15 ways to boost your charity’s cyber security
One of the defining technology-related talking points of 2017 has been security. And with reason – earlier this year Government research found that nearly half of all UK organisations suffered a cyber breach or attack in the past 12 months, while attacks are continuing to become more sophisticated and widespread – the global WannaCry ransomware attack that caused chaos at the NHS just one example.
The fact is that all organisations – including charities – are at risk of attack. In fact, charities are a prime target for attacks as they hold or process extensive databases of personal information and payment details.
With that in mind, what can charities do to protect themselves from fraud? Here’s our list, in no particular order, of top tips:
1. Security starts with processes and policies
Draw up clear processes for everyone in your charity to follow.
2. Use a firewall to secure your internet connection
You should protect your internet connection with a firewall. This effectively creates a ‘buffer zone’ between your IT network and other, external networks. In the simplest case, this means between your computer (or computers) and ‘the internet’. Within this buffer zone, incoming traffic can be analysed to find out whether or not it should be allowed onto your network.
3. Anti-virus software is an absolute must
We hear all the time that too many charities aren’t using the most-up-to-date version, or their licenses have expired. Now’s the time to check – before it’s too late – if you have a good quality anti-virus software suite that’s fully updated. Charities can get donated licences of the latest, best antivirus through tt-exchange, so there’s really no excuse here.
4. Keep your devices and software up to date
No matter which phones, tablets, laptops or computers your organisation is using, it’s important they are kept up to date at all times. This is true for both operating systems and installed apps or software. Manufacturers and developers release regular updates which not only add new features, but also fix any security vulnerabilities that have been discovered. Operating systems, software, devices and apps should all be set to ‘automatically update’ wherever this is an option.
5. Update obsolete IT
All IT has a limited lifespan. When new updates cease to appear for your hardware or software, you should consider a modern replacement.
6. Only download from reputable sources
The National Cyber Security Centre (NCSC) recommends that you only download apps for mobile phones and tablets from manufacturer-approved stores (like Google Play or Apple App Store). These apps are checked to provide a certain level of protection from malware. You should prevent staff from downloading apps from unknown vendors/sources, as these will not have been checked.
7. Consider a sandbox
For those unable to install antivirus or limit users to approved stores, there is another, more technical, solution. Apps and programs can be run in a ‘sandbox’. This prevents them from interacting with, and harming, other parts of your devices or network.
8. Train staff to spot unusual behaviour and activity
Attacks are sophisticated and can beat the most stringent security measures, so the ability to spot an attack rapidly can make a big difference.
9. Educating staff about the need for effective security is also important
They need to play their part in ensuring software and operating systems have been updated and they’re following the correct procedures.
10. Password protection is essential
Passwords must be strong! There are loads of articles on this topic online and it’s worth pointing out that banks recommend that you never share passwords or online banking secure codes to anyone on the telephone.
11. Back everything up regularly to protect vital data
Cloud back-ups and/or off-site back-ups are a good idea and try to make back-ups automatic to ensure they happen when they should.
12. Be wary
Don’t rely on your phone’s caller display to identify a caller, because fraudsters can make your phone’s incoming display show a genuine number.
13. Control who has access to your data and services
To minimise the potential damage that could be done if an account is misused or stolen, staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role. Extra permissions should only be given to those who need them.
14. Choose the most secure settings for your devices and software
Manufacturers often set the default configurations of new software and devices to be as open and multi-functional as possible. They come with ‘everything on’ to make them easily connectable and usable. Unfortunately, these settings can also provide cyber attackers with opportunities to gain unauthorised access to your data, often with ease.