Insights
INSIGHTS
All Topics
Free cyber toolkit helps charities secure vulnerabilities
29 Mar 2021by Aidan Paterson
The Vulnerability Disclosure Toolkit from the NCSC can help charities keep their staff, service users, and supporters safe online
Experts from the National Cyber Security Centre provide guidance for charities looking to secure their vulnerabilities and protect themselves from cyber crime.
The digitisation of charity work has been the hot topic of sector discussion for some time now. The COVID-19 pandemic has accelerated existing trends of digital transformation, as charities have moved fundraising, service delivery, and outreach work into the digital world.
But this move to digital comes with its own risks as well as its own rewards. Cyber criminals are aware of the increase in the charity sector’s digital operations. They are also aware that many charities adopted their new digital processes on an ad hoc basis in March 2020 as a response to the COVID-19 pandemic.
As such, charity leaders and cyber security experts will not have had time to subject these processes to the levels of scrutiny that any new addition would go through under normal circumstances.
Any online services that do not have cyber security built into the design are vulnerable to attack.
Security vulnerabilities are discovered within online services all the time. A growing number of people are reporting them directly to the organisation responsible before a cyber criminal can take advantage.
According to a report by HackerOne, there has been a 63% increase in the number of vulnerabilities being reported to organisations over the past year.
The report goes on to highlight the importance of a good vulnerability disclosure process. It also covers how such a process can help demonstrate an organisation’s commitment to resolving cyber security issues and prioritising supporter safety.
The NCSC has produced a free Vulnerability Disclosure Toolkit to help organisations of all sizes learn more about implementing a vulnerability disclosure process. The toolkit contains three components to help improve the disclosure process: Good Communication, Clear Policy, and Ease of Use.
Related Articles
Good Communication
Setting up a dedicated email address (such as security@example.com) or contact web form ensures that the vulnerability information gets to the person who can fix the issue.
The NCSC recommend vulnerability information is protected. One of the easiest ways to achieve this is to use a secure web form. You should make sure this contact route is easy to find. You can add it to your ‘Contact Us’ web page (or privacy or security pages) and publish a security.txt.
If you don’t want to highlight it on a web page, then you should publish the contact route in a security.txt.
Clear Policy
By providing a clear policy, you define what to expect from someone reporting a vulnerability (as well as what you will do in response). This means you can work with them in an agreed framework.
The ISO standard defines the minimum requirements for a vulnerability disclosure policy.
In its basic form, a vulnerability disclosure policy should contain the following information:
- How you want to be contacted
- Secure communication options (for example, a secure web form)
- What information to include in the report
- What the finder should expect to happen
- Guidance on what is in and out of scope for the finder to do in finding vulnerabilities
Ease of Use
There is no point to a vulnerability disclosure process if no one knows it exists, or it is difficult to use.
So, the process should be easy for the organisation to set up, and easy for individuals to report vulnerabilities.
The proposed IETF standard Security.txt is a great way for an individual to easily find all the information required.
It describes a text file that webmasters can host in the “/.well-known” directory of the domain root. It advertises the organisation’s vulnerability disclosure process so that someone can quickly find all of the information needed to report a vulnerability.
The file contains two key fields:
- Contact: How finders should report vulnerabilities. For example, the email address of a link to the secure web form
- Policy: A link to the organisation’s vulnerability disclosure policy
Whilst is not intended to be a comprehensive guide to creating and implementing a vulnerability disclosure process, the toolkit will help you focus on the essential components needed to make a start.
Even if your organisation already has a process in place, please download the toolkit as it may help you to develop what you already have in place.
Download the Toolkit
Download the Toolkit to learn more
Aidan Paterson
Aidan Paterson
More on this topic
Recommended Products
21 Nov 2024by Josie Sparling
How one charity more than doubled its event’s incomeSponsored Article
21 Nov 2024by Ioan Marc Jones
How to make Christmas cards and fundraise for charity
Our Events
Charity Digital Academy
Our courses aim, in just three hours, to enhance soft skills and hard skills, boost your knowledge of finance and artificial intelligence, and supercharge your digital capabilities. Check out some of the incredible options by clicking here.
© 2022 Charity Digital Trust. All rights reserved
