In a recent survey conducted by Third Sector and the National Cyber Security Centre (NCSC) just half of nonprofit respondents were fully aware of the potential consequences of a cyber-attack on charities and 70% had no plans to deliver cyber security training in the next six months. A lack of action, knowledge, training and confidence among nonprofit organisations around cyber security risks and how to stay safe was concluded.
It’s impossible to fully appreciate the disruption and violation a security breach can cause until it has actually happened. Much like any other crime, cyber criminals are looking for easy targets, obvious vulnerabilities and signs of weakness, meaning preventative measures are paramount as a first line of defence. All organisations, including charities and nonprofits are open to serious risk of being targeted for their assets, data and funds and as a result – their valuable reputations. Whilst the threat of cyber-attacks is increasingly on our radar, more can be done to improve awareness and decrease risks.
As a provider of charity and nonprofit software, Assemble manages large volumes of data and takes an incredibly robust approach to cyber security. We’d like to share our expertise in this area and help raise awareness of the most common cyber threats, along with some of the simple measures that can be implemented by users to ensure that charities and nonprofits are taking a proactive approach to protect their data. We will also share some of our favourite, comprehensive resources to help support organisations when it comes to the wider range of possibilities and security measures.
Malware and viruses
If you haven’t heard of malware, this is harmful software used by cybercriminals to disrupt or exploit a network. Malware is often used to gain access to data, spam, spy on users or change the way your software or hardware performs. There are several ways users can be infected, including via email attachments and links, websites, and online adverts.
The common types of malware include viruses, worms, ransomware, spyware, adware and trojans. Many of these viruses disguise as something familiar or enticing to the user and can spread rapidly from system to system in a network or via your email contacts. The results can be devastating, from changing how a system works to huge breaches of privacy, alterations in performance to a network or device, access to a user’s keystrokes, camera or microphones or completely blocking users from accessing a device or system.
These attacks are becoming more sophisticated and can lead to catastrophic and frustrating results, from charities and nonprofit organisations being unable to function, to exposing personal data and passwords, or paying large ransoms to release data. Most IT professionals will be well versed in the best solutions to prevent a cyber-attack, but smaller charities and nonprofit organisations without everyday access to professional resources could start by looking at the following:
Antivirus / Endpoint Protection – The simplest and most cost-effective way to get started on protecting your organisation against malware is to deploy end point protection. Using an antivirus software is a first line of defence for malware and helps to detect potential threats and protect your network. These should provide essential tools to safeguard servers and web browsers from being compromised. An excellent example of an antivirus / endpoint protection product is Sophos Endpoint protection.
Patching – Keep software and devices up to date. Always download the latest versions of any software you are running and set updates on your software to ‘automatic’. Taking these simple measures will ensure you are benefitting from the most recent (and most secure) versions of your software, which should contain fewer vulnerabilities. In addition to this, make sure you remove old technologies that are not in use to close the loop on those potential inroads.
Software selection – Further to the above point, choose your software provider carefully. Reputable providers will have their own security measures in place, which in turn should provide a considerable first line of defence. Make sure you check these before selecting a software product.
Passwords and multi-factor authentication
Much of our work and personal life is spent on our mobile devices and laptops; our homes are now places of work, which provides another level of vulnerability and requires us all to be more cyber aware. This is even more true in the case of volunteers, who will often never set foot in an office but may be responsible for beneficiary data or digital campaigns on behalf of an organisation.
Furthermore, our digital footprints can become a target for cyber-criminals and should be treated with the utmost respect. With these few effortless steps, we can all ensure a more diligent approach to protecting our passwords and access to our own – and potentially others – data.
Begin by auditing the strength and complexity of your passwords. Your password is a critical pathway for cyber-criminals to access your device or software and can dictate how effectively it resists intruders. The NCSC’s advice is to choose Three Random Words. “By using a password that’s made up of three random words, you’re creating a password that will be ‘strong enough’ to keep the criminals out, but easy enough for you to remember.”
Multi-factor authentication is a robust mechanism for preventing cyber-attacks. Upon sign-in to a device or application a username and password is teamed with a code, normally generated or sent to your device via a text message or authenticator app. This combination adds an extra layer of protection and can mitigate huge risk. Although this is fast becoming a widely used method of protection, it is not always activated in every instance. For example, social media accounts often have this feature available as an option, rather than a default setting. Encourage everyone in your organisation to switch it ‘on’ wherever possible – from volunteers right through to members of the board.
Avoiding phishing attacks
Phishing attacks are designed to lure users in by baiting them with fake emails from scammers. These highly sophisticated schemes might request personal data, sensitive information, money or something else of value to the scammer. Most of us know about phishing scams, but the key is how to differentiate these from a regular email.
Educate your staff and volunteers to treat anything out of the ordinary as suspicious. Emails containing requests for payments or attachments from people you don’t know or are not expecting could be phishing. Once attachments are opened, malware may automatically install on your device without your permission. Set expectations and provide guidance to volunteers on what to look out for in a genuine email from your organisation, so that they can recognise an email request that might be bogus.
To further reduce the impact of an attack, you can begin by restricting your users’ software permissions. For example, staff, volunteers and trustees may only need the lowest level of user privilege, which can significantly slow the speed or potency of an attack and mitigate further potential damage to other users. Avoid assigning unnecessary permissions and assign only what the user needs to perform their role.
Administrators often have permission to change settings on behalf of others, including security features, so this level of access is not recommended unless essential. Administrator accounts should not be accessed or shared by other users to browse the web or check emails. Ideally these would be a separate account that is not in everyday use.
Finally, look out for the warning signs of phishing emails, which can be something as simple as checking the recipients email address. Is this an authentic email address? Does the content of the email look and sound genuine? Is the presentation, copy, spelling and/or design legitimate or what you would expect? Often phishing scams originate overseas so may contain below standard content. A phone call to the sender on a known number (not the one in the signature of the footer) would be a quick and easy way to avoid doubt.
User education and resources
Security awareness training is a great place to start. This will empower staff, volunteers and trustees to recognise common cyber security threats. Security awareness training courses will ensure users understand potential vulnerabilities and threats as well as their responsibilities when using a computer, device or network.
The NCSC “acts as a bridge between industry and government, providing a unified source of advice, guidance and support on cyber security, including the management of cyber security incidents.” It is our go-to resource on this subject.
The NCSC have a wealth of resources for charities. If you are responsible for the prevention of cyber-crime you can learn more about your current level of resilience with NCSC’s Exercise in a Box’ This online tool helps organisations test, learn, and practise their response to a cyber-attack. You may also want to check out NCSC’s 10 steps to Cyber Security which provides guidance on how organisations can protect themselves in cyberspace.
At Assemble, we take our approach to security incredibly seriously; our success depends on it. Assemble currently complies with a range of cloud security policies and controls. We are Cyber Essentials certified, which means we follow a government-backed scheme to help organisations protect themselves against the ever-growing threat of cyber-attacks. Furthermore, Assemble also holds a BSI accessed ISO 27001:2013 certification – an internationally recognised certification for its approach to information security. This officially rubber stamps our diligent approach to safeguarding data and sensitive information.
Assemble and its supporting infrastructure is frequently reviewed for potentially harmful vulnerabilities. Assemble uses industry-recognised, third-party security specialists who hold CREST and CHECK (NCSC approved) credentials, enterprise-class security solutions, and custom in-house tools to regularly analyse the application and production infrastructure to ensure that any vulnerabilities are identified and swiftly mitigated. Results of these tests are shared with Assemble management. Assemble’s security team reviews and prioritizes the reported findings and tracks them to resolution.
For more on Assemble’s approach to security and compliance read our Trust Guide.