We highlight the cyber security controls that charities most need in 2024 in order to become cyber secure and achieve cyber certification
The new year is a perfect opportunity to get your charity’s cyber security in place. Robust cyber security can prevent or mitigate operational, financial, and reputational damage, keeping the data of your stakeholders safe against increasingly sophisticated cyber threats.
A good place to start with your cyber security is Cyber Essentials. Cyber Essentials is an effective, government-backed cyber security scheme, centred on five core controls that, if implemented correctly, will help you to protect your charity against the most common cyber attacks.
In short, Cyber Essentials certifies that charities have put the necessary measures in place to be cyber secure. Having met the five criteria, charities certified by Cyber Essentials are showing their donors, beneficiaries, trustees, and funders that they are taking cyber security seriously and prioritising it within their operations.
But for those in the sector who are yet to be certified, you may be more ready to do so than you think. The Cyber Essentials Readiness Tool is a free online tool, accessible on the IASME website where you can work through a series of interactive questions to determine your charity’s current level of cyber security. Based on your answers, you will be directed towards relevant guidance and a tailored action plan for your charity to take the next steps towards certification.
More than 1,700 charities have used the Readiness Tool to assess their cyber security, helping them to identify easy wins and areas for improvement. Over the last year, the Readiness Tool revealed that charities are only 8.7% less ready to certify across all Cyber Essentials controls than the average organisation across all sectors. This means they are only slightly lagging behind their private sector counterparts, despite limited in-house IT support or flexible funding to develop their infrastructure.
However, like other sectors, charities are clearly more ready to certify some controls than others. Below, we explore which core controls charities are most familiar with and which elements they need to improve in order to become more cyber secure.
The Cyber Essentials control charities are most likely to be ready to certify is patch management, according to anonymised data from IASME.
‘Security update management’, or simply ‘patch management’, is a control that prevents cyber criminals from using the vulnerabilities they find in software as an access point to your systems. Cyber Essentials requires that all critical and high-risk updates are installed within 14 days of release by the vendor.
There are two likely reasons why charities are implementing the patch management control effectively. The first is that one of the easiest and most effective ways to ensure all your software is kept up to date is to turn on automatic updates on each of your devices. Patches are then applied automatically when the respective vendor releases them.
Many devices have automatic updates enabled as default. Some updates might require the device to be manually restarted. If a device hasn’t been restarted in a while, then the update might not be installed.
You can check that automatic updates are turned on in Settings, under Update & Security, or in System Preferences, under Software Update.
The second is that most charities looking to certify to Cyber Essentials understand that using supported software is a non-negotiable part of being cyber secure.
If you have to use legacy software inside your organisation, you can still comply by segregating all your out-of-support software and devices using a firewall or VLAN, keeping them separate from your ‘in scope’ financial and business data systems.
The Cyber Essentials controls charities are least likely to be ready to certify are access control and secure configuration.
Access control is about managing who can access your data and services and what level of access they have. Secure configuration is the way you set up your computers securely to minimise the ways a cyber criminal can find a way in.
Although more data is needed to find concrete evidence of why charities find some things easier, we can look at the anecdotal evidence for some insights into why they find these controls harder. Charities may face challenges with access control and secure configuration because both controls involve many actions and processes that can be complicated by employees and volunteers working remotely and using their personal devices.
The Cyber Essentials requirements clearly state that all devices that access organisational data and services are in scope. That includes mobile phones that access work email and/or cloud services.
So how do you apply the Cyber Essentials controls to a device that is not owned by your organisation? How do you control things like account separation, password use and device locking on a volunteer’s laptop?
Let’s break down the main parts of the two controls and examine how they might specifically relate to charities.
When staff are using their own devices for business purposes, the commonly used term for this is Bring Your Own Device (BYOD). In order to apply the Cyber Essentials controls to those devices, it is recommended that you create and implement a Bring Your Own Device policy. When implementing a BYOD policy, it’s often useful to explain why the controls will make both the organisation and the individual more secure, so that they understand that you are helping make them safer too.
The following suggestions that apply to user access control and secure configuration can be included:
Users apply the password advice given by Cyber Essentials to their own devices and accounts – this allows the organisation to achieve consistent security, but also makes the individuals less exposed to cyber threats.
Users logging in on computers and tablets have a day-to-day user account that is separate from the administrator account that lets them install, modify and delete software, even if the same person has access to both. This means that if someone makes a mistake, for example clicking on a link, malware will not be able to install automatically because the user is not logged in on an admin account.
The device automatically locks when not in use and requires a PIN or passcode of six characters or more to unlock (use a biometric if available). Thieves are increasingly targeting mobile phones because of the increase in our use of banking apps. They’re looking for easy ways to steal cash, but a stolen phone also exposes confidential information if the victim is logged into their email or a file system.
Unused apps should be uninstalled – lots of devices are delivered with ‘bloatware’, which are apps vendors are paid to preinstall on new devices as a sales tactic. These apps slow down devices and bombard users with unwanted pop-ups and notifications, but they’re also a security risk because we might not think to update software that we never wanted! Most of this software can be deleted, and where it can’t there’s an option to disable it, which stops it being both a risk and a nuisance.
It is also recommended that your organisation asks all staff to follow a password policy. You can implement your password policy by giving guidance to your employees and contractors in whatever form suits you: policies, procedures, training or technical controls.
It would include:
That all default passwords on all devices are changed
Each user requires their own username and password and there are no shared accounts
Details of the process to change passwords promptly if a user knows or suspects the password or account has been compromised
The importance of using different passwords for different systems
Guidance and support on how to create good passwords within your organisation
The measures needed to protect accounts against brute-force password guessing
All accounts used for work (including personal accounts where an employee or volunteer accesses work files or can be contacted by customers, etc.) must meet one of the following:
A password of at least 8 characters (with no maximum length) combined with multi-factor authentication
For accounts protected by a password alone, a password of at least 12 characters (with no maximum length)
A password of at least 8 characters (with no maximum length) combined with automatic blocking of common passwords using a deny list*
*An automatic deny list will block users from using passwords that are on a pre-configured list of common passwords that have been breached. Organisations can create a deny list from a file of the 100,000 most commonly breached passwords compiled by the NCSC.
All accounts used for work that are accessible via the internet must force the use of multi-factor authentication (MFA). This means that people have to take two steps instead of one to prove who they are before accessing information. This is needed because cyber criminals now find it much easier to work out what our passwords are than they used to.
To combat this, vendors have added an extra layer to help us prove who we say we are, by giving them information about something we have (a trusted device, token, etc.) or sharing something we can’t change about ourselves (biometrics). Like other Cyber Essentials controls, MFA is something that will make all accounts more secure, so it’s good for users to implement it in their personal accounts too.
Organisations have a choice of several different methods that they can use for multi-factor authentication.
A trusted device: MFA techniques that use a trusted device rely on the knowledge that a user possesses a specific device (e.g. a company computer) to prove they are who they say they are. Organisations can configure cloud services to only accept authentication attempts from within their trusted enterprise networks. This ensures that users can only authenticate if they are either directly connected to that trusted network or have remote access to it over a virtual private network (VPN). In addition to, or as an alternative to, using a VPN, remote workers can be allowed to access online services only from trusted devices that are managed by the organisation.
An application: An authenticator app generates a single-use password that changes every minute. Alternatively, an app can receive push notifications that prompt the user to confirm or deny that they are currently trying to log in to a named service.
A physically separate token: These techniques use the knowledge that a user has a physical security token, which proves they are who they say they are – most people are familiar with these as they include the devices handed out by their banks. Some types require the user to unlock them before use; others just require proof of possession. Examples of physically separate tokens are FIDO Universal 2nd Factor (U2F) authenticators such as YubiKey, smartcards that are unlocked by a PIN code, and devices such as RSA tokens and chip-and-PIN card readers that generate a single-use code each time a user logs in.
A known trusted account: this is where a service sends codes to a registered email address or phone number, or telephones the user.