10 Point Checklist to Help Secure Your Data

3. Use two-factor authentication for added security

 

Passwords are also used for logging in to various accounts – for example cloud-based services such as Office 365, or internal applications such as a charity CRM system.

 

You can make it harder for hackers or other unauthorised people to access these accounts and the data they contain by enabling two-factor authentication (2FA) if it is available. All good cloud-based services should offer 2FA, and 2FA can usually be implemented on in-house systems.

 

2FA systems add a step to the logon process by requiring users to enter an access code sent to their phone or a biometric measure such as a fingerprint in addition to a password.

 

 

4. Be phishing aware

 

Phishing attacks are designed to trick people into providing their login name and password at fake websites, or to download software which records these details surreptitiously when they are entered. The cyber criminal then harvests those login details and uses them later.

 

Phishing attacks are very dangerous, so it is important that all charity workers are trained not to visit websites or download software via links in emails. Software such as PhishMe can be helpful in maintaining awareness of the threat of phishing attacks

 

 

5. Watch out for social engineering

 

Social engineering involves convincing charity staff to reveal their passwords or provide access to confidential data by posing as someone else. For example, a common practice is to call up a staff member posing as someone from the IT department and ask them for their password under some pretext.

 

The best way to protect against social engineering attacks is to make it clear to staff that there are no circumstances under which they should reveal confidential information such as a password over the phone or via email.

 

 

6. Use a VPN

 

Encryption protects data "at rest" – when it is stored on a computer disk or memory stick. But when charity staff access data over the internet – for example when connecting to office systems from home - then that data also needs to be encrypted "in flight" as it travels over the internet.

 

The best way to do this is by using virtual private network (VPN) software which encrypts the data at the beginning of its journey over the internet, and decrypts it when it leaves the internet.

 

VPN software is often included in larger charities’ internet routers, while smaller charities can use a VPN appliance or a security appliance which includes VPN software such as Cisco’s AnyConnect Apex VPN.

 

 

7. Backup securely

 

Ensuring that data is backed up regularly is important to protect against the possibility of data loss, for example in the event of a ransomware attack.

 

But backup data needs to be kept just as secure as the original data.

 

That means that encryption should be activated on backup systems, whether they are located locally or in the cloud.

 

 

8. Restrict what you share on social networks

 

Many password retrieval systems ask for personal information such as "mother’s maiden name" or "name of pet" before allowing users to reset a password. This information is supposed to be impossible for anyone else to know, but often it is available for anyone to see on Facebook or other social networks.

 

Hackers know this and collect many types of personal information about people to use during hacking attempts. For that reason, it is important not to share personal information on social networks that you have used when signing up to online accounts.

 

 

9. Use data loss protection systems

 

It is not always possible to keep hackers out of computer systems, but a data loss prevention (DLP) system makes it hard to steal data when they do break in. A DLP system works by recognising certain types of data such as credit card numbers, or particular file types such as spreadsheets, and blocking any unusual attempts to download large amounts of that type of data from your charity.

 

DLP software, which is often included in endpoint security systems as well as security appliances, can be very effective at limiting the damage that a hacker can cause

 

 

10. Delete securely

 

If you throw away an old computer or disk drive, then you never know who might retrieve it and what data they may be able to steal from it. So before you discard any computer or storage device make sure that you have deleted its contents securely. Simply deleting the files or reformatting the disk is not sufficient as data can still be retrieved after these actions.

 

The best way to delete the data from a hard disk drive securely is to use a program such as the free open-source DBAN hard drive eraser and data clearing utility which overwrites data multiple times to ensure that it can never be retrieved.

 

Solid state drives (SSDs) require a slightly different treatment: most SSD manufacturers offer free utilities which include a Secure Erase function which deletes all data securely.

 

For USB drives, the simplest option is to format the drive and then to destroy it with a hammer.