For me, it’s about user experience. Everything we do is for the end user and that means making things simple for our staff and volunteers who can, at times, be working in challenging conditions. In my experience, the challenge is how we make security invisible to the user. They need to know about security and how it’s working for them, but they shouldn’t be impeded by it.

‘We (the industry) talk about the “insider threat” like there is this evil nemesis - the fact is, we create this threat in the way we design solutions for the end-user. The vast majority of people just want to do the best job they can. They don’t intentionally come to work and decide that today is the day they want to send that email with lots of sensitive data to people who shouldn’t receive it; yet I find we put barriers in people’s way.

‘We talk about creating an “enabling function”, but inevitably, I believe that what we tend to do in security and IT, with all the best intentions, is risk becoming a barrier and making solutions unworkable for the end users, who then, inevitably, find a less secure workaround. My role at the BRC is to find opportunities to help people and steer them away from those unsecure workarounds.’

When many of the British Red Cross staff and volunteers are in war zones or far-flung countries, how can you ensure your systems deliver a good end user experience?

‘I’m a firm believer that there isn’t anyone you can’t learn from, if you are just willing to listen to them. To that end, we do lots of customer journeys and spend a lot of time with the users in their individual situations. One approach we have adopted, as part of the testing phase, is to steer away from the yes / no answers and fix accordingly.

‘My approach, from a security point of view - and again from that user journey when we find something not working - is to see what the user does when things don’t go to plan. That’s going to be their workaround and that's going to be the ungoverned process the user will take in the real world. Once we understand that, then we can start, not just to fix the solution, but also to gain even more insight into the user that we might have missed.’

Is it difficult to justify IT budgets for a charity? Because, obviously, people do want to spend money on blankets and people being fed…

‘Our trustees and board are very much behind security and the safe-keeping of our data. We have a duty of care; the same way you can’t give people unclean water, we can’t give people unsecure devices / systems.

‘Is it a hard sell? I think if you speak to any of the professionals here at the Cyber Security Connect UK conference, they would say the same thing: we all know that “data is the most valuable commodity on the planet”. Yet, if you look at pretty much every security team across any industry, they will probably be working with the smallest budget to protect the biggest asset of that business. I’m very fortunate that The British Red Cross understands this and invests in the security of its systems and data to ensure those we support stay safe and secure.’

Do you feel GDPR has strengthened data governance?

‘We were already very strong in our data governance and we have an amazing information governance team who ensure we protect data. As with a lot of regulation, it tends to be introduced because what we should be doing as standard good practice isn’t being done - so we put regulation in place to ensure that it is done as standard.

‘At a very high level, I think GDPR put the spotlight on the use of data. It gave both industry and people the opportunity to increase their visibility of the data that they've got, how it’s being used, who it’s being shared with - and to examine if that use was appropriate.’

As a long-standing charity of some 150 years, The British Red Cross must have legacy systems. Is the digital transformation of the organisation an ongoing process?

‘It's always going to be [that way], not just at the British Red Cross, but in every sector. You’ll know from BCS, the issue you're always facing is legacy. I suppose this is one of the challenges of the industry right now.

‘If you or I wanted to share a photo, we could download an application, take the photo and share. It takes minutes. That’s the consumable world we live in. However, to do that in any organisation, with the steps and controls that have to be put in place, could take months.

‘So, by the time you’ve put an application in place for everyone to use, it almost becomes a legacy system. One thing we are trying at the British Red Cross is DevSecOps - building in security from the start, so we can develop, test and release new applications much faster.’

Do you see any patterns in the types of attacks levelled at the BRC?

‘It’s estimated that 87% of all emails coming into an organisation are spam or phishing. So, if you get one million emails in a month, 870,000 will be erroneous. So, of course, phishing is always going to be a concern. And we face all the same threats as any other business or person at home would face; just because we are a charity doesn’t mean we are immune to cyber criminals attacking us.

‘A threat more specific to charities is that of website hacking, especially if there is a large incident, such as a devastating natural disaster requiring humanitarian aid. There are so many fake sites created to look and feel like the real charity’s page, so that the unsuspecting donor makes the donation to the fake website. This then takes vital support away from those in need and goes to the criminal. So, we are constantly checking for fake websites and shutting them down to protect our donors.’

And what about phishing?

‘We do phishing exercises throughout the year to see where our vulnerabilities are and to understand what the behaviour is of our volunteers and our staff. I always follow up every exercise with a full explanation of the findings and the changes we will make; for example, if we notice a subject line that people clicked on, then we can set policies in the security software to prevent these types of emails coming through in the future.

‘I don’t see my job is to catch people out, it’s to help everyone “get” cyber. We’re really good at dressing up what cyber security is, but if people don’t get it, then they can’t see the value in it. What we need to do is remove some of the unfamiliar language and put it into everyday speak so people get the analogy.

‘All the cyber-awareness training I do at the British Red Cross is aimed at the individual and how to keep our staff, volunteers and their families safe. To get the message across, I’ve gamified a lot of my cyber-awareness training, such as a take on the retro game Frogger to help teach how to spot phishing. I do regular blogs internally. I've done vlogs. We do lots of online videos, too. I'm currently doing a cyber roadshow where we're talking about digital footprint.

‘I also want to inform people about what happens when you do click that link. The reason most people click is out of curiosity. So, take the curiosity away and help educate people. If there is a phishing email going around, I will explain what the email is trying to do, the steps it will take you through, the pages you are likely to see and what the end game of the criminal is. It’s no good just asking people not to click the link.’

To summarise, what are your IT aspirations for the BRC?

‘If I can demystify the world of cyber so people “get” it and help design systems for people that stand true to my maxim of the “path of least resistance” for the user while remaining secure, then I believe I'll be a success - because that’s the only way we can keep people safe. And, as a result, their families and friends will benefit as well.

‘People always ask - what do you do for a living? I say my job is much like a librarian. Data is a story with soul, we are all writing the books of our lives every day; what we do, how we live and there are some parts of your biography that you allow people to see, much like the public area of the library. Then, there are sections of the library where the most valuable books are kept, just like the things in our biography that we keep for those closest in our lives.

‘So, like a librarian, I’m responsible for ensuring that I let the right people in the public library to read the books we want them to, while making sure they only take the books they have permission to read, while more sensitive books stay locked away in the archives.’