New guidance for charities: improving cyber security
In February this year the National Cyber Security Centre (‘NCSC’), which is part of GCHQ, published the results of the first assessment of cyber threat to UK charities. Charities often hold a wide variety of sensitive data and information which is valuable to cybercriminals, such as financial information and personal details of supporters, volunteers and beneficiaries. Smaller charities with a culture of openness are particularly vulnerable to cyber attack.
Falling victim to a cyber attack can have devastating consequences for a charity, both financial and reputational. Cyber security is also becoming increasingly important pending the implementation of the General Data Protection Regulation (GDPR) on 25 May 2018. Substantial penalties will be imposed on organisations that do not protect and process data in accordance with the GDPR.
Following on from its cyber threat assessment, the NCSC published guidance to help small charities defend against cyber attacks. The NCSC recommends five key steps which will help charities to defend against the most common types of cyber attack:
- Back up data
The NCSC advises backing up data regularly and keeping your backup away from your computer. Access to data backups should be restricted to key members of staff or volunteers. Using cloud storage from a reputable and secure provider can be a reliable and efficient way of backing up data. The NCSC has published guidance on cloud security.
- Prevent malware damage
Viruses are the most well-known form of malware (malicious software). The NCSC advises using antivirus software on all computers and laptops. Only approved software should be installed on devices and users should not be allowed to download apps or software from unknown sources.
Portable memory devices, such as USB sticks and memory cards, are susceptible to carrying and transferring malware between devices. It is advisable to consider restricting use of portable devices to selected approved devices, or restricting file sharing to alternative methods.
All IT equipment and software should be kept up to date with the latest versions of software and hardware. Devices can often be set to update software automatically.
- Keep smartphones and tablets safe
Smartphones and tablets can be ‘easy pickings’ for cyber criminals looking to access data. The NCSC recommends protecting devices with passwords and activating software which allows lost or stolen devices to be tracked, locked or wiped. Software and apps should be kept up to date and public Wi-Fi hotspots should be used with caution as they may be insecure, allowing others to access your device.
- Use passwords to protect data
Devices should be password protected whenever possible, and two-factor authentication is recommended for sensitive websites such as banking and email. Passwords should be unique and secure.
- Avoid phishing attacks
Phishing attacks often take the form of scam emails that request sensitive information such as bank details, or that contain links to websites which contain malware. The NCSC recommends limiting access to IT systems to the lowest level required for each individual member of staff or volunteer.
Providing training to staff or volunteers on how to spot obvious signs of phishing and warning signs to be aware of can also help to protect your charity. Encouraging staff to report phishing attacks can assist with ensuring appropriate steps are taken in response, such as changing passwords.
As charities, like other organisations and businesses, become increasingly dependent on IT, the need to take measures to step up cyber security is growing. While cyber threats cannot be guarded against in their entirety, taking steps to reduce the risks is strongly recommended.