We look at the basics of cyber security and show how charities can protect against loss of revenue, reputational damage, financial disruption, and much more
Cyber security means protecting computer systems and networks from theft, damage, and other forms of criminal activity. Strong cyber security is essential to the charity sector, as it protects you against loss of revenue, reputational damage, financial disruption, and much more.
This article aims to empower. We want to give you the tools to protect yourself from cyber criminals and allow you to fulfil your mission without disruption. We explore, among other things, the basic definition of cyber security, the reasons you need cyber security, how to prevent cyber attacks, how to react to cyber breaches, and how to educate your team.
So, without further ado, here is everything you need to know about cyber security.
In simple terms, cyber security is the protection of your computer systems and networks from theft or damage. Cyber security protects and secures hardware, software, electronic data, and other parts of your network, ensuring there is no disruption or misdirection in the services they provide.
Cyber security provides protection against malicious attacks designed to access, alter, delete, destroy, or extort sensitive data. Cyber security is designed to prevent cyber criminals from the following:
These are the main ways in which cyber criminals operate. We will cover the exact terminology, and the exact forms of attack, later in the article. But first, we will explore the risks posed by the attacks.
Cyber security is important because our devices have become essential to our ability to deliver services, raise funds, and continue daily operations. Any act that prevents our ability to use devices poses a serious threat to our organisations. And cyber crime is certainly a threat.
Let’s look at some of the statistics. Consider, for example, that according to the Charity Digital and National Cyber Security Centre (NCSC) report, The state of cyber security in the UK charity sector:
The above shows that charities are broadly aware of the threat of attack, but seemingly do very little to prevent it. There is an awareness of cyber crime, but few charities take it as seriously as they should. That is a problem, and one that is particularly widespread in the charity sector.
The reality is that cyber attacks can be devastating. Below we look at three of the main consequences of a cyber attack, highlighting exactly why your organisation needs to adopt robust cyber security.
Cyber attacks can compromise the data of service users, volunteers, supporters, donors, and other stakeholders. That is particularly harmful to the reputation of charities, largely because charities operate on trust. The loss of trust can result in fewer donations, scepticism from service users, fewer volunteers, and a broad unwillingness to engage with your charity.
Supporters will be angry, distressed, and upset if their data has been stolen, and may cut ties with your charity, tell family and friends, report it to newspapers, or share it on social media. Employees may lose faith in their organisation if their data is breached. And service users may feel unsure about using the charity, given the organisation’s failure to protect their privacy.
In short, charities need robust cyber security to protect their reputation. They need to ensure that all stakeholders and users feel safe working with them, and can trust that their data is secure.
The cyber security market has grown in recent years, largely because of the monetary impact of cyber crime. Charities continue to fall victim to cyber attacks, partly because they believe it will not happen to them, partly because criminals know they are not well protected, and partly because charities have a much harder time justifying the expenditure on cyber security products.
But the expense is justified, because cyber attacks themselves are very expensive. The average cost of a data breach in 2021 was about £4.24 million, according to IBM’s Cost of a Data Breach report. The costs come in many forms, but theft of financial information, disruption to daily operations, loss of funds and donations, and ransom demands are common.
Small charities need to be particularly aware of the monetary costs. Cyber crime disproportionately hits small organisations. The financial impact on large companies may be huge, but relative to their scale the implications are comparatively minor. Small charities, on the other hand, face an existential threat from cyber attacks, so they need to ensure they are very well protected.
Finally, it’s worth mentioning the legal consequences, which often follow in addition to all of the above. Data protection and privacy laws require organisations to secure personal data. That could be the data of your employees, service users, donors, or any other person related to your organisation.
If your organisation’s data is compromised and you have failed to employ effective cyber security measures, you may face fines or sanctions, depending on the jurisdiction. In short, you may lose money through the cyber breach, you may face organisational disruption and reputational damage, you may lose your user data, and then face fines on top of all of the above.
There are various types of cyber attack, all of which pose different levels of threat. We run through some of the most common attacks to give you the information you need:
Malware refers to various forms of malicious software that alters the way devices operate. Malware, once installed, performs tasks without the knowledge or consent of the users of infected computers. Malware is largely used by cyber criminals to gain access to computer systems and online accounts, to steal data and other information, and to extort and steal money. Two main types of malware are ransomware and trojan horses, both of which we will cover below.
To protect your organisation against malware, check out: Everything you need to know about malware
Ransomware is a type of malware that infects end user computers, as well as servers. Once on a computer, ransomware silently encrypts all the files on the computer or just certain types of files such as databases, spreadsheets, and documents.
Ransomware then locks your device and the encrypted files become inaccessible. A ransom note then demands payment (usually in cryptocurrency) for the decryption key needed to restore access. Most ransomware also seeks out connections from an infected computer to other computers, so that a single infection can lead to a large number of devices becoming quickly infected.
To protect your organisation from ransomware, check out: What is ransomware?
Trojan horse malware is particularly nasty because it can cause considerable damage. A trojan horse can empty bank accounts, enable ransomware, and steal, modify, or delete data from your systems. The trojan horse gains its name from the fact that it is hidden inside apparently legitimate software that a user downloads and runs – unknowingly allowing the malware to carry out malicious activities.
The software containing the trojan often appears to work normally, so the user has no reason to suspect their computer has been infected. That’s why a trojan is so damaging, because it is often undetected and enters systems through supposedly legitimate means.
To protect your organisation from trojan horses, check out: What is trojan horse malware?
Phishing is one of the most devastating weapons that cyber criminals use to get their hands on your charity’s data, infect computers with malware, and steal money. Phishing is perhaps the cyber attack with which we are most familiar. Criminals send emails, texts, or other comms, attempting to trick employees or users into clicking bad links, downloading malware, or visiting dodgy websites.
It’s a form of social engineering. It is often very easy to spot – with the right training and awareness – but has become increasingly sophisticated in recent years. The key to protection is simply practising caution and knowing the potential signs of a phishing message.
To protect your organisation from phishing, check out: Real examples of phishing emails
Evil twins are Wi-Fi access points set up by a cyber criminal that look like legitimate ones, usually public Wi-Fi as found in pubs, coffee shops, and other locations. When people connect to an evil twin, the cyber criminal can intercept passwords and other confidential information prior to sending it to its intended destination – performing what is known as a man-in-the-middle attack.
The best way to keep data secure when using a Wi-Fi access point in a public place is to connect to the charity office using a remote access VPN that encrypts data so that it is unreadable. If you are not connecting to your office you can also use a standalone VPN product such as ExpressVPN or NordVPN.
For more information, check out: Six charity cyber threats
A denial-of-service (DoS) attack works by driving large amounts of internet traffic to a web server until it is overwhelmed. The result is that legitimate users who want to visit your site are unable to, which causes significant damage. Consider, for example, that supporters may be unable to donate, service users unable to use resources, and general trust in your organisation might plummet.
A DoS attack is the digital equivalent of getting thousands of people to call a company’s phone line at the same time over a sustained period: the result would be that ordinary customers would be unable to get through because the phone number would be permanently engaged.
To protect your organisation from denial-of-service, check out: What is a denial-of-service attack?
There are two elements of cyber security that organisations need to consider around cyber attacks: preventing them from happening, and reacting appropriately when they do happen.
The first is the most essential, as adequate cyber security will give you a high chance of never experiencing a cyber attack – and never having to put the second element into action.
Below we look at some of the steps that charities can take to prevent cyber attacks from occurring.
All your computers should be protected with endpoint security software, such as Bitdefender GravityZone or Norton Small Business, which provide anti-virus and anti-ransomware capabilities.
Another popular example of an endpoint security product is Avast Business Antivirus. Avast software scans and analyses suspicious information coming to and going from devices and blocks malicious files, dangerous websites, unusual behaviour, unauthorised connections, and other threats. It is suited to medium-sized charities and is available for a discounted price on the Charity Digital Exchange.
Endpoint security software also provides many other security features, such as the blocking of malicious websites to help prevent users from visiting sites that are known to contain malicious links. Larger charities can also opt to use a security gateway appliance that filters malware and other cyber threats out of all internet traffic arriving at your site.
Almost all operating systems include a firewall to block hackers. The firewall operates by simply checking all internet traffic that aims to access your computer and denying access to anything that may raise alarms.
Firewalls are often turned on by default, but can be disabled by malicious software, or accidentally by the user. So ensure that you check regularly and turn on your firewall if necessary.
Larger charities can also use a security router, such as Cisco’s C881-K9 integrated services router, to set a firewall where your charity’s network connects to the internet, as well as benefit from security features such as an intrusion prevention system and VPN connection capabilities.
Setting your Wi-Fi password is just one element of cyber security. Passwords across your organisation should be secure, as they are often the key barrier preventing cyber attacks. But passwords are only effective if they are long and complex – in other words, difficult to guess.
There is debate about passwords, but we suggest at least 13 characters, made up of upper case and lower case letters along with special characters such as ‘!’ and ‘?’. The National Cyber Security Centre advises using three random words to make it easier for users to remember their passwords and harder for cyber criminals to guess.
One effective way to ensure robust passwords is by using a password manager program, such as LastPass, Dashlane, or 1Password. Many endpoint security software options include password management, so do some digging if you’ve purchased any of the above-mentioned products.
A password manager stores all of a staff member’s passwords in encrypted form and enters them automatically whenever they are needed. A password manager only works after it is activated by entering a master password – the only password that a password manager user has to remember.
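The two pieces of advice above (a 13-character mixed-class password, or the NCSC’s three random words) can be compared in terms of how much guessing they force on an attacker. The following is an added illustration, not code from the article or from the NCSC; the dictionary size of 7776 words is an assumption taken from the EFF long wordlist, and the sample passwords are constructed.

```python
import math
import string

# Composition rule as stated in the article: at least 13 characters,
# upper- and lower-case letters, and a special character such as '!' or '?'.
MIN_LENGTH = 13
SPECIALS = set(string.punctuation)

# Assumed dictionary size for "three random words" (EFF long wordlist = 6^5).
ASSUMED_DICTIONARY_SIZE = 7776


def meets_composition_policy(password: str) -> bool:
    """True if the password satisfies the article's 13-character mixed-class rule."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c in SPECIALS for c in password)
    )


def composition_entropy_bits(password: str) -> float:
    """Upper-bound guess entropy if every character were chosen uniformly
    from the character classes present. Human-chosen passwords are far
    more predictable than this, so treat it as a ceiling, not a measurement."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in SPECIALS for c in password):
        pool += len(SPECIALS)
    return len(password) * math.log2(pool) if pool else 0.0


def random_words_entropy_bits(word_count: int = 3,
                              dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> float:
    """Guess entropy of `word_count` words drawn uniformly from a dictionary.
    Unlike the composition estimate, this holds as long as the words really
    are chosen at random (e.g. by a password manager's generator)."""
    return word_count * math.log2(dictionary_size)


def compare(password: str, words: int = 3) -> dict:
    """Report how a candidate password fares against both pieces of advice."""
    return {
        "meets_policy": meets_composition_policy(password),
        "composition_bits_ceiling": round(composition_entropy_bits(password), 1),
        "three_words_bits": round(random_words_entropy_bits(words), 1),
    }


if __name__ == "__main__":
    # Constructed examples: a policy-compliant string and a three-word passphrase.
    for candidate in ("Charity!Fund2024x", "coffeetrainfish"):
        print(candidate, compare(candidate))
```

Note that a passphrase such as `coffeetrainfish` fails the composition rule despite roughly 39 bits of genuine randomness, so a charity adopting the NCSC advice should make sure its password policy does not reject it.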
Two-factor authentication (2FA), or multifactor authentication (MFA), is a useful method of cyber security, increasingly employed by larger companies. It allows you to keep your confidential information and accounts secure, even if a hacker gets hold of your password.
You will have likely seen 2FA or MFA in action, if you have ever tried to log in and the platform asks you to input a code, provide a fingerprint, or input another form of biometric.
Cyber security breaches often involve hackers exploiting vulnerabilities in your software. That might be because you have not downloaded the latest versions or updated your applications. Old versions are often more vulnerable to breaches and thus failure to update leaves you at risk.
It is essential that you are running the most up-to-date version of your software. Charities, at a minimum, should regularly check for updates at start up and ensure their operating systems are set to update automatically. Making sure all updates are installed is referred to as ‘patching’ or ‘patch management’.
A better option is to make use of software updater programs, such as Patch My PC Updater and IObit Software Updater. As with password managers, many endpoint security programs, including those from vendors like Avast, also include software updating modules.
Phishing deserves its own piece of advice, largely because it is easy to prevent but so rarely prevented. Phishing emails, for example, account for around 80% of all reported cyber breaches.
The solution is simply awareness. Charities need to provide training to staff and volunteers to help them spot phishing emails. The training should teach them to recognise malicious links and attachments and, importantly, teach them not to click on them. Larger charities can provide continuous phishing awareness training to all their staff using a product like Cofense PhishMe.
It is also possible to reduce the number of phishing emails that staff receive by using an email security gateway, which filters out malicious emails and malware before they are delivered to inboxes.
For more information, check out the following articles:
Preventative measures are essential. And the more preventative measures you take, the better. But an unfortunate fact remains: no one is safe from cyber criminals. Even the most tech-savvy, even the best prepared, can fall victim to a cyber attack. The best way to prevent serious damage is to ensure that you react quickly and efficiently, preferably enacting a plan you have already devised.
Below we explore some of the essential steps you should take in the event of a cyber attack, looking at containment, finding support, fixing the problem, and much more.
Let’s begin at the beginning. You’ve been attacked. You’ve been breached. Your first step is containment: stopping the attack and minimising the damage. So, disconnect your charity’s network from the internet, cut off the criminals’ access to computers, and ensure no further data is removed.
Ransomware can continue encrypting data even after disconnecting from the internet, so put all devices into hibernation mode, if possible. Do not turn your computers off, though, as that can destroy evidence experts might need to work out how your charity was breached.
Disconnect everything, in essence, including back-up devices from your computers, aiming to control the breach and prevent further infection.
Change the passwords on any cloud services you use, or any other accounts that charity staff log on to. Do that as soon as possible, as one or more of these accounts may well have been compromised during the breach.
Failing to change passwords may result in cyber criminals launching another attack once the charity recovers. And, obviously, use different passwords, ensure they’re complex, and utilise a password manager programme if you have access to one.
You then need to work out what happened. You need to understand how criminals were able to attack your organisation and fix the vulnerability. The reason will likely be one of the types of attack we have specified above, such as phishing, malware introduced through software vulnerabilities, and so on.
Regardless of the type of attack and the way it was carried out, you will want a third party to work out what happened and to advise you on future preventative measures.
Perhaps the most important step in this whole process is getting a complete understanding of the impact of the cyber attack. You need to understand the exact data that was accessed, modified, or stolen, who might be affected by the breach of data, and the exact consequences of the breach.
Working out the damage means understanding all the actions the cyber criminals may have taken. They may, for example, have placed malware on your systems or installed keyloggers on your computers in order to monitor activity and intercept passwords in the future.
Consider all possibilities and mitigate against them. It can be quite complex – and exhausting – which is precisely why you should rely on experts, especially if you’re a small charity.
You should report the incident to Action Fraud by submitting an incident report. If the attack is still happening, you can call 0300 123 2040 and press 9 on your keypad. This will allow your call to be dealt with as a priority and your live incident will be triaged over the phone. Victims of significant cyber attacks should also report the attack to the NCSC, if they haven’t already asked them for advice.
Your charity is obliged to report the breach to the Information Commissioner’s Office (ICO) if the attack led to the destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. You should make the report without delay and in any case within 72 hours of discovery.
If unsure whether you need to report the incident, take the ICO’s online self-assessment. If the breach poses a high risk to the rights and freedoms of individuals, the UK GDPR states that the individual must be informed as soon as possible.
You should communicate as soon as possible in an open and sincere manner, admitting the mistakes you made, the reasons why the criminals were able to breach your systems, and any steps you plan to take to support people affected by the data breach.
Fixing the problem is the final step. That might seem counter-intuitive, but remember that the above steps should happen almost immediately. You need to mitigate the damage before fixing the problem.
Once you know what has happened and why, you can fix the vulnerabilities and ensure the attack does not happen again. Remember that you will need to address the weaknesses in your system, not simply revert to your previous level of cyber security – which leaves you open to further breaches.
For more detailed information, check out the following articles:
Charity Digital’s survey, The State of Cyber Security in the UK Charity Sector, revealed that only 5% of charities use cyber security software to stay secure, including password managers and VPNs.
Worse still, so many charities are failing to employ freely available tools and resources that will help them effectively improve cyber security. Below we note just some of the tools and resources that your charity can use, with some brief descriptions to help you find the right bits for you.
The NCSC supports the most critical organisations in the UK, the public sector, industry, SMEs, charities, and the general public. When incidents do occur, the NCSC provides effective incident response to minimise harm to the UK, help with recovery, and learn lessons for the future.
More specifically, the NCSC:
If you have any queries or questions, you can leave comments below or contact Charity Digital directly for information on tools and platforms that will bolster your cybersecurity.
The NCSC has plenty of tools. First, you can use the Web Check, which was developed by the NCSC to check for vulnerabilities on your website. Organisations can put URLs into the tool, and it will check for myriad issues, such as whether your server software is up-to-date and patched, whether any links to third party sites are secure, and whether there are any issues with a server’s certificate chain.
The Mail Check tool helps you to understand the security of your email server configuration. The tool covers two areas of email security: anti-spoofing and email privacy. It protects your systems with anti-spoofing controls so criminals can’t send emails pretending to come from your charity. The tool teaches you about anti-spoofing controls and helps you identify and fix email sending systems so they can be trusted, while ensuring that legitimate emails are delivered.
The Early Warning tool is designed to give organisations a heads-up that there might be a problem with their cyber security that needs addressing. The tool filters millions of events every day and if it links any potential threats to an organisation’s IP address and domain names, it notifies them so issues can be investigated and mitigated. Essentially, Early Warning matches data from its information feeds to data given by the potential victim organisation and helps them prevent a breach before it starts.
There are plenty of other products and services on the NCSC site, along with advice and guidance, opportunities to educate and improve cyber skills, and information on the latest cyber developments.
Much of the government’s Get Safe Online website is aimed at the general public, but its business section includes a large number of comprehensive explanatory overviews on many aspects of data security, and a jargon-buster section for breaking down many of the terms.
Get Safe Online includes a wealth of information in one place and in plain English, on the main regulations, different types of security attacks and risks, types of scams and attacks, hardware and software information, and a section on guidelines for charities with an overview of the specific responsibilities and risks, and what to do if you’re a victim of fraud.
The IASME governance standard was created during a government-funded project to create a cyber security standard that is affordable to smaller organisations and more achievable than the international ISO 27001.
IASME assesses and certifies organisations against two standards at both the self-assessment and audited levels, with specific certifications in Cyber Essentials for the health and social sector and certifications in GDPR. Charities can use the Cyber Essentials Readiness Tool to see if they have the five core controls necessary to prevent a cyber attack and become cyber certified.
You can also download a copy of the standard from their website, which is aimed at helping organisations understand their risk profile in detail and see the typical tests that you’ll need to pass to be certified. Charities should particularly take note of the Cyber Essentials Charity Week in November, when charity-specific guidance is shared and a discount is offered on the accreditation.
Charity Digital’s Exchange software donation programme has been helping charities save money on essential software for more than 18 years. Registered charities can receive as much as 96% off the retail price of software, including popular security tools from Bitdefender and Symantec, as well as tools like Avast and even add-ons to existing programmes, such as Windows Defender.
We also host webinars and publish guidance to support the charity sector in their quest to improve cyber security. We have an upcoming webinar that will run through the basics, as posted at the top of this article, and various articles, podcasts, and videos to help you navigate the complexities.