PwC has been auditing Doctors Without Borders for years. As with many other projects, we have found that a company audit should deal with the financial aspects, yet it should also provide an opportunity for further development. That’s why Doctors Without Borders has been offered help by our Cyber & Privacy team and its five colleagues led by Michal Wojnar. A cyber security audit should not be underestimated by other non-profit organisations either.
Do you have data? And do you want us to see it? Nowadays, everything is about data and every organisation needs to protect it. Just think about what kind of information is passed on to you. Is it donors’ data? Your key employees’ data? Or data of your suppliers?
As for Doctors Without Borders, an organisation providing medical care in countries affected by war, natural disasters or epidemics, it’s quite easy to imagine hackers’ goals. There is a huge amount of sensitive information that could be of interest to them. If it were lost, it's not only the reputation of the non-profit organisation that could be jeopardised.
“Threats can be aimed at various goals – despite the fact that, as far as non-profit organisations are concerned, hackers might not be that much interested in money, their motive could be political or ideological and it should definitely not be underestimated,” explains Michal Wojnar, leader of the team.
3 stages of cyber security audit
The cooperation between our colleagues from the PwC Cyber & Privacy team and Doctors Without Borders involved three stages necessary for organising the process. We focused on process security, technical security and a review of the security of the Office 365 (O365) system used by the organisation. Such work cannot be done in a single afternoon, and it requires the involvement of the management of each audited organisation. What did the individual stages consist of?
- Security process level – You need to consider which kind of data is key to your organisation, where it is processed and how it is managed within the organisation. It is thus necessary to understand what needs to be protected and where it is located.
- Technical security level – What’s the overall security architecture of your organisation and the security of the individual components? What are its weaknesses? How can they be protected? At this stage, we evaluated more closely the security level of individual workplaces, local networks and servers as well as access management.
- Security and Office 365 settings – This stage involved a review of the security settings and of O365 as a cloud environment provided by Microsoft for team collaboration (MS Teams, SharePoint, OneDrive, Outlook) and data-containing office applications such as Microsoft Word or Excel.
As with a medical examination, the output of a cyber security audit is a diagnosis of the organisation’s security level and a proposal of treatment. After that, it depends on the level of advancement of the given organisation. Some need to be guided through the journey of cyber security. Others only need to understand the specific steps which might have been put aside. Some of these steps require a single action, as with certain kinds of vaccination, but more commonly the steps need to be practised and repeated in the future, as with your muscles when doing exercise.
“Data protection is taken very seriously by our organisation and an independent insight from the outside world is probably the best way to test our current settings,” explains Sylva Horáková, General Director at Doctors Without Borders. “The audit has provided us with a comprehensive insight of the technical as well as procedural level of our security system and it has also provided very specific recommendations that are already being realised right now. We would like to take this opportunity to thank Michal and his team, we admire and highly appreciate their excellent work and assistance.”
Don't underestimate cyber risks, there are plenty of opportunities to defend yourself
“We’re very happy that, at PwC, the support of non-profit organisations isn’t only about making financial contributions, but that we also had the chance to help them in their development, which was also the case of Doctors Without Borders. We would definitely like to keep up with this work in the future,” says Michal Wojnar and adds that cyber security of non-profit organisations is a topic which shouldn’t be left behind. “Support can be provided by private companies, whether through long-term cooperation or, as in this case, by organising a hackathon focused on the specific needs of the given organisation. Regarding cyber security, companies can also contact the National Cyber and Information Security Agency which stipulates a security standard for small and mid-sized enterprises that can also be well-applied in the non-profit sector.”
Support for Doctors Without Borders was provided by the brilliant team of PwC Cyber & Privacy volunteers including Michal Wojnar, Lucie Carne, Petr Šimsa, Kristýna Bačová, Karolína Kubínová, and Yulia Zhuleeva. We would like to thank them all!