Security. A simple, easily understandable word, and something that most charities would say they consider to be of utmost importance. So why is it that the instant you put the word ‘Cyber’ in front of it, the concept becomes so daunting? Recently, the Department for Digital, Culture, Media and Sport (DCMS) commissioned a survey of UK charities exploring awareness, attitudes and experiences around Cyber Security. The results weren’t great.
What’s the issue?
The survey shows that amongst charities there is a general feeling of uncertainty and confusion around Cyber Security, and that many organisations, especially the smaller ones, have little or no understanding of the topic. When asked, many admitted to not having considered Cyber Security until the interview. Several of the charities said that they ‘had not felt the need to learn more because Cyber Security was dealt with by an outsourced IT provider.’ An external provider can run the technology for you, but responsibility for the charity’s data (and for the consequences of a breach) stays with the charity, so trustees and staff still need enough understanding to ask the right questions and to check what is actually in place.
Another issue highlighted by the survey was the lack of funds Charities have available to set aside for Cyber Security and IT solutions. Without the necessary knowledge to address the issue themselves, and minimal cash to throw at it, it appears that many organisations are choosing to simply ignore the problem. However, as the number of Cyber Attacks steadily rises year on year, it makes sense that we should all be thinking about how secure we are, as individuals and as organisations. According to hackmageddon, it’s not just the number of security breaches that is changing, it is also the nature of them. One graph comparing 2014, 2015 and 2016 highlights just how much they have increased. In August 2014 there were 72 recorded Cyber Attacks, in August 2015 this increased by a massive 61%
Another noticeable trend is the continued rise in Malware attacks. In the same figures, Malware was the most common attack technique, rising from 19.4% of recorded attacks in May to 34.4% in June. Targeted attacks rose to 18.8% from 14.9% in May, while account hijackings dropped to 7.8% from 19.4%. So, what does this mean? As the charts show, attackers are getting smarter and more resourceful, and are shifting their methods rather than relying on one approach. Cyber Security measures are improving in response, but they only protect you if they are actually in place and kept current.
What can you do?
Going back to the Government study, one of the points raised was that charities would like to see more information made available tailored to them. Other comments included having a ‘Cyber Security checklist’ for charities. Cyber Security is by no means an easy topic to cover fully (especially in one checklist), but we like a challenge! Covering steps right from the basic elements of password protection, through to server security measures, we have come up with a simple guide to help any charity improve its Cyber Security. Just go through each topic, until every area is complete and you’re done! Seven steps to Cyber Security, especially for Charities.
1. Password Protection
Make sure that all electronic equipment used to communicate (PCs, laptops, mobile phones etc.) is password protected, including a screen lock that engages when the device is left idle. One simple way to put this in place is to produce a Password Policy for your organisation. Ensure that it covers the minimum criteria for your passwords (for example, a minimum length, and whether the same password may be reused across different systems) along with other relevant information, such as whose responsibility it is to ensure compliance. A word of caution on the criteria themselves: a longer password is worth more than a short one padded with numbers and symbols, so favour a sensible minimum length (and rejecting obvious choices such as the charity’s name or ‘Password1’) over complicated composition rules that push people into predictable patterns. You can use our sample policy as a guide. Be warned! Any policy is only as strong as its enforcement. All staff and volunteers need to be aware of the policy, and have copies available where needed.
2. Anti-Virus
Malware (literally, malicious software) is getting more sophisticated all the time, so it is important to make sure that all equipment has suitable protection. Anti-Virus is readily available for PCs, laptops and Macs, but did you know you can get Anti-Virus for your phone too? There’s a wealth of options available, so make sure you do some research before picking one. Look out for Anti-Virus software that updates itself automatically, preferably offering a choice as to when updates happen, since protection that is weeks out of date will miss the Malware currently circulating. Some providers also offer charity discounts, so be sure to ask! Remember that Anti-Virus catches what it recognises; it is a safety net, not a substitute for keeping systems patched and being careful with attachments and links.
3. Physical Security
Access to IT equipment should be no less stringent than in any other area of the organisation. If there are servers on site, make sure you keep them in locked racks in a locked room. If IT is outsourced, check that the company employed adheres to any security measures already in place. A good indicator that an IT company takes security seriously is if it has achieved ISO 27001 certification or Cyber Essentials. Mobile computing equipment must also be considered. Ensure that there are a few simple policies in place to protect them. Some to think about including are: laptops and phones are never left unattended while logged in; all mobile devices have tracking software installed; and there is the ability to remotely wipe any lost or stolen devices. Note that a remote wipe only works if the device comes back online, so also turn on full-disk encryption (built into current versions of Windows, macOS, iOS and Android); then a stolen laptop or phone that is powered off is just hardware, not a copy of your data.
4. Security Screening
We’ve all heard the adage ‘a chain is only as strong as its weakest link’, and when it comes to employees this could not be more apt. Why spend time devising and implementing stringent security processes if access is then granted unchecked? When hiring, potential employers should always ask for references going back at least five years. Any new employee should be able to supply contact details for previous employment without too much difficulty. Some charities also qualify to have DBS checks performed. Screening also works the other way round: when someone leaves, or a volunteer’s role ends, their accounts and door access should be removed promptly, otherwise the checks done at the start count for little.
5. Firewalls
A Firewall is a device or piece of software that acts as a filter between the Internet and your computers. It helps to screen out hackers, viruses or worms that try to reach computers, servers or networks via the Internet. When connected to the Internet, there is a constant flow of information in small units called packets. A firewall checks each packet against an ordered set of rules (typically where it is coming from, where it is going, which port and protocol it uses, and whether it belongs to a connection that has already been allowed) and blocks or allows it according to the first rule that matches; anything no rule covers falls to a default, which should be ‘block’. While even your home router includes one, the firewall in a standard home router tends to only filter incoming traffic and lets anything out. A good firewall filters in both directions, so that if a machine is infected, Malware trying to send your data out, or to contact its controller on an unusual port, is stopped and logged. Firewalls can also be configured to silently drop unwanted packets rather than answer them, which makes your computers, servers or networks far less visible to people scanning the Internet for something to attack.
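To make the rule matching concrete, here is a small stateless packet filter written for this article as an added example; it is not code from the original page or from any firewall product. It compares two constructed rule sets, one modelling the ‘inbound only’ behaviour of a home router and one that also filters outgoing traffic, against four constructed packets (the addresses are documentation ranges, and the ‘infected PC’ packet is a hypothetical illustration):

```python
"""Toy stateless, first-match packet filter (added example, not the article's code).

Each packet is compared against an ordered rule list; the first matching rule
decides, and if nothing matches the default policy applies. Rule sets, addresses
and packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = from the Internet towards us, "out" = leaving our network
    src: str         # source IP address
    dst: str         # destination IP address
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    direction: str                     # "in", "out" or "any"
    src: str                           # CIDR block, or "any"
    dst: str                           # CIDR block, or "any"
    dports: Optional[FrozenSet[int]]   # None means any destination port
    action: str                        # "allow" or "deny"


def _addr_in(cidr: str, addr: str) -> bool:
    """True if addr falls inside cidr ("any" matches every address)."""
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and _addr_in(rule.src, pkt.src)
            and _addr_in(rule.dst, pkt.dst)
            and (rule.dports is None or pkt.dport in rule.dports))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; otherwise the default policy (deny) applies."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return default


LAN = "10.0.0.0/24"   # constructed: the charity's internal network

# Rule set 1: a typical home router. Unsolicited inbound traffic is dropped by the
# default policy, but anything leaving the network is allowed without inspection.
HOME_ROUTER = [
    Rule("out", LAN, "any", None, "allow"),
]

# Rule set 2: inbound is still default-deny apart from the one service we publish,
# and outbound is limited to the protocols staff actually need (egress filtering).
EGRESS_FILTERED = [
    Rule("in", "any", "10.0.0.5/32", frozenset({443}), "allow"),      # published web service
    Rule("out", LAN, "any", frozenset({53, 80, 443, 587}), "allow"),   # DNS, web, mail submission
    Rule("out", LAN, "any", None, "deny"),                             # everything else leaving is refused
]

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_PACKETS = [
    Packet("in", "203.0.113.9", "10.0.0.7", 3389),    # remote-desktop probe from the Internet
    Packet("in", "203.0.113.9", "10.0.0.5", 443),     # visitor to the published web service
    Packet("out", "10.0.0.7", "198.51.100.4", 443),   # staff member browsing the web
    Packet("out", "10.0.0.7", "198.51.100.4", 6667),  # hypothetical infected PC contacting its controller
]


def decisions(rules: List[Rule], packets: List[Packet] = SAMPLE_PACKETS) -> List[str]:
    """Verdict for each packet under the given rule set."""
    return [evaluate(rules, p) for p in packets]


if __name__ == "__main__":
    for name, rules in (("home router", HOME_ROUTER), ("egress filtered", EGRESS_FILTERED)):
        print(f"{name:16s}", decisions(rules))
```

Under the home-router rules the fourth packet, the infected PC calling out on an unusual port, sails through; under the egress-filtered rules it is denied, and the public web service is still reachable. Two simplifications to be aware of: real firewalls are stateful, so replies to a connection you were allowed to open are let back in automatically rather than needing an inbound rule, and this toy ignores the protocol (TCP/UDP), which production rules always specify.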
6. Data Security
There are certain types of data that need more security than others, i.e. not everybody in an organisation should have access to personnel files, or accounts software. There are several different ways to restrict access to different types of data:
Software access restrictions - Most business software, such as fundraising or accounts packages, will come with per-user logins and permission levels. Make sure that only people who really need access have it, that each person has their own login rather than a shared one (so you can see who did what), and that they set up their passwords in line with the Password Policy mentioned earlier.
Secure Data Drives - There are network drives that are restricted in access. These are useful if there is a specific set of data, such as personnel contracts, which you need to keep on file, but only specific people should be able to read. Any IT administrator or company should be able to set these restrictions with relative ease.
Password protected documents - If there are specific documents that shouldn’t be edited or accessed without permission, there is the option to password protect the documents themselves. Don’t know how? Follow our simple ‘How to’ guide, and don’t forget to make sure those passwords conform to any Password Policy put in place. Two caveats: use the option that encrypts the file (‘Encrypt with Password’ in current versions of Office), because the older ‘protect sheet’ or ‘restrict editing’ settings only stop accidental edits and are trivially bypassed; and treat document passwords as a supplement to the restricted drives above, not a replacement, since a password sent alongside the file in the same email protects nothing.
7. Keep it Up!
So, the servers are now safe, the data is all protected, what next? Well, it’s not over! You need to ensure that the security you have put in place continues to work. You need to look at this in two ways, Monitoring and Maintenance.
Monitoring - The policies and practices will need continuous monitoring. Technology is an ever-evolving field, and so it is of paramount importance that you don’t allow gaps to open in the security that is in place. Two ways to keep on top of this are vulnerability scanning and Penetration Testing. A vulnerability scan uses specialist software to check your systems for known weaknesses (missing patches, exposed services, weak configurations) and produces a report that can be used as a checklist to address any issues. Penetration Testing goes further: a skilled tester uses those tools and their own ingenuity to actually try to break in, the way an attacker would, and reports what they got to and how. Keeping an eye on red flags, such as repeated password failures, through auditing of your logs can also help you spot brute force attacks and catch a breach early rather than months later.
Maintenance – There are always new pieces of Malware being developed and released, utilising new and ingenious means to sabotage your data. This means that in order to ensure your security stays effective, you need to make sure that your software is kept up-to-date. A ‘patch’ is a piece of software which is designed to update a computer program or its supporting data (like your firewall or Anti-Virus software) to fix or improve it. Developers release these patches regularly to fix security vulnerabilities and other bugs, and attackers study each patch to work out what it fixed, so the window between a patch being released and it being exploited is short. Most of these updates can be set to install automatically, but if nobody checks that they actually have installed, you risk leaving your systems open to attack.
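The ‘keep an eye on password failures’ advice under Monitoring above is easy to put into practice on a small scale. The following is an added example written for this article, not code from the original page: it reads login records, keeps a sliding window of failed attempts per source address, and raises an alert when one address fails too often in a short period. The log lines are constructed for the example (they follow the wording of OpenSSH’s ‘Failed password’ messages but use ISO timestamps for simplicity; real syslog lines carry a ‘Mar  4 09:02:00’ style date), as are the threshold and window:

```python
"""Brute-force login detection over authentication log lines.

Added example, not the article's code. The log excerpt, the threshold and the
window are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

# Constructed log excerpt. Timestamps are ISO format here for easy parsing;
# addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-03-04T09:00:01 fileserver sshd[811]: Accepted password for alice from 192.0.2.44 port 51002 ssh2
2024-03-04T09:01:10 fileserver sshd[812]: Failed password for alice from 192.0.2.44 port 51010 ssh2
2024-03-04T09:01:22 fileserver sshd[812]: Accepted password for alice from 192.0.2.44 port 51010 ssh2
2024-03-04T09:02:00 fileserver sshd[820]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
2024-03-04T09:02:03 fileserver sshd[821]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
2024-03-04T09:02:07 fileserver sshd[822]: Failed password for root from 203.0.113.9 port 40003 ssh2
2024-03-04T09:02:11 fileserver sshd[823]: Failed password for root from 203.0.113.9 port 40004 ssh2
2024-03-04T09:02:15 fileserver sshd[824]: Failed password for invalid user pi from 203.0.113.9 port 40005 ssh2
2024-03-04T09:02:20 fileserver sshd[825]: Failed password for invalid user pi from 203.0.113.9 port 40006 ssh2
2024-03-04T09:20:00 fileserver sshd[900]: Failed password for bob from 192.0.2.45 port 52000 ssh2
"""

# Matches only failed logins; "invalid user" is present when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_login(line: str) -> Optional[dict]:
    """Return {ts, user, ip} for a failed-login line, or None for anything else."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m.group("ts")),
            "user": m.group("user"),
            "ip": m.group("ip")}


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> Dict[str, dict]:
    """Flag source addresses with >= threshold failures inside any `window`.

    Lines are assumed to be in chronological order, as they are in a log file.
    Returns {ip: {"failures": n, "users": {...}, "first": ts, "last": ts}}, where
    the counts reflect the state when the most recent failure was seen.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames that address has tried
    alerts: Dict[str, dict] = {}
    for line in lines:
        ev = parse_failed_login(line)
        if ev is None:
            continue                       # successful logins and unrelated lines are ignored
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()                    # forget failures that have aged out of the window
        users[ev["ip"]].add(ev["user"])
        if len(q) >= threshold:
            alerts[ev["ip"]] = {"failures": len(q), "users": set(users[ev["ip"]]),
                                "first": q[0], "last": q[-1]}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        span = (info["last"] - info["first"]).total_seconds()
        print(f"ALERT {ip}: {info['failures']} failures in {span:.0f}s, "
              f"usernames tried: {sorted(info['users'])}")
```

On the sample data only 203.0.113.9 is flagged: six failures in twenty seconds, cycling through ‘admin’, ‘root’ and ‘pi’, which is the signature of an automated guessing tool, while the single mistyped passwords from staff addresses stay well under the threshold. The same sliding-window idea works for any system that logs failed logins (Windows event ID 4625, a web application, a fundraising package), and the follow-up to an alert is usually to block the address at the firewall and check whether any of the tried usernames exist.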
By following the simple steps above, alongside ensuring that data is regularly backed up (with at least one copy kept offline or otherwise disconnected from the network, so that Malware which encrypts your files cannot reach it, and with restores tested now and then so you know the backups actually work), and by keeping a proactive approach to internal Cyber Security practices, you can ensure that your organisation is safer and more secure in the Cyber World. If you have any concerns or questions about the security of your IT systems, let us know. We are always happy to offer help and guidance on all IT needs.
Brought to you by the Experts at WorkPlaceLive.