What is hardware security (and how does it help charities)?

When it comes to charity cyber security, the solution we most commonly think of is ‘antivirus’. In Charity Digital’s latest survey with the National Cyber Security Centre (NCSC), ‘antivirus’ was by far the cyber security software that charities were most familiar with – 82% of charities said they were familiar with it, compared to just 20% who said they understood patch management.  

But keeping your devices and networks protected is more than antivirus software, and our hardware should be protecting us just as much. Yet hardware security is something the charity sector struggles to keep up with.  

For example, according to a 2022 report from the Department of Digital, Culture, Media, and Sport, a third of charity employees are not confident they can perform basic tasks such as configuring firewalls.  

In comparison, in large businesses, only 5% of digital leads are unconfident and the proportion is 12% among those working in the public sector. 

Having a firewall installed on your devices is an essential part of “hardware security” and another example of how important it is that you understand the tech you use. Only then can you know how it will protect your charity. 

In this article, we look at other ways charities can ensure their tech protects them from cyber threats and the role of hardware in cyber security.  

What is hardware security? 

At its most simple, hardware security means protection through physical devices or operations rather than software such as antivirus.  

It can be a device that monitors network traffic, such as the aforementioned firewall, or something that scans employee endpoints to detect vulnerabilities within their systems (for example, to check if their system has the latest security updates). 

According to IT company Spiceworks, hardware security “is especially necessary as attacks targeting computing as well as non-computing connected devices such as machine to machine (M2M) or internet of things (IoT) environments are becoming more prevalent as their adoption increases”. 

How can I ensure my tech keeps me secure? 

Here are three key hardware security tips that charities can follow to ensure their tech is keeping them safe. 

• Control who has access to what 

Access control is an important part of staying cyber secure, so much so that it is one of the core elements of the Cyber Essentials certification.  

Access control means regulating who can view or use your resources at any given time. One study showed that more than a fifth of cyber-attacks come from people within an organisation, either through negligence or intent. By creating accounts on your devices with different levels of access, charities can reduce that risk. 

For example, if one employee has an admin account, they can control which apps are downloaded to ensure that every app is legitimate and has a well-defined purpose within your charity. 

With more charity employees working remotely more often, access control is a really great example of how your hardware can protect you from cyber threats.  

Charities can be confident that the devices their employees or service users use have the right security in place and are not leaving the organisation itself, or its people, vulnerable to cyber attacks.  

• Always update your systems 

When updates are recommended on your laptop or computer, it is largely because there is some bug they have fixed – this is called patching. Without these updates, cyber criminals can exploit each vulnerability in your systems and hardware. Patching prevents them from getting through.  

The NCSC calls this ‘vulnerability management’. It notes that, while updating everything as soon as possible is the ideal practice, it can be difficult. There are barriers to regularly updating your systems when required, such as change in functionality, cost, and potentially reduced compatibility between apps and the updated operating system.  

But, as the NCSC points out, “it is better to start small and make progress than feel overwhelmed by the task and do nothing”. 

Charities should regularly assess vulnerabilities, even implementing a special ‘Patch Day’, by which all employees should apply their security upgrades.  

If needed, charities can prioritise updates by which ones are most important, but by setting a specific deadline for when they need to be done, employees can prepare for any lost time during the update.  

Charity IT staff can also use the deadline to monitor who has applied the updates and remind anyone who hasn’t yet carried them out to do so.

• Check security specifications when procuring new tech 

While most modern devices, whether smartphones or laptops, are considered secure enough for nearly all users, it is also important that charities take their security needs into account when buying new technology. 

Budget, accessibility, and app support may come first, but security should never be too far from our minds. Organisations should always put the people intended to use the technology first. If they struggle to use it, the chances are they may move to another less secure device to complete their work.  

If they can effectively use the tech you’re giving them, they won’t have to and you can monitor threats much more easily.  

The NCSC sets out six key steps when it comes to deciding which devices you need to use with security in mind. They are:  

1. Assess which operating systems support the software features and apps your users need to use to get their jobs done 
2. Decide on device manufacturer(s) that can meet the security requirements for your organisation as described above 
3. Decide on device types(s) that have the performance and hardware features that your users need, and that come within your budget 
4. Pilot devices before deploying them widely to ensure you have covered all aspects of the device selection that are relevant to your organisation 
5. Select the device or devices that best meet your business requirements and budget 
6. Develop a strategy for updating your list of approved devices