IT risk - e-Strategy Guide


Coming to grips with IT risk

World-wide business surveys reveal that:

  • 85 per cent of those surveyed detected computer security breaches within the previous 12 months;
  • 70 per cent cited their internet connection as a frequent point of attack;
  • 94 per cent detected computer viruses (85 per cent in 2000);
  • over 60 per cent of all email is spam; and
  • 30 per cent of information systems accounts are for people who have left the organisation.

The risks to nonprofit organisations are just as real.

Connecting computers to the internet allows nonprofits to access a wealth of information and resources. However, it also creates the risk that computers may be tampered with by hackers, or attacked by viruses distributed via email.

It is important to protect yourself against these risks and ensure that your data, including membership and client information, is safe and that your transactions are carried out securely. Otherwise, there is a risk of transactions being intercepted, privacy codes being breached, confidential information being taken or money being stolen.

Remember that information is an asset and therefore it needs to be suitably protected.

The three components of security

There are three core elements to IT security.

  • Confidentiality – assuring sensitive data is read only by authorised individuals and is not disclosed to unauthorised individuals or the public.
  • Integrity – protecting data or software from improper modification. For example, a virus may infect a program and alter documents created by that program. Data integrity could also be compromised by a disgruntled staff member or volunteer fraudulently changing records.
  • Availability – accessibility of IT network, desktop and data resources when authorised users need such access. Definitions of availability differ from organisation to organisation and among staff, clients, members, the public and other stakeholders, but increasingly all groups expect wider availability of these resources. Websites are expected to be available at all times, so if your site is offline for more than a few hours over a weekend it is likely to provoke inconvenience and annoyance.

Four key points

  • Building and maintaining trust and credibility with your clients, members, partners and funders is critical to achieving your goals.
  • Security is a process, not a project or a product.
  • Continuous improvement is the key success factor for good security.
  • Initially, security adds to the cost of running your organisation. However, in the long term it could save your credibility, reputation and money.

Many organisations want to expand their use of the internet but are not sure how to do so in a secure way. The following sections of this guide will help you decide which strategies and processes are appropriate for your organisation’s e-security needs.

Tip

While everyone agrees that being safe and secure on the internet is a good thing, online security is not going to be at the top of the priority list for many resource-strapped nonprofits. But there are some key things that any organisation can do easily and relatively cheaply. These include:

  • installing anti-virus software and spyware removal tools;
  • installing an internet firewall;
  • installing email software with spam filtering capabilities;
  • learning a little about spam and online scams and how to avoid them; and 
  • (importantly) keeping backups.
