What is charity cyber security?

 

Organisations around the world spend an astonishing £100 billion on cyber security measures in 2019, according to research house Gartner. The reason for this huge expenditure on cyber security is clear: cyber crime costs organisations more than £450 billion in damage, lost productivity, lost business, and other drains or resources every year, according to the government’s what is cyber security pdf.  

 

Cyber security spending is not restricted to larger organisations. Small and mid-sized businesses and charities also require effective cyber security measures. That’s because 60% of these organisations fold within six months of falling victim of a cyber attack, according to the US-based National Cyber Security Alliance.

 

 

What is meant by cyber security?

Cyber security or cybersecurity is the protection of computer systems and networks from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.

 

This is a very wide definition, covering many different types of cyber security components and systems. But, in essence, these measures are designed to prevent malicious actors or hackers from:

• getting unauthorised access to computer systems
• infecting computer systems with viruses or other malware which enables them to steal, modify or delete data
• fooling computer users into submitting data, payment details, or other confidential data at websites controlled by the hackers
• preventing customers or service users from accessing victim organisations’ computer systems by overloading them or diverting data traffic away from them

 

 

Why do we need charity cyber security?

Hackers launch tens of thousands of attacks on organisations every day, and many specifically target charities because they believe that charity cyber security systems are likely to be less sophisticated than those of commercial organisations.

 

The number of successful attacks each year is also increasing: Cyber security breaches have increased by 11% since 2018 and 67% since 2014, according to Accenture. Lack of effective cyber security explained many of these breaches.

 

The reason that charities need effective cyber security measures is that the consequences of a successful hacker attack can be very grave indeed. As mentioned earlier, 60% of small and medium-sized businesses that fall victim to attack cease to exist six months later. But even if the cyber security breach is not terminal, here are some of the other devastating effects:

• Loss of revenue Fundraising is the lifeblood of any charity, but a successful hack attack causes a drop in revenue in almost a third of cases, according to the Ame Group. 38% of these cases see revenue drop by 20% or more.

There are several reasons for this. A ransomware attack could make a charity’s CRM system unusable, preventing it from running targeted fundraising campaigns. Or a website which stops working due to a hacker attack could prevent supporters from making donations online.

• Loss of reputation If hackers successfully steal supporters’ personal details such as address and credit card details then this can cause significant inconvenience for them. This makes them less likely to trust the charity with those details again in the future, and this could lead to a lack of trust in the general competence of the charity as a whole.
  
  
• Loss of productivity Following a successful cyber security breach it is usually necessary to carry out a great deal of remediation work to restore data, disinfect systems and get them working again, improve cyber security measures, inform supporters if their personal data has been compromised, and carry out PR activities to try to minimise the harmful publicity which may ensue. All of this takes up staff time which would normally be spent on the charities core fundraising, service provision and other activities.
  
  
• Costs of the cyber security breach Cyber security breaches can be very costly in terms of fixing problems causes by hackers and getting systems up and running again – activities which may have to be carried out by outside cyber security experts. But there are also many other costs including the cost of informing supporters that their personal data has been compromised, legal fees, increased cyber crime or other insurance premiums, and even fines from regulators if the cyber security breach was caused by a failure to comply with regulations such as the GDPR.

 

Browse Avast discounts

 

 

Types of cyber security systems

 

Having cyber security systems in place is vital for protecting your charity - yet research revealed that one in ten charities are only using anti-virus to defend against cyber threats. 

 

Cyber security systems don’t have to be costly. Charities can find many of the solutions they need at a considerable discount on the Charity Digital Exchange, including Charity Digital’s Essential Cyber Security Bundle, which you can access here.

 

 

Endpoint protection software

 

Desktop and laptop computers used by organisations’ staff are extremely vulnerable to attacks from hackers. That’s because they have access to the organisations’ business systems as well to the internet, so they can provide a convenient conduit for hackers to use to access valuable confidential data.

 

For that reason, one of the most important types of cyber security measure is effective endpoint security software installed on every end user’s computer. Endpoint security software includes ant-virus protection, but also provides carries out:

• protection from fraudulent phishing emails and websites which hackers use to steal passwords, payment details and other information
• ransomware protection to alert a user if large numbers of files are being encrypted unexpectedly
• intrusion detection to alert a user if a hacker has gained access to the computer
• data loss protection to prevent a hacker from downloading data from the computer
• firewalling to help prevent hackers accessing the computer
• data encryption to protect data even if a hacker manages to steal it

 

Firewalls and unified threat management systems

 

Although end user systems are the Achilles heel of most organisations when it comes to cyber security, organisations including charities also need cyber security systems to protect their servers and "back end" software. This may include customer (or constituent) relationship management (CRM), human resources, accounting, and other software needed for the day to day running of the organisations.

 

Many organisations use a cyber security appliance such as a firewall or unified threat management (UTM) device at the border between the internet and their own network to protect these systems.

 

These cyber security appliances are designed to inspect all traffic coming in to the network to prevent unwanted intrusions, scanning any that is let in for viruses and other malware, and observing any that goes out to look for unexpected or unusual patterns.

 

Some organisations which lack skilled security staff use a managed cyber security service, where a specialist third-party cyber security company configures, manages, updates and monitors the security appliances remotely.

 

 

Cloud-based cyber security systems

 

As an alternative to a cyber security device, some organisations choose to use cloud-based security systems to protect their computer systems.

 

The way these work vary, but a common approach is to set up a diversion system so that all traffic destined for any of an organisation’s computers is first sent to a cyber security system run and managed in the cloud by a security service provider. This traffic is analysed in the cloud, and only once it has passed various security checks (such as virus scans) is it then forwarded to the organisation’s computers.

 

This type of setup can be very attractive to smaller organisations and charities which lack the staff and expertise to run and manage their own cyber security systems, or for organisations with many different offices and remote workers.

 

 

Cyber security incident prevention

 

The cyber security systems described above are designed to stop hackers (or their malicious software) from getting on to computer systems and causing problems. But in addition to these systems, practicing good cyber security means removing any vulnerabilities in computer software which hackers can exploit. If these vulnerabilities are removed then it restricts the harm that a hacker can do even if they do get access to a computer system.

 

An important way that organisations can remove software vulnerabilities from their systems is by ensuring that they are running the most up-to-date versions of all their software. That’s because many updates include fixes to recently discovered cyber security vulnerabilities. Patch management programs scan all the software running on an end user computer or an organisation’s servers and provide an alert if software is not up to date.

 

Vulnerability scanners are a related type of cyber security software which scan an organisation’s software to look for known vulnerabilities which hackers could exploit.

 

 

Cyber security risk assessment

 

No cyber security measures are 100% effective, and there is always a risk that hackers will be able to successfully attack your computer systems. It is important for charity leaders to understand those risks and take steps to manage them so that resources are directed at mitigating the biggest risks to more acceptable levels.

 

The way to do this is through a cyber security risk assessment, which will enable the charity to:

• Identify any areas of operations which pose unacceptable cyber security risks
• Prioritise areas that need cyber security improvements
• Reduce the chances of cyber-security breaches
• Reduce the likely financial and reputational costs of cyber security breaches
• Reduce the impact of cyber security breaches on service delivery and fundraising

A cyber security assessment may also be a prerequisite for compliance with regulations such as the General Data Protection Regulation (GDPR).

 

 

Testing charity cyber security systems

 

Testing is an essential part of any charity cyber security program to ensure that the measures in place are effective.

 

There are a number of ways to do this, including checking that endpoint security software is up to date using the Anti-Malware Testing Standards Organization (AMTSO)’s Security Features Check (SFC) cyber security tools.

 

A penetration test is the most comprehensive form of cyber security system test. This involves trusted security experts attempting to mimic a hacker’s likely techniques to see if they can get access to computer systems or data that ought to be inaccessible. If they are successful they then provide details of the cyber security measures that need to be put in place to prevent a real hacker from having similar success.

 

 

What jobs are in cyber security?

 

Cyber security jobs in larger organisations tend to be fairly specialised, and their job titles reflect this. Common cyber security UK job titles include:

• App security engineer
• Cyber security consultant
• Data protection officer
• Chief security officer
• Security analyst
• Security engineer
• Security architect
• Security and penetration testing expert

Smaller charities are unlikely to have the resources to recruit more than one person to look after all the cyber security requirements of the organisation. For that reason, they are likely to be responsible for buying in specialist cyber security services from a cyber security consultancy, a managed cyber security service provider, or a cloud-based cyber security service provider. Information about the various cyber security systems that are provided can then be compiled in an organisation’s cyber security wiki.

 

In 2018 there was an estimated global cybersecurity staffing shortage of three million people, and that has now grown to over four million, according to research by the International Information System Security Certification Consortium. That means that the global cyber security workforce needs to grow by almost 150% in order for those cyber security job vacancies to be filled, according to the research.

 

As a result, cyber security jobs command high salaries, making it harder for smaller charities to recruit large cyber security teams.

 

 

What skills are needed for cyber security?

 

All cyber security jobs require strong IT skills with a good knowledge of computer hardware, operating systems, applications software, and networking. But it is important that all employees and volunteers have a good understanding of cyber security in order to identify threats and prevent breaches. 

 

There are lots of free resources available to charities, such as the Avast Academy, whereby security experts Avast provide advice on topics such as privacy, identity protection, phishing, and much more. The National Cyber Security Centre is also home to a variety of tools and resources that charities can use, such as their Cyber Aware action plans and Web and Mail Check tools.

 

Beyond that, many people believe that specialist skills in specific cyber security fields are necessary. These can be attained by taking cyber security courses leading to certifications such as:

• Certified Information Systems Security Professional (CISSP)
• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager (CISM)

But gaining a certification in cyber security is not essential for getting a job in cyber security, according to Graeme Einfelds, an IT recruitment consultant at Henry Nicholas. "It’s not always about specific skills. Many companies will get one or two higher-level IT security experts in the door, and then recruit graduates and teach them," he says.