Charity cyber security means much more than running anti-virus software on your laptop. We take a look at everything that cyber security entails for a charity today.
Organisations around the world spent an astonishing £100 billion on cyber security measures last year, according to research house Gartner, and this figure is set to grow by over 10% during 2020.
The reason for this huge expenditure on cyber security is clear: cyber crime costs organisations more than £450 billion in damage, lost productivity, lost business, and other drains on resources every year, according to the government’s “What is cyber security” PDF.
Cyber security spending is not restricted to larger organisations. Small and mid-sized businesses and charities also require effective cyber security measures. That’s because 60% of these organisations fold within six months of falling victim to a cyber attack, according to the US-based National Cyber Security Alliance.
Cyber security or cybersecurity is the protection of computer systems and networks from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.
This is a very wide definition, covering many different types of cyber security components and systems. But, in essence, these measures are designed to prevent malicious actors or hackers from:
Hackers launch tens of thousands of attacks on organisations every day, and many specifically target charities because they believe that charity cyber security systems are likely to be less sophisticated than those of commercial organisations.
The number of successful attacks each year is also increasing: cyber security breaches have increased by 11% since 2018 and 67% since 2014, according to Accenture. Lack of effective cyber security explained many of these breaches.
The reason that charities need effective cyber security measures is that the consequences of a successful hacker attack can be very grave indeed. As mentioned earlier, 60% of small and medium-sized businesses that fall victim to attack cease to exist six months later. But even if the cyber security breach is not terminal, here are some of the other devastating effects:
There are several reasons for this. A ransomware attack could make a charity’s CRM system unusable, preventing it from running targeted fundraising campaigns. Or a website which stops working due to a hacker attack could prevent supporters from making donations online.
Desktop and laptop computers used by organisations’ staff are extremely vulnerable to attacks from hackers. That’s because they have access to the organisations’ business systems as well as to the internet, so they can provide a convenient conduit for hackers to use to access valuable confidential data.
For that reason, one of the most important types of cyber security measure is effective endpoint security software installed on every end user’s computer. Endpoint security software includes anti-virus protection, but also carries out:
Although end user systems are the Achilles heel of most organisations when it comes to cyber security, organisations including charities also need cyber security systems to protect their servers and "back end" software. This may include customer (or constituent) relationship management (CRM), human resources, accounting, and other software needed for the day to day running of the organisations.
Many organisations use a cyber security appliance such as a firewall or unified threat management (UTM) device at the border between the internet and their own network to protect these systems.
These cyber security appliances are designed to inspect all traffic coming in to the network to prevent unwanted intrusions, scanning any that is let in for viruses and other malware, and observing any that goes out to look for unexpected or unusual patterns.
Some organisations which lack skilled security staff use a managed cyber security service, where a specialist third-party cyber security company configures, manages, updates and monitors the security appliances remotely.
As an alternative to a cyber security device, some organisations choose to use cloud-based security systems to protect their computer systems.
The way these work varies, but a common approach is to set up a diversion system so that all traffic destined for any of an organisation’s computers is first sent to a cyber security system run and managed in the cloud by a security service provider. This traffic is analysed in the cloud, and only once it has passed various security checks (such as virus scans) is it then forwarded to the organisation’s computers.
This type of setup can be very attractive to smaller organisations and charities which lack the staff and expertise to run and manage their own cyber security systems, or for organisations with many different offices and remote workers.
The cyber security systems described above are designed to stop hackers (or their malicious software) from getting on to computer systems and causing problems. But in addition to these systems, practising good cyber security means removing any vulnerabilities in computer software which hackers can exploit. Removing these vulnerabilities restricts the harm that a hacker can do even if they do get access to a computer system.
An important way that organisations can remove software vulnerabilities from their systems is by ensuring that they are running the most up-to-date versions of all their software. That’s because many updates include fixes to recently discovered cyber security vulnerabilities. Patch management programs scan all the software running on an end user computer or an organisation’s servers and provide an alert if software is not up to date.
Vulnerability scanners are a related type of cyber security software which scan an organisation’s software to look for known vulnerabilities which hackers could exploit.
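The difference between the patch check and the vulnerability check described above can be seen in a small added example (not part of the original article). Every host name, software name, version and advisory ID below is constructed for illustration; a real tool would draw on vendor release feeds and published advisories.

```python
# Added illustration: all hosts, packages, versions and advisory IDs are constructed.

def parse_version(text):
    """Turn '10.4.2' into (10, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

# Constructed inventory: host -> {software: installed version}
INVENTORY = {
    "reception-laptop": {"examplebrowser": "9.12.0", "exampleoffice": "16.0.1"},
    "crm-server": {"examplecrm": "4.2.0", "exampledb": "10.4.2"},
}
# Constructed "latest release" list used by the patch check.
LATEST = {"examplebrowser": "10.1.0", "exampleoffice": "16.0.1",
          "examplecrm": "4.2.0", "exampledb": "10.4.3"}
# Constructed advisories: affected when first_bad <= installed < fixed_in.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "software": "examplebrowser",
     "first_bad": "9.0.0", "fixed_in": "10.0.0"},
    {"id": "EXAMPLE-ADV-002", "software": "examplecrm",
     "first_bad": "3.0.0", "fixed_in": "4.1.5"},
]

def outdated(inventory, latest):
    """Patch-management view: installs older than the latest known release."""
    findings = []
    for host, packages in sorted(inventory.items()):
        for name, installed in sorted(packages.items()):
            newest = latest.get(name)
            if newest and parse_version(installed) < parse_version(newest):
                findings.append((host, name, installed, newest))
    return findings

def vulnerable(inventory, advisories):
    """Vulnerability-scanner view: installs inside a known affected version range."""
    findings = []
    for host, packages in sorted(inventory.items()):
        for adv in advisories:
            installed = packages.get(adv["software"])
            low, high = parse_version(adv["first_bad"]), parse_version(adv["fixed_in"])
            if installed and low <= parse_version(installed) < high:
                findings.append((host, adv["software"], installed, adv["id"]))
    return findings

if __name__ == "__main__":
    for finding in outdated(INVENTORY, LATEST):
        print("OUT OF DATE:", *finding)
    for finding in vulnerable(INVENTORY, ADVISORIES):
        print("KNOWN VULNERABILITY:", *finding)
```

The database server shows up only in the patch check and the browser in both, which is why the two kinds of tool are run side by side. A plain text comparison would wrongly rank "9.12.0" above "10.1.0".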
No cyber security measures are 100% effective, and there is always a risk that hackers will be able to successfully attack your computer systems. It is important for charity leaders to understand those risks and take steps to manage them so that resources are directed at mitigating the biggest risks to more acceptable levels.
The way to do this is through a cyber security risk assessment, which will enable the charity to:
A cyber security assessment may also be a prerequisite for compliance with regulations such as the General Data Protection Regulation (GDPR).
Testing is an essential part of any charity cyber security program to ensure that the measures in place are effective.
There are a number of ways to do this, including checking that endpoint security software is up to date using the Anti-Malware Testing Standards Organization (AMTSO)’s Security Features Check (SFC) cyber security tools.
A penetration test is the most comprehensive form of cyber security system test. This involves trusted security experts attempting to mimic a hacker’s likely techniques to see if they can get access to computer systems or data that ought to be inaccessible. If they are successful they then provide details of the cyber security measures that need to be put in place to prevent a real hacker from having similar success.
Cyber security jobs in larger organisations tend to be fairly specialised, and their job titles reflect this. Common cyber security UK job titles include:
Smaller charities are unlikely to have the resources to recruit more than one person to look after all the cyber security requirements of the organisation. For that reason, that person is likely to be responsible for buying in specialist cyber security services from a cyber security consultancy, a managed cyber security service provider, or a cloud-based cyber security service provider. Information about the various cyber security systems that are provided can then be compiled in an organisation’s cyber security wiki.
In 2018 there was an estimated global cybersecurity staffing shortage of three million people, and that has now grown to over four million, according to research by the International Information System Security Certification Consortium. That means that the global cyber security workforce needs to grow by almost 150% in order for those cyber security job vacancies to be filled, according to the research.
As a result, cyber security jobs command high salaries, making it harder for smaller charities to recruit large cyber security teams.
All cyber security jobs require strong IT skills with a good knowledge of computer hardware, operating systems, applications software, and networking. Beyond that, many people believe that specialist skills in specific cyber security fields are necessary. These can be attained by taking cyber security courses leading to certifications such as:
But gaining a certification in cyber security is not essential for getting a job in cyber security, according to Graeme Einfelds, an IT recruitment consultant at Henry Nicholas. "It’s not always about specific skills. Many companies will get one or two higher-level IT security experts in the door, and then recruit graduates and teach them," he says.