The essential cyber security checklist

Complete this list to protect your operations


The National Cyber Security Centre has issued a report with frightening statistics. They found that charities are particularly vulnerable to attacks because of the sensitive data and financial information they hold.

 

The report also noted that charities are weaker when it comes to protective measures. Charities are less likely to use cyber security solutions and a whopping 64% of staff are using their own devices.

 

Phishing is the most common type of breach or attack, experienced by 83% of charities.

 

Given how pressing these findings are, we’ve developed an essential cyber security checklist. Tick these items off to help prevent attacks.

 

 

Perform a risk assessment

 

A risk assessment is the first step in establishing a cyber security checklist. Make sure you evaluate where operations may be vulnerable, what is valuable, and attempt to rank assets.

 

Top tip: When performing a risk assessment, consider not only replacement costs, but consequences of total loss.

 

 

Educate, educate, and then educate

 

The best prevention is awareness. Take the time to do annual refreshers on cyber security.

 

Top tip: For larger organisations, it may be worthwhile to invite a cybersecurity expert to speak to staff.  

 

 

Make sure your business continuity plan is in place

 

The business continuity plan is the organisation’s contingency when things go awry. Ensure that the plan is up-to-date, and that critical mission data and processes are backed up.

 

Top tip: Perform rehearsals on data and operational recovery on a regular basis.

 

 

Protect passwords

 

A zero-cost element on the checklist, passwords should be changed frequently and should have a certain complexity.

 

Top tip: Use password protection apps to avoid frequently used passwords.

 

 

Install and update cyber security software

 

Stay up to date with the latest software to ensure that operations are protected. Check for updates to anti-malware and anti-virus software, internet gateways, email filters, and other common cures.

 

Top tip: Schedule automatic updates.

 

 

Consistently evaluate access

 

Not everyone needs access to everything. To protect sensitive areas of operations, including financial controls, payment systems, and donor and beneficiary data, make sure staff are on a need-to-know basis.

 

Top tip: As an organisation, qualify and justify who has access to what.

 

 

Keep on top of digital assets

 

Taking stock of digital assets as part of the content governance strategy makes sense when assessing risk. As part of the cyber security regime, a digital asset management system could help categorize and instate different protections for media.

 

Top tip: Even a manual list of important digital assets can help narrow vulnerabilities.

 

 

Enable multi-factor authentication

 

Multi-factor authentication is used to verify entry on at least two accounts. Typically, one key is a password and the other is an unknown, random one which is generated by the user.

 

Top tip: Use MFA widely to protect processes.

 

 

Check out third-party cyber security

 

Remember, it’s not just your own staff that need to be part of the cyber security regime. Require third-party service providers, freelance and contract workers to have a Cyber Essentials certificate.

 

Top tip: Ensure third-party service providers’ devices are secure.

 

 

Keep up to date on the latest tech

 

Tech changes all the time. Stay in the know by reviewing cyber security tools and trends. Artificial intelligence is an example of a recent advancement.

 

Top tip: There are tools for even the smallest of budgets.   

 

 

Take a good look at your virtual private network

 

Virtual private networks (VPNs) are part of the critical hybrid working infrastructure. Put simply, VPNs use software to create a special connection between the connecting device and the network. Incorporate a firewall or other software to protect against intrusions.

 

Top tip: VPNs, when used properly, help to authenticate users coming into the network. This software needs to be carefully monitored.

 

 

Instate a security monitoring plan

 

The National Cyber Security Centre explains why collecting logs is important. They note that: “In the event of a concern or potential security incident, good logging practices will allow you to retrospectively look at what has happened and understand the impact of the incident.” In other words, having logs ensures that learnings are easier to come by.

 

Top tip: Remember to protect the logs from any tampering.

 

 

Prepare for attacks

 

As the most common attack charities experience is phishing, share with staff the common techniques that perpetrators use: authority, urgency, emotion, scarcity and current events. Victims often fall prey to bad actors using a number of strategies to convince them to give up passwords or access to specific systems.

 

Top tip: Test your staff by sending fake phishing emails so that they understand how to avoid and report them.


Christine Chiu
