There’s a lot to think about when getting a new Charity CRM system. It’s really easy to let information security become an “I’ll do that later” kind of job.
Don’t let “later” become “too late”. The hacks that make the news are usually big companies, or nation states doing industrial espionage, but the reality is that someone, somewhere, is trying to break into even the smallest of charities. As the attacks on the NHS showed, being ‘good’ is no defence. If you look at who is trying to log in to your Microsoft account every day, you’ll see the answer is “lots of people from all round the world”.
Even the smallest organisations and individuals should take some basic steps to protect themselves and reduce the risk of losing data, or money. There’s more at Small Charity Guide – NCSC.GOV.UK
Passwords: manage them
A password manager stores all your passwords securely, so you only have to remember one: the master password for the password manager itself. That means you can have a different, long, random password for every site or system you use. When you need to log in, you open the password manager and copy and paste (or auto-fill) the password.
I recommend the NCSC guide on this if this is new to you. There are different ways to approach it, and some notes of caution to be aware of. But overall it is a good thing: it makes it very difficult for attackers to guess your passwords, and if one password does leak they won’t be able to use it to get into everything else.
Whether you’re using a password manager or not, enforcing good passwords is a good practice. Lamplight allows you to set a minimum length (we recommend at least 12 characters) and disallows use of the most common passwords. You can also add other complexity requirements, but these are the first ones to add.
Of course if you are using a password manager, it’s easy to meet these requirements because the software will automatically generate long random passwords.
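To make the two checks above concrete, here is an added example (not Lamplight’s code, and not the NCSC’s) of a minimum-length check, a common-password block, and a random password generator of the kind a password manager uses. Two details matter in practice: the common-password check should catch trivial disguises such as “P@ssw0rd123!”, and the denylist here is a constructed toy; a real deployment loads a large breached-password list (Have I Been Pwned publishes one). The 12-character minimum is the recommendation from the text.

```python
import secrets
import string
import unicodedata
from typing import List, Set

MIN_LENGTH = 12  # the minimum recommended in the text

# Constructed toy denylist for the example. In production load a large list of
# breached/common passwords instead of a hand-written set like this.
COMMON_PASSWORDS: Set[str] = {
    "password", "123456", "qwerty", "letmein", "welcome", "charity",
    "iloveyou", "admin", "football", "monkey", "dragon", "sunshine",
}

# Substitutions attackers already try: P@ssw0rd is still "password".
LEET = str.maketrans("@$!0134", "asioiea")


def _normalise(pw: str) -> str:
    """Reduce a password to the dictionary word it is probably built from:
    fold case, drop the trailing digits/punctuation people tack on, undo leet."""
    pw = unicodedata.normalize("NFKC", pw).casefold()
    pw = pw.rstrip(string.digits + string.punctuation)
    return pw.translate(LEET)


def check_password(pw: str, denylist: Set[str] = COMMON_PASSWORDS) -> List[str]:
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.casefold() in denylist or _normalise(pw) in denylist:
        problems.append("based on a very common password")
    return problems


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG, the way a password manager generates one."""
    alphabet = string.ascii_letters + string.digits + "-_.!?#"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["P@ssw0rd123!", "Charity2024", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "ok")
    print("generated:", generate_password())
```

Note that “P@ssw0rd123!” passes a naive length-and-complexity rule (it is 12 characters with symbols and digits) and is rejected only because the normalised form is on the list; that is why the text puts the common-password block alongside length rather than relying on complexity rules.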
Two Factor Authentication is Good
We’re all getting used to two factor authentication now. Banks use it all the time: you have a little widget of some sort that generates a code you have to type in to log in, or you get an SMS with a code to enter.
It’s definitely inconvenient. But so are locks on our front doors. We have to trade convenience for security online as well as off. And two factor authentication is a big win when it comes to increasing security.
For many systems, including Lamplight, you’ll have an app on your phone which generates a new 6 digit code every 30 seconds, derived from a secret that is unique to you. So to log in you have to have your phone with you as well as knowing your username and password.
You may not need to add it to everything. But we recommend that at least system administrators should use it.
Review Access
Checking who has access to what is a really good habit to get into (set yourself a regular calendar item to do it). Because people come and go, and their roles change, it’s really easy to find that they still have access to systems and data that they really shouldn’t.
So every now and then (how often will depend on how much your team changes), take a quick look at who’s still got a login, and lock or remove access if need be.
Do You Really Need 24/7 access?
Good security systems have lots of layers. Just because you have a burglar alarm, you don’t take the locks off the doors, for example. You add layers of protection.
So an extra layer that Lamplight offers is to restrict when and where different people can log in. If your team shouldn’t be accessing data at 3am, it’s easy to lock this down. You can also limit access to your office IP address if that’s appropriate.
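As an added example (not Lamplight’s implementation, whose rules are configured in the product rather than in code), here is what a “when and where” login policy looks like when written down: an allowed network range, allowed hours and allowed days per role, evaluated against the source address and time of each login attempt. The office range, the roles and the attempts are all constructed for the example. Two practical caveats are built in: the hours must be checked in the office’s local time zone (3am UTC in July is 4am in London), and the source address must be the one the server itself saw, never a header the client can set.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone, tzinfo
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

# Fixed +01:00 (BST) is used here so the example runs without a tz database;
# in production use zoneinfo.ZoneInfo("Europe/London") so the clock change is handled.
BST = timezone(timedelta(hours=1))


@dataclass
class LoginPolicy:
    """When and from where a role may log in. An empty network list means anywhere."""
    allowed_networks: List = field(default_factory=list)
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    weekdays: Set[int] = field(default_factory=lambda: {0, 1, 2, 3, 4, 5, 6})  # Monday=0
    tz: tzinfo = timezone.utc

    def allows(self, source_ip: str, when: datetime) -> Tuple[bool, str]:
        local = when.astimezone(self.tz)          # evaluate in the office's local time
        if local.weekday() not in self.weekdays:
            return False, f"outside permitted days ({local:%A})"
        if not (self.start <= local.time() <= self.end):
            return False, f"outside permitted hours ({local:%H:%M} local)"
        if self.allowed_networks:
            ip = ip_address(source_ip)
            if not any(ip in net for net in self.allowed_networks):
                return False, f"{source_ip} is not an approved address"
        return True, "allowed"


# Constructed office range (an RFC 5737 documentation block, not a real office).
OFFICE = [ip_network("198.51.100.0/24")]

# Constructed roles: admins only from the office in working hours, caseworkers
# from anywhere but not at night and not on Sundays.
POLICIES = {
    "admin": LoginPolicy(OFFICE, time(8, 0), time(18, 30), {0, 1, 2, 3, 4}, BST),
    "caseworker": LoginPolicy([], time(7, 0), time(20, 0), {0, 1, 2, 3, 4, 5}, BST),
}


def evaluate(role: str, source_ip: str, when_iso: str) -> Tuple[bool, str]:
    """Decide one login attempt. `source_ip` must be the peer address the server
    saw (or a header set by a proxy you control), not a client-supplied header
    such as X-Forwarded-For coming straight from the internet."""
    return POLICIES[role].allows(source_ip, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    # Constructed login attempts, times in UTC as a server would log them.
    attempts = [
        ("admin", "198.51.100.23", "2024-07-10T09:15:00+00:00"),  # Wed 10:15 BST, office
        ("admin", "203.0.113.9", "2024-07-10T09:15:00+00:00"),    # same time, from elsewhere
        ("admin", "198.51.100.23", "2024-07-10T02:00:00+00:00"),  # Wed 03:00 BST
        ("caseworker", "203.0.113.9", "2024-07-13T10:00:00+00:00"),  # Saturday 11:00 BST
        ("caseworker", "203.0.113.9", "2024-07-14T10:00:00+00:00"),  # Sunday
    ]
    for role, ip, when in attempts:
        print(role, ip, when, "->", evaluate(role, ip, when))
```

Recording the reason alongside the decision, as `evaluate` does, is worth keeping: a run of “outside permitted hours” denials for one account at 3am is exactly the kind of signal the access review in the previous section should pick up.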
Limiting Data Access Within Your System
Not everyone needs access to everything. Again that’s a basic point about security. You don’t give everyone access to your bank, however convenient it might be.
You may need to enforce limits within your system so that different teams only have access to certain records.
We’ve added this one last, though, because the security trade-off can be trickier. It seems attractive to lock everything right down, but it does add a management cost. For example, you need someone to decide who has access to which records, somehow. And what happens if they’re not available – on holiday, for example?
So this is one to think carefully about, and to talk through with your CRM supplier (if they offer this functionality). If they work with charities they should have the experience to help you weigh things up and come up with the right security levels for you.