The importance of security in grants management software

Jul 30, 2021

This is Part 1 in a 5-part series, where we look at why security is important in grantmaking and what you should look for when evaluating a grants management system.

Why does security matter?

It seems every day we hear more and more about data breaches and privacy violations. You may be wondering how this impacts you. What are the risks specifically for grants and scholarship programs?

From cyberattacks to physical loss, there are a number of possible risks to take into consideration when evaluating a grants management system. Read on to find out more about the specific risks your program may be exposed to.

Cyberattacks

There are several forms of cyberattack and they are often used in conjunction with one another. They can range from simple incursions by the technically curious to full blown disasters rendering entire cities inoperable.

Malware

Malware is malicious software that enables unauthorised access to networks for purposes of theft, sabotage or espionage. There are several types of malware including fileless malware, spyware, adware and ransomware. Out of all these, ransomware is perhaps the most well-known. Ransomware attacks, at their core, render an organisation unable to access their data unless a ransom is paid.

In 2018, the cities of Baltimore and Atlanta in the U.S.A. were attacked with ransomware, halting all city activities. In total, these attacks cost those cities more than US$17 million each.

Phishing

Phishing occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information which can then be used against them for fraudulent purposes.

Man-in-the-middle attack

Man-in-the-middle attacks involve attackers inserting themselves as relays or proxies in an ongoing, legitimate conversation or data transfer. They exploit the real-time nature of conversations and data transfers to go undetected while intercepting confidential data or inserting malicious data and links in a way indistinguishable from legitimate data.

Think of this as a type of “eavesdropping” attack, where ransomware, malware, malicious damage and other nefarious activities could be carried out by “the man in the middle”.

Denial-of-service attack

A denial-of-service (DoS) attack is a type of cyberattack that renders a computer or other device unavailable to its users by overwhelming or flooding a targeted machine with requests. These requests build up until normal traffic can no longer be processed, resulting in denial of service to further users. Basically, the computer running the services you need will not work.

SQL injection

SQL (pronounced “sequel”) stands for Structured Query Language and is a commonly used language for working with databases. A SQL injection attack consists of inserting SQL code into a query by way of data sent from the client to the application. A successful SQL injection can read and modify sensitive data and execute administrative operations on the database.
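As an added example (not code from the original post), the snippet below shows the defect the paragraph describes beside its fix, using Python's built-in sqlite3 module and a small constructed applicants table. The vulnerable lookup concatenates client data into the SQL text, so a crafted value changes the query's meaning and returns every row; the hardened lookup binds the value as a parameter, so the same input is treated as plain data and matches nothing.

```python
import sqlite3

# Constructed sample data: a tiny applicants table (an assumption for this
# example, not a schema from the post or any grants product).
APPLICANTS = [
    ("alice", "Alice Ng", "approved"),
    ("bob", "Bob Ortiz", "pending"),
    ("carol", "Carol Diaz", "rejected"),
]

# Classic injection value: closes the quoted string and appends an always-true
# condition. Kept here only to show the two lookups behave differently on it.
INJECTED = "' OR '1'='1"


def build_db():
    """Create an in-memory database holding the constructed applicants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants (username TEXT, full_name TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO applicants VALUES (?, ?, ?)", APPLICANTS)
    conn.commit()
    return conn


def lookup_status_unsafe(conn, username):
    """VULNERABLE: client-supplied text is spliced straight into the SQL."""
    sql = (
        "SELECT username, status FROM applicants WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_status_safe(conn, username):
    """HARDENED: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT username, status FROM applicants WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Return the results of both lookups on a normal and a crafted input."""
    conn = build_db()
    return {
        "unsafe_normal": lookup_status_unsafe(conn, "alice"),
        "safe_normal": lookup_status_safe(conn, "alice"),
        # The unsafe lookup leaks every applicant's status on the crafted input.
        "unsafe_injected": lookup_status_unsafe(conn, INJECTED),
        # The safe lookup finds no user literally named "' OR '1'='1".
        "safe_injected": lookup_status_safe(conn, INJECTED),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

When evaluating a grants management system, the question to ask the vendor is whether every query that touches applicant data is built with parameter binding (or an ORM that does so), as in `lookup_status_safe`, rather than by string concatenation.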

Zero-day exploit

This term refers to the time a software provider has to fix a newly discovered vulnerability, which is “zero days”, since the developers must fix the problem that has just been exposed before it is exploited by hackers.

If the hackers exploit the security hole before the software provider has managed to resolve the issue, it is known as a zero-day attack.

Bot attacks

Bots are internet robots that perform repetitive tasks on the internet, like indexing pages for search engines. However, bots can also be programmed to conduct malicious tasks such as logging keystrokes, relaying spam or some other destructive action.

A bot attack is the use of automated web requests to manipulate, defraud, or disrupt a website, application, API, or end-users and can be used for a variety of reasons, such as: content scraping, account takeover, form submission abuse, phishing, DDoS and much more. In the context of grants or scholarships, DDoS and form abuse are the most common goals of bot attacks and can lead to countless false submissions or total disruption of your platform.
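The form-submission abuse described above leaves a recognisable trace in ordinary web server logs: one client posting the application form far faster than any person could. As an added example (not code from the original post), the Python below runs a sliding-window check over a few constructed log lines and reports any source address that exceeds a submission threshold. The log format, the `/apply` path and the thresholds are assumptions for the example; lines are assumed to be in time order, as a server writes them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (assumption: "timestamp client_ip method path status").
# 203.0.113.9 posts the application form six times in four seconds, which
# is the kind of burst an automated form-abuse bot produces.
SAMPLE_LOG = """\
2021-07-30T10:00:00Z 198.51.100.7 POST /apply 200
2021-07-30T10:00:01Z 203.0.113.9 POST /apply 200
2021-07-30T10:00:02Z 203.0.113.9 POST /apply 200
2021-07-30T10:00:02Z 203.0.113.9 POST /apply 200
2021-07-30T10:00:03Z 203.0.113.9 POST /apply 200
2021-07-30T10:00:03Z 203.0.113.9 POST /apply 200
2021-07-30T10:00:04Z 203.0.113.9 POST /apply 200
2021-07-30T10:00:05Z 198.51.100.7 GET /status 200
2021-07-30T10:05:00Z 198.51.100.7 POST /apply 200
2021-07-30T10:06:00Z 198.51.100.7 POST /apply 200
"""


def parse_line(line):
    """Split one constructed log line into its typed fields."""
    ts, ip, method, path, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, method, path, int(status)


def find_submission_floods(log_text, path="/apply", max_posts=5, window_seconds=60):
    """Return {ip: peak_count} for every client that sent more than `max_posts`
    POST requests to `path` inside any `window_seconds` window.

    Lines are assumed to be in chronological order. Only the peak count seen
    per flagged address is kept, so the result is compact enough to alert on.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, req_path, _status = parse_line(line)
        if method != "POST" or req_path != path:
            continue  # only form submissions count toward the threshold
        window = recent[ip]
        window.append(ts)
        cutoff = ts - timedelta(seconds=window_seconds)
        while window and window[0] < cutoff:
            window.popleft()  # drop submissions that fell out of the window
        if len(window) > max_posts:
            peak[ip] = max(peak.get(ip, 0), len(window))
    return peak


if __name__ == "__main__":
    for ip, count in find_submission_floods(SAMPLE_LOG).items():
        print(f"possible form-abuse bot: {ip} ({count} submissions in 60s)")
```

The legitimate client in the sample (198.51.100.7) submits three times over several minutes and is never flagged, because its earlier timestamps age out of the window before the count grows. A grants platform would normally pair a check like this with rate limiting or a challenge on the form itself, so that the flood is refused rather than merely reported after the fact.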

Physical loss risks

Physical and human threats are a reality for any organisation—not just grants and scholarship programs. These risks are not to be overlooked, particularly in the evaluation of whether to use online software at all.

Loss / damage

If your program is run by way of paper applications and assessments or spreadsheets stored on a local computer, you are exposed to the realities of physical risks like fire, flooding, electrical faults and malicious damage. Even if you’re using online software, how easy would it be for a disgruntled co-worker to access your software and hit the delete button on several, or all, of your program data files?

Theft/espionage/fraud

Theft, fraud and espionage are jarring realities of life. It may seem unlikely, but you can never rule it out. If you deal in the distribution of funding, you are especially at risk. But it’s also not limited to funding programs. Do you have an unsecured paper-based or spreadsheet list of all bank accounts to be paid? Is it possible to add/modify/delete a bank account on that list? What else is unsecured? How easy is it to access?

Even data stored in online software is capable of being stolen, spied on or vulnerable to fraud. Do you share login credentials with an entire office? What stops someone from changing data? How would you know who did it? Is it worth that risk?

Digital loss risks

Programs that already run digitally also face risks of loss from unreliable digital systems, or from inappropriately inter-connecting two or more software products as a “hack” project to achieve the submission and assessment outcome.

Use of inappropriate software

Many programs are still run by way of cobbled-together systems of spreadsheets, online forms and email – none of which are purpose-built to manage grant, scholarship or funding application submissions and assessment.

These software products are totally unsecured and easily circumvented. Without naming software providers, teenagers in COVID lockdown figured out how to identify correct answers in an online questionnaire – simply by inspecting the page using their browser.

Equally, these cobbled-together systems are prone to failure. Should one software product go down, for whatever reason, the whole system could go down with it.

Use of immature or fly-by-night software

It is not easy to identify fly-by-night or immature software. The marketing websites say all the right things and the software interfaces may be quite good! Unfortunately, most of these systems are unreliable and unstable – often crashing at inopportune moments.

Risks of non-compliance with local law

There are now several countries/regions with compliance laws surrounding the handling of personally identifiable data and this list of countries and regions is growing regularly. These laws are far reaching (at times spanning continents) and come with harsh penalties for non-compliance. For example, in the European Union, non-compliance with GDPR means fines could be 10 million Euros or 2% of turnover from the previous year! And that is for less serious infringements.

For serious infringements, that goes up to 20 million or 4%, whichever is larger! No one wants to be on the wrong side of that.

Some of the more well-known compliance laws include:

This is Part 1 in a 5-part series discussing grants management software security. In Part 2, we’ll cover why using an online system is considered best practice and the preferred option to run your grants or scholarship program.

Want to learn more? Download our free ebook which includes a handy checklist you can use to evaluate different grants management systems.
