We explore some of the helpful resources on offer to charities from the National Cyber Security Centre
Did you know that more than one in ten charities in the UK only use antivirus software to look after their cyber security?
Charity Digital’s survey, The State of Cyber Security in the UK Charity Sector, revealed that only 5% of charities were using comprehensive cyber security software to stay secure, including things like password managers and VPNs.
It seems that charities are failing to grasp the tools that are available to them when it comes to cyber security. There is a perception that looking after your data and sensitive information is complex and costly. But it doesn’t have to be.
There are plenty of free resources available online, from the National Cyber Security Centre’s (NCSC) Small Charity Guide to Charity Digital’s recent video series, which looks at everything from how a cyber attack can affect your charity to the five core controls that can prevent a breach. Three in ten charities in our survey said they had positively changed their attitude towards cyber security because they had engaged with more cyber security content.
There are also many discounted software options available on the Charity Digital Exchange that can help charities – but that’s not all.
The NCSC has three tools that are entirely free for charities that can help them identify vulnerabilities in their operations and protect against cyber threats before a breach can occur.
In this article, we look at each tool and explain how they can help organisations look after their cyber security and stay safe online – starting with Web Check.
Web Check was developed by the NCSC to check for vulnerabilities on your website. Organisations can put their URLs into the tool and it will check for issues such as whether your server software is up-to-date and patched, whether any links to third party sites are secure, and if there are any issues with a server’s certificate chain (these verify that websites are trustworthy).
Web Check regularly reviews the URLs and organisations can view the results on a dashboard that sorts them according to urgency. The categories are urgent, advisory, informational, and positive – the latter tells organisations what they are doing well on their site in terms of security.
This dashboard is only accessible to the user and, if there are any issues, it tells them how to fix them. Even if the issue is complex, it gives organisations somewhere to start. If they need to consult an expert, the guidance from Web Check means they can tell them exactly what the problem is, speeding up the process of getting it sorted.
The tool is available to UK-registered charities as part of a pilot scheme, as well as local authorities, central government and devolved administrations, academic institutions, and the NHS and emergency services.
The bottom line: Web Check tells you what you need to worry about on your website, when you need to worry about it, and what you need to do about it.
The Mail Check tool helps you to understand how secure your email server configuration is, and how to improve and maintain it. The tool covers two areas of email security: anti-spoofing and email privacy.
Mail Check helps you protect your systems with ‘anti-spoofing controls’, so that criminals can’t send emails pretending to come from your charity. Fake emails from your charity address could be responsible for spreading malware or conducting fraud and will damage your reputation.
The tool teaches you about anti-spoofing controls and helps you identify and fix email sending systems so they can be trusted, whilst making sure you have confidence that your legitimate emails are being delivered.
Most organisations using Mail Check find that these controls are a critical security measure, but also improve delivery of legitimate marketing emails, preventing them going to spam folders.
The three anti-spoofing controls the Mail Check tool supports you with are DMARC, SPF, and DKIM. Mail Check will also ensure that you have proper email encryption set up on your systems so that emails remain private as they travel across the internet. This involves configuring the standards TLS and MTA-STS.
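To show what a weak and a strong anti-spoofing configuration look like in practice, here is an added example (not NCSC or Mail Check code) that audits the SPF and DMARC TXT records a domain publishes. The records are constructed for the reserved domain example.org, and DKIM is left out because checking it needs the selector names your sending systems use.

```python
# Constructed TXT records for illustration; example.org is a reserved domain.
WEAK = {"spf": ["v=spf1 include:_spf.mailer.example ~all"],
        "dmarc": ["v=DMARC1; p=none"]}
STRONG = {"spf": ["v=spf1 include:_spf.mailer.example -all"],
          "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org"]}

SPF_ALL = {"+": "spf: '+all' authorises every sender on the internet",
           "?": "spf: '?all' gives receivers no verdict on unlisted senders",
           "~": "spf: '~all' only soft-fails unlisted senders"}


def audit_spf(records):
    """Check the TXT records at the domain apex for a usable SPF policy."""
    spf = [r for r in records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["spf: expected exactly one record, found %d" % len(spf)]
    terms = spf[0].lower().split()[1:]
    # A bare 'all' has an implicit '+' qualifier.
    quals = [t[0] if t[0] in "+-~?" else "+" for t in terms
             if t.lstrip("+-~?") == "all"]
    if not quals:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is delegated; audit the redirect target instead
        return ["spf: no 'all' term, unlisted senders get a neutral result"]
    return [SPF_ALL[quals[0]]] if quals[0] in SPF_ALL else []


def audit_dmarc(records):
    """Check the TXT records at _dmarc.<domain> for an enforcing policy."""
    dmarc = [r for r in records
             if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["dmarc: expected exactly one record, found %d" % len(dmarc)]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy, pct = tags.get("p", "").lower(), tags.get("pct", "100")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc: missing or invalid p= tag")
    elif policy == "none":
        findings.append("dmarc: p=none only monitors, spoofed mail is still delivered")
    elif pct.isdigit() and int(pct) < 100:
        findings.append("dmarc: pct=%s applies the policy to only part of failing mail" % pct)
    if "rua" not in tags:
        findings.append("dmarc: no rua= address, so no aggregate reports arrive")
    return findings
```

Running `audit_spf` and `audit_dmarc` over `WEAK` returns three findings in total, while `STRONG` returns none.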
Organisations using Mail Check also noted that the tool is helpful for understanding good practice in email security, and that it has added further weight to their requests to those higher up for a proper DMARC policy, which they don’t currently have.
As with Web Check, Mail Check is available to UK-registered charities as part of a pilot scheme – the same rules of eligibility apply.
The bottom line: Mail Check helps organisations identify, understand, and prevent abuse of their email domains.
Early Warning is designed to give organisations a heads-up that there might be a problem with their cyber security that needs addressing.
The tool filters millions of events every day and if it links any potential threats to an organisation’s IP address and domain names, it notifies them so issues can be investigated and mitigated.
Essentially, Early Warning matches data from its information feeds to data given by the potential victim organisation and helps them prevent a breach before it starts.
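The matching step described above can be sketched as follows. This is an added illustration, not the NCSC's implementation: the event fields, feed contents and registered assets are all constructed, using documentation-reserved addresses and domains.

```python
import ipaddress

# Constructed registration data: what an organisation might submit at sign-up.
ASSETS = {"networks": ["203.0.113.0/28"], "domains": ["example.org"]}

# Constructed feed events; the field names are assumptions for this sketch.
EVENTS = [
    {"type": "malware-callback", "ip": "203.0.113.5"},
    {"type": "open-service", "ip": "203.0.113.77"},         # outside the /28
    {"type": "phishing-host", "domain": "donate.example.org"},
    {"type": "phishing-host", "domain": "notexample.org"},  # lookalike, not ours
    {"type": "scan-source", "ip": "not-an-ip"},             # malformed feed entry
]


def domain_matches(name, registered):
    """True if name is a registered domain or a subdomain of one.

    Matching on the '.' boundary stops 'notexample.org' from being
    treated as part of 'example.org'.
    """
    name = name.lower().rstrip(".")
    return bool(name) and any(name == d or name.endswith("." + d)
                              for d in registered)


def match_events(assets, events):
    """Return only the feed events that touch the organisation's assets."""
    networks = [ipaddress.ip_network(n) for n in assets["networks"]]
    domains = [d.lower().rstrip(".") for d in assets["domains"]]
    alerts = []
    for event in events:
        if "ip" in event:
            try:
                address = ipaddress.ip_address(event["ip"])
            except ValueError:
                continue  # skip entries that are not valid addresses
            if any(address in net for net in networks):
                alerts.append(event)
        elif domain_matches(event.get("domain", ""), domains):
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for alert in match_events(ASSETS, EVENTS):
        print(alert)
```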
Those that sign up will receive alerts that let them know if their system is actively compromised, if there are any indicators that their network has been associated with malicious activity, or if they have any vulnerabilities on their network that could be exploited.
Unlike Web Check and Mail Check, Early Warning does not need to be regularly reviewed by the user. In fact, with Early Warning, the best thing that can happen is that, once an organisation signs up, they never hear from the system again. This means that the tool has not identified any problems. No news in this case is very good news.
Organisations can sign up using an individual’s email address – for example, that of the IT professional overseeing it – or set up a dedicated email address that everyone has access to.
The latter is easier to manage because multiple members of the team have visibility and the inbox can be checked regularly, even if staff members move on. This guidance applies, too, to Web and Mail Check.
(It is also worth noting that Managed Service Providers (MSPs) acting on behalf of registered charities can also sign up for all three tools – you can email the NCSC for more information.)
Early Warning is not a complete failsafe, however. Open to all UK organisations who hold a static IP address or domain name, the tool should be used to complement their existing security controls, not instead of them.
The bottom line: Early Warning helps organisations investigate cyber attacks on their network by notifying them of malicious activity that has been detected in information feeds.