How to do cyber security the right way

Does your charity have a strong security culture?

Cyber security is not something you can just do once and then forget about.

Rather, it has to be a part of everything that everybody who works at your charity is aware of and thinks about every day. In short, it has to be a part of your charity’s culture.

That means that staff must know and understand your charity’s password policy and take it into account every time they choose a password; it means they must understand that it’s not a good idea to post personal information on social media platforms that hackers could use in social engineering attacks, and it means that if they sign up for a cloud-based service they will automatically enable a two-factor authentication (2FA) option, either directly through the cloud service or by using a product such as Okta.

Does your charity offer sufficient cyber security training?

One key way to instil a cyber security culture in your charity is to provide effective training so that staff understand what cyber security risks they face, and what they should be doing to mitigate them.

Staff are far more likely to adhere to your password policy, for example, if they understand why it is important and how they can choose a password which is easy for them to remember which also complies with that policy.

Cyber security training is also one of the most effective ways of fighting the very high threat posed by phishing emails. Email security gateways can filter out a high proportion of phishing emails, but the only way to prevent your organisation from falling victim to one that gets through is by training your staff to recognise them and to treat any they are uncertain about with the utmost caution.

Do staff know how to use their own devices securely?

With many charity staff members working from home now, it is very important that they understand what security measures they need to take when using their own laptop, tablet or phone for work purposes. These should include ensuring that their mobile devices are secured with a passcode or biometric (which ensures that the data stored on the devices is encrypted), using a strong password for their laptop, and ensuring their hard drive is also encrypted.

Staff connecting to your office from home should also use a remote access VPN such as Cisco’s AnyConnect Apex SSL VPN.

Do you have an effective backup system in place?

Restoring data from backups may be the only way that your charity can recover if it falls victim to a ransomware attack, so it is essential that all data on all servers, desktops and laptops computers is backed up regularly. Your office-based systems may be backed up to a storage device in your office, but it is also good practice to back your data up to the cloud as well.

Home workers’ devices should also be backed up regularly to the cloud, and the best way to do this is to use an automatic backup service such as Arcserve UDP Cloud Direct, Carbonite Cloud Backup, or IDrive.

Have you run a cyber security risk assessment?

One of the best ways to identify any areas of your operations which pose unacceptable cyber security risks is to carry out a cyber security risk assessment. It is also something that the Charity Commission recommends all charities carry out regularly to ensure that they are adequately safeguarding their funds and assets. (A cyber security assessment may also be a prerequisite for compliance with regulations such as the General Data Protection Regulation (GDPR)).

You can follow these instructions to carry out your own cyber security risk assessment.

Have you thought about physical security?

The popular image of a cyber criminal is someone working on a computer from a room in a distant land, but the easiest way for some cyber criminals to steal your data is to come into your offices to find passwords stuck on Post-It notes, or to use an unattended computer that has been left logged in, or simply to walk away with a laptop in their bag.

To prevent this you need to have some way of keeping intruders out, and to ensure that servers and storage devices are locked away somewhere securely when the office is empty. Staff should also ensure that they log out of their computer any time they are away from their desk, and that passwords are never left written down in places where an intruder might find them.

Have you run a penetration test?

Penetration tests can be expensive, but they are arguably the best way of finding out if a cyber security could easily penetrate your defences and cause a security breach. If a professional penetration test is out of your budget then it is possible to carry our your own lower cost but less effective tests.

Do you need cyber insurance?

Cyber security breaches can and do happen regularly, despite many cyber security professionals’ best efforts. If disaster strikes the cost can be crippling to a charity, but the right cyber insurance policy in place might mean the difference between your charity recovering and being forced to close down.