We look at four things you might be doing wrong that are putting your charity at unnecessary cyber security risk
This article is sponsored by the National Cyber Security Centre (NCSC) – a part of GCHQ. The NCSC is the UK’s technical authority on cyber security and offers a range of practical guidance and advice to help organisations and individuals stay secure online at www.ncsc.gov.uk
Falling victim to a cyber attack is often a disaster for organisations including charities. While larger ones may be able to recover – eventually – more modest ones are less likely to survive a security breach: 60% of smaller organisations cease to exist within six months of a cyber attack.
Yet many cyber attacks are relatively easy for charities to avoid. The reason charities fall victim to them is that they make basic security mistakes. Here are four of the most common, and the steps your charity can take to avoid them.
A simple act such as clicking on a malicious link in an email, or opening a malicious attachment, can lead to computers becoming infected with malware, confidential data being leaked, or ransomware bringing a charity’s operations to a halt.
The big question, then, is whether staff members and volunteers understand this. If not, it is inevitable that sooner or later the charity will fall victim to a phishing attack that could force it to close its doors.
The solution is to provide cyber security training for everyone who works at your charity – both staff and volunteers. It’s important that this is not a one-off exercise.
Instead, training should be provided “a little and often” so that everyone is continually reminded of the importance of keeping vigilant and carrying out basic security precautions.
Cyber criminals and security researchers routinely find flaws in software. Once a flaw has been discovered, any charity running the software is easy prey to a cyber criminal – it’s the digital equivalent of leaving a safe unlocked and with the door open.
Shortly after a flaw is discovered, the software author will release an update or security patch for the software that fixes the flaw, effectively closing and locking the safe door.
Yet many organisations are slow to install updates to affected software or, worse still, have no process in place to check for updates regularly and to ensure that they are installed as soon as possible.
The easiest solution for charities that may have staff working from many different locations is to switch, wherever possible, to applications running in the cloud offered by Software-as-a-Service (SaaS) providers.
SaaS offerings are updated automatically by the service provider as soon as a security update is released, which means staff can be sure they are always using the most up-to-date version of any SaaS application without having to do anything themselves.
Since not all software that charity staff use will be available from the cloud, it is also sensible to use one of the many patch management programs available. These regularly scan all the software running on a computer (or on all your charity’s computers) and automatically download any updates that become available.
Falling victim to a ransomware attack can cost your charity dearly both financially and in terms of lost reputation. In many cases a ransomware attack could prevent you from taking donations and delivering the services your charity exists to provide.
The best defence against a ransomware attack is to ensure that you take backups of all your data regularly. That means that if you lose access to your data after it is encrypted in a ransomware attack, you still have an unencrypted copy of all your data that you can extract from your backups. By doing this you can turn a ransomware attack from a disaster into an inconvenience.
The problem is that many organisations back up their data for months or even years without ever checking that the backups are successful and that all the data that they need really is being backed up.
It is common to discover that backed up data can’t be extracted from the backups because it has not been stored correctly, or that encryption keys needed to extract the data have been lost, or that some vital data has been omitted from the backup procedure due to an oversight.
The only way to verify that backups are working as expected is to conduct regular testing exercises. These involve checking that data can be extracted successfully, and that all data – including data from newly adopted applications – really is being backed up.
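As an added illustration (not part of the original article) of what such a testing exercise checks, this Python script performs a restore test against a small constructed backup: it unpacks the archive into scratch space, confirms each file restores with the digest recorded at backup time (catching archives stored incorrectly), and flags any in-scope data set that was never added to the backup job. The file names and the manifest format are assumptions for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed: data sets expected in every backup, incl. a newly adopted app (hypothetical names)
REQUIRED_SOURCES = ["donors.csv", "accounts.json", "newapp/records.db"]


def make_sample_backup(workdir):
    """Constructed backup: two files plus their SHA-256 manifest; the new app's data was never added."""
    files = {"donors.csv": b"id,name\n1,A. Donor\n", "accounts.json": b"{}"}
    archive = str(Path(workdir) / "backup.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for rel, data in files.items():
            p = Path(workdir) / rel
            p.write_bytes(data)
            tar.add(str(p), arcname=rel)
    return archive, {rel: hashlib.sha256(d).hexdigest() for rel, d in files.items()}


def restore_and_verify(archive, manifest, required=REQUIRED_SOURCES):
    """Restore test: unpack into scratch space, check each file restores with its
    recorded digest, and flag in-scope data the backup job never covered."""
    problems = {"unreadable": [], "corrupt": [], "missing": []}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive) as tar:
                # the 'data' filter (Python 3.12+ and security backports) refuses
                # entries that would write outside the scratch directory
                kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kw)
        except (tarfile.TarError, OSError) as exc:
            problems["unreadable"].append(str(exc))
            return problems
        for rel, expected in manifest.items():
            path = Path(scratch) / rel
            if not path.is_file():
                problems["missing"].append(rel)
            elif hashlib.sha256(path.read_bytes()).hexdigest() != expected:
                problems["corrupt"].append(rel)
    problems["missing"] += [r for r in required if r not in manifest]
    return problems


def run_check():
    """Build the constructed backup and verify it; returns the problem report."""
    with tempfile.TemporaryDirectory() as work:
        return restore_and_verify(*make_sample_backup(work))
```

An empty report is a pass; here the report names the new application's data, which was never added to the backup job.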
Passwords make it harder for cyber criminals to attack a charity successfully, but passwords by themselves do not provide sufficient security to protect against their attacks.
One reason for that is that many people use passwords that are easy to guess. Another is that they reuse passwords on many different sites, so if cyber criminals steal the passwords from one site, they can use that to get access to many different ones.
Recently cyber criminals have begun to bypass passwords by posing as a legitimate user and using the “forgotten your password?” function that many services offer.
Users are often asked to answer simple security questions such as their mother’s maiden name or the name of their first pet before their password can be reset, but cyber criminals can often come by this information easily.
For example, Facebook is riddled with posts such as “your stage name is your first pet’s name followed by your mother’s maiden name”, and hundreds of thousands of people respond by posting their supposed stage name. This is a treasure trove of information for cyber criminals wanting to gather information to hack into people’s accounts.
The easiest solution to the poor security provided by passwords is to activate two-factor authentication (2FA) for any accounts that staff or volunteers use, whenever possible.
2FA adds another layer of protection by requiring users to provide a one-time code from a text message or an authenticator app, in addition to their password, before they can log on to an account. That means cyber criminals will be unable to access the account even if they successfully get hold of the user’s password.