How the British Red Cross takes a people-first approach to security

Mar 17, 2020 | 8 min read
Topics: Digital Transformation, IT Skills, Security

The British Red Cross sees cybersecurity as critical to protecting the people it serves. Here's how they help the entire organization understand that.

[Image: A businessman holds a red woolen heart surrounded by abstract binary circuits. Credit: Palo K. / Mustafa Hacalaki / Getty Images]

According to the UK Government’s 2019 Cyber Breaches study, over half of charities with an annual income of more than £500,000 had identified breaches in the previous year. Because of the public nature of charities, many of these attacks have made headlines. In January 2020, British housing charity Red Kite lost almost £1 million when attackers spoofed its domain and acquired email details of “known contacts providing services to Red Kite”.

Last year, St. John’s Ambulance was subject to a ransomware attack on its training course booking system, and the Bible Society was fined £100,000 by the ICO after attackers were able to access the personal data of over 400,000 society supporters. In 2018 Cancer Research UK was hit by a Magecart attack not long after the same attack struck British Airways.

It’s not surprising, then, that the British Red Cross (BRC) is balancing its digital transformation efforts with protecting its volunteers, staff and the people it is helping.

Securing digital transformation in charities

As a humanitarian charity, BRC aims to help people at home and abroad, providing emergency services and first aid to those in need, running first aid training courses, and helping refugees and victims of trafficking. As with many charities, the British Red Cross has undergone various digitization initiatives to keep up with how it recruits volunteers, receives donations, and helps people. However, digital transformation comes with risk.

“You’re constantly under attack and my role is how do we mitigate the impact of cybercrime against the Red Cross, and how do we protect that data for the individual,” says Lee Cramp, head of information security at the BRC. “We’re a humanitarian organisation and we’ve got to make sure that those that we are supporting, those most vulnerable people, are protected.”

A UK Government report into cybersecurity in the charity sector acknowledged that competing demands such as “core service provision, fundraising, monitoring finances and other Charity Commission reporting requirements” could lead to a lack of investment in cybersecurity within the sector. At the same time, just 53% of UK charities have undertaken five or more of the Government’s 10 Steps to Cyber Security foundational basics.

Cramp says that while it’s true charities often have smaller budgets than large companies, he doesn’t view cybersecurity within the charity sector as very different from the rest of the UK business landscape, arguing that organisations like his are “still susceptible to exactly the same disease everybody else is fighting.” While charities have no shareholders to answer to, they are well aware of the consequences of a cyber attack.

“We don’t go to try and make things worse; we try and make things better,” Cramp explains. “That’s how we look at data and that’s how I look at the security. Our key thing is we’ve got to protect people.”

“My fear is that for whatever reason, if any of that [information] was to get out and then put someone in an even worse position than they were before, that would be tragic for us,” Cramp continues. “Like with any business, there could be reputational damage or there could be financial consequences, but the impact on people will be catastrophic for us.”

One threat vector that Cramp says might be more problematic in the charity sector than in others is impersonation. “When a particular tragic tragedy happens, whether it’s a natural disaster or terrorist attack, there are those people who will spin up websites to make it look like it’s the Red Cross, for example.”

To counter that, the BRC works with the rest of the Red Cross and Red Crescent federation internationally to monitor for, and take action against, any domains hosting websites or sending out email pretending to be a part of the Red Cross.
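The monitoring described above comes down to spotting registered domains and sender addresses that resemble a protected brand without being owned by it. The following is an added illustration of that check, not code from the British Red Cross or the Red Cross federation: it folds common homoglyph substitutions (digits and Cyrillic letters that render like Latin ones), strips separators, and measures edit distance from a brand token. The brand token `redcross`, the allowlisted domain `redcross.org.uk`, the short public-suffix list and the sample domains are all assumptions constructed for the demo.

```python
"""Lookalike-domain triage for brand-impersonation monitoring (added example).

Assumptions for the demo: BRAND is the token being protected, LEGIT_DOMAINS is
the organisation's own allowlist, and SAMPLE_DOMAINS is a constructed feed of
newly seen domains. None of these values come from the British Red Cross.
"""
from dataclasses import dataclass
from email.utils import parseaddr

BRAND = "redcross"                      # assumption: protected brand token
LEGIT_DOMAINS = {"redcross.org.uk"}     # assumption: placeholder allowlist

# Tiny public-suffix list so the demo runs offline; production code would use
# a full list (for example the publicsuffix2 package).
SUFFIXES = ("co.uk", "org.uk", "ac.uk", "com", "org", "net", "info", "site")

# Substitutions that make a label look like Latin letters.  Multi-character
# pairs come first so "rn" folds to "m" before single characters are mapped.
# This is a heuristic: legitimate words containing "rn" are folded too, which
# is acceptable because both sides of the comparison are folded the same way.
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"), ("5", "s"), ("7", "t"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),  # Cyrillic а е о р
    ("\u0441", "c"), ("\u0455", "s"), ("\u0456", "i"),                     # Cyrillic с ѕ і
]


def registrable_label(domain: str) -> tuple[str, str]:
    """Split 'www.red-cross.org.uk' into ('red-cross', 'org.uk')."""
    domain = domain.lower().rstrip(".")
    for suffix in SUFFIXES:
        if domain.endswith("." + suffix):
            head = domain[: -len(suffix) - 1]
            return head.rsplit(".", 1)[-1], suffix
    head, _, suffix = domain.rpartition(".")   # unknown suffix: best effort
    return head.rsplit(".", 1)[-1], suffix


def normalise(label: str) -> str:
    """Fold homoglyphs and drop separators so lookalikes compare equal to the brand."""
    label = label.lower().replace("-", "").replace("_", "")
    for lookalike, plain in HOMOGLYPHS:
        label = label.replace(lookalike, plain)
    return label


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[len(a)][len(b)]


@dataclass
class Verdict:
    domain: str
    reason: str      # legitimate | homoglyph | brand-on-other-suffix | typosquat | brand-in-label | unrelated
    distance: int


def assess(domain: str) -> Verdict:
    """Classify one domain against the protected brand."""
    label, suffix = registrable_label(domain)
    if f"{label}.{suffix}" in LEGIT_DOMAINS:
        return Verdict(domain, "legitimate", 0)
    folded = normalise(label)
    dist = edit_distance(folded, BRAND)
    if dist == 0:
        # Exactly the brand once folded: either a character swap (homoglyph)
        # or the plain brand registered under a suffix the organisation does not own.
        plain = label.replace("-", "").replace("_", "")
        reason = "brand-on-other-suffix" if plain == BRAND else "homoglyph"
    elif dist <= 2:
        reason = "typosquat"
    elif BRAND in folded:
        reason = "brand-in-label"
    else:
        reason = "unrelated"
    return Verdict(domain, reason, dist)


def assess_sender(from_header: str) -> Verdict:
    """Run the same check on the domain part of an email From: header."""
    _, addr = parseaddr(from_header)
    return assess(addr.rpartition("@")[2])


# Constructed sample feed: new registrations and sender domains seen in mail logs.
SAMPLE_DOMAINS = [
    "redcross.org.uk", "www.redcross.org.uk", "redcr0ss.org.uk", "red-cross.com",
    "rebcross.org.uk", "redcross-donate.site", "r\u0435dcross.org.uk", "example.com",
]

PRIORITY = {"homoglyph": 0, "brand-on-other-suffix": 1, "typosquat": 2, "brand-in-label": 3}


def suspicious(domains=SAMPLE_DOMAINS) -> list[Verdict]:
    """Return only the domains that warrant analyst review, most severe first."""
    hits = [v for v in map(assess, domains) if v.reason in PRIORITY]
    return sorted(hits, key=lambda v: PRIORITY[v.reason])


if __name__ == "__main__":
    for v in suspicious():
        print(f"{v.domain:26} {v.reason:22} distance={v.distance}")
```

The output is a review queue, not an automatic takedown list: a "brand-in-label" hit such as a partner's fundraising page can be legitimate, so the verdicts are ordered by how strongly they resemble the brand and left for a human to confirm before any takedown request is raised.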

Demystifying security and the path of least resistance

As with many organisations, security at the BRC is about more than just technology; it is also about the people within the organisation. “What I’m trying to do is demystify cyber, because for most people, do they even know what cyber is,” says Cramp. “We’re a humanitarian organisation. We live and breathe our values. So to put our staff, volunteers and those that we support in danger would not be living those values, so we have to make sure they are safe, and to do that we’ve got to educate [our staff].”

As well as posting regular blogs and vlogs internally, one way that the British Red Cross is making cyber easier to understand is through gamification. It has based a phishing awareness training campaign around the classic arcade game Frogger so that people can have fun while they’re learning.

Another element of phishing awareness within BRC is to kill the potential curiosity that comes with unidentified links. Curiosity is natural, explains Cramp, and so rather than simply sending out warnings that employees may be being targeted by a particular phishing campaign, he attempts to remove the curiosity associated with potentially dangerous emails.

“We go, ‘This is happening; If you click the link, this is the screen it will show you. If you were then to go one step further, this is the chain of events that would happen,’” says Cramp. “Then hopefully what that does is it removes that degree of curiosity and educates people.”

As well as helping the volunteers and staff understand cyber, Cramp is keen to understand the people in the organisation and the way they work, so as to help keep everyone more secure. “To say that the humans are the weakest link I think is wrong, as it paints a really bad picture of the industry to point the finger at people,” he says. “People come into work to do a good job; that’s all they want to do. They don’t come in and go ‘I’m going to send this spreadsheet with all this information on to someone I shouldn’t.’ People are just trying to find the path of least resistance, so that they can do the job as best as they can.”

“People make decisions that in their eyes, whether it looks right or wrong or stupid to us, it makes perfect sense to them. If you can tap into that decision making, then you can then tap into how to make it so it works for everyone.”

As part of that effort, when testing new processes and technologies, the BRC checks whether they might be creating a shadow process that employees would use instead because they find it quicker and easier. “Understanding the user, and how they react is key,” says Cramp. “We need to make sure that we’re creating technology that is fit for the end users. They’re the ones using it, they’re the ones who are out there day in, day out. If we put controls in place that we think make it safer but actually put staff off, then all we’ve done is create that bad practice, because we’ve designed it poorly.”

DevSecOps at British Red Cross

As part of its security efforts, the British Red Cross is looking to introduce more security into its software development lifecycles. “We’re trying to introduce DevSecOps,” says Cramp. “We’re very much in our infancy in doing that and we really are learning a lot at the minute.”

Currently the main focus is introducing a minimum set of security standards that Cramp expects everybody to adhere to and apply. “I’ve tried to demystify it and bring it down to some very basic, some very minimum things that we must do, almost like the top 10 cybersecurity that the NHS has. We can’t spend time and resources on everything. If we were going to do, for example, a vulnerability test against the old standards, what would be the key checks, the key things that we would want to make sure are absolutely 100% covered?”

Integrating security into the DevOps process is not only about tools and technology but about instilling a security-first mindset amongst the development teams. “We in the industry focus a lot on tech, but the tech is such a small part of it. It’s all humans,” says Cramp. “Sit down and have that conversation with your digital teams, your development team, someone creating a new project, if you can understand what their motivations are, what their fears are.”

By understanding their views, Cramp says, you get a better sense of how security is perceived in the wider business. If teams feel that security is slowing them down, engage with them on why, and on whether that is a true reflection of the situation, and then work through it with them. “You don’t have to speak CIA; what’s your confidentiality, integrity, availability? Poof, gone, glazed over and they’ve checked out.”

Instead, Cramp says, you should talk about the risk and make people understand the impact if a particular asset or dataset is compromised. “Demystify it, let’s make people understand it, because I see that having a bigger impact, so that when someone wants to do the new technology, the new fancy widget, they’ll already be thinking about security because they understand it.”