Cyber Security Awareness Month: How to protect your charity

Cyber Security Awareness Month has arrived. The month calls for better awareness and better safety practices. There’s plenty to do in the space, especially given three in ten charities report having a cyber breach in the last 12 months, according to UK Government.

 

Given the scale of the problem and charity vulnerabilities, we’re offering some quick fixes and long-term options for organisations to boost digital security.

 

 

Build awareness

 

Start with making staff aware of the most common cyber security threats. According to UK Government, the most common attack came in the form of phishing. Take the time to speak to charity staff of how these attacks occur, what form they take, and how to prevent them. 

 

 

Practice defences for phishing

 

Once you’ve made staff aware of the prevalence of phishing it’s time to test resilience.

 

Many organisations send out bait phishing emails that staff are meant to report as suspicious. Practice phishing emails may use the most up-to-date techniques, including asking to connect with senior staff, requesting bank accounts or other sensitive information.

 

Develop case studies to share so you can build out defences.

 

 

Change passwords now

 

An easy fix here. As part of Cyber Security Awareness Month, make sure the memo gets out to change passwords to avoid being compromised.  As a longer-term project, consider multi-factor authentication.            The process includes using a known username and/or password with the addition of second verification factor to prove authenticity. 

 

 

Review your cyber security policy

 

Take this occasion to update your cyber security policy as part of your annual review. At Charity Digital, we’ve developed an essential checklist to ensure that you’ve covered most of the key elements of security and updates.

 

 

Protect your network

 

With hybrid working still in place, charity staff are logging in across many different internet connections. Virtual private network (VPN) software encrypts the connection between staff computers and charity servers. Since these ‘tunnels’ rely on software, it’s critical that the VPN is secured through software and updates.

 

 

Create a guest network

 

If you regularly have visitors on premises create a guest network. This should be a separate Wi-Fi connection for guests which does not connect to your operational data.

 

 

Understand upcoming trends

 

An easy win for Cyber Security Awareness Month is to get clued up on the trends.

 

Some of the key highlights includes developments in security architecture, password protections, and MFA. Looking further on the horizon, artificial intelligence (AI) may also play a big role in determining security threats.

 

 

Back up data now

 

Saving critical data into secure cloud storage protects against accidental hardware damage, cyber attacks, and other failures.

 

Extra copies means charity staff can recover data from any period. Our top tip is to set the back up on regular intervals. This should be part of any business continuity plan. 

 

 

Check out free resources

 

Be familiar with free, online resources.

 

The NCVO offers data protection and cyber security tips for small charities. They suggest easy preventative tips as well as legal obligations to protect data. The National Cyber Security Centre also offers a comprehensive guide to avoiding breaches and phishing attacks.  

 

 

Limit app downloads

 

While we all would like to be able to freely download apps and entertainment on work laptops and mobile phones, it’s probably not a good idea from a security perspective. To safeguard operations, limit staff downloads to essential apps. Set guidelines for what’s acceptable.

 

 

Consider access

 

Think about access on a need-to-know basis.

 

Clearly not every staff member requires beneficiary, donor, or financial data. As part of designing your zero-trust architecture, user access rights are a key component to limiting potential breaches – ensure that users are verified ahead of access.

 

 

Ensure hardware is secure

 

Laptops, payment devices, and mobile phones should be secured on a regular basis. For offices, that means locking up the physical premises, password protecting computers when stepping away, and setting mobile phones to locked screens when not in use.

 

Policies should reflect who is responsible for locking up the premises and devices.

 

 

Prepare for an attack

 

Despite all the quick fixes, one of the best ways to step up your cyber security plan is to prepare for an attack. Have a procedure for identifying attacks and what action needs to be taken to resolve any damages.

 

Resolutions might include reporting incidents to trustees and police in the case of fraud. In other cases, setting aside funds for damages makes sense. This could be to pay for software upgrades or replacing hardware.