Protecting your charity – it’s everyone’s business 

By Sally Page. CCVS Deputy CEO. October 2023

The words ‘cyber security’ can sound somewhat alien. However, with the National Cyber Security Centre (NCSC) report, Cyber threat report: UK charity sector, showing that the charity sector is particularly vulnerable to cyber risk, we need to ensure that we are protecting ourselves and our beneficiaries as best we can.

Cyber security as defined by NCSC “is the means by which individuals and organisations reduce the risk of becoming victims of cyber-attack.” 

The good news is that improving cyber security isn’t nearly as complicated as you might think. CCVS have been reviewing our approach over the past 6 months, and this blog shares some of the steps we’ve taken to reduce the risk posed by a cyber-attack.

We’ve also included some of our go-to resources and guidance at the end of this blog and welcome you to get in touch with us for further support, or to share your experience.

  1. Understanding the jargon.  

The first thing I learnt was that if we familiarised ourselves with the jargon, we would be more aware of what the risks are and what we could do to mitigate them.

For example, phishing is one of the highest areas of cyber security risk for small charities, but do you know what ‘phishing’ means?  

‘Phishing’ is when criminals use scam emails, text messages or phone calls to trick their victims. The aim is often to make you visit a website, which may download a virus onto your computer, or steal bank details or other personal information. Phishing is becoming increasingly sophisticated and hard to spot.

Watch this short video for tips to help you spot phishing.  

I also go back to definitions from NCSC whenever I’m feeling unsure.  

Malware is malicious software, which – if able to run – can cause harm in many ways.  

Ransomware is a type of malware that prevents you from accessing your computer (or the data that is stored on it). The computer itself may become locked, or the data on it might be stolen, deleted or encrypted. 

  2. Passwords: Encourage the use of strong passwords and consider using a password manager.

Advice has moved on from changing passwords regularly, as this can mean that we are more likely to use a weak password that is easy to remember but also easy to hack! The recommendation from NCSC is now that passwords are strongest when you use three random words and some special characters or numbers.

Then, because we can’t keep everything in our heads, NCSC suggest using a password manager.   

A password manager securely stores and generates complex passwords, making it easier to maintain strong credentials without the need to remember them all. It enhances security and reduces the risk of password-related vulnerabilities.  

CCVS have recently introduced a password manager. There is a small monthly fee and, whilst it took some time to set up and get used to, the benefits are clear.

It’s providing a secure way to hold information, with the bonus of saving us time. For example, you can use the system to automatically log in to websites and can easily and securely share passwords with team members. Win-win!

  3. Train and empower your team to be suspicious.

It is increasingly hard to spot scams and fraud, so empowering and training your team to take the time to question what arrives in their inbox is essential.

For example, fake invoices or payment requests prey on the time-poor. Whilst financial procedures might be one of those things that fill you with dread, having processes to follow will reduce the risk of your organisation falling victim to fraud. Fraud can be as simple as your organisation receiving an invoice that claims to come from a trusted supplier, so if we don’t take the time to double check that it was expected and is approved, it is easy to become a victim of fraud.

CCVS have adopted an eLearning module by NCSC. It is a free practical resource that gives us all an understanding of what cyber security is and steps we can take to reduce risk.

  4. Software Updates: regularly updating software on devices makes a difference.

We’re all guilty of this, delaying updates for as long as possible and then wondering why our laptops have gone a bit, well, squiffy.  

Encouraging staff to install updates when prompted by their devices can make a huge difference and help protect against potential exploits, as you are ensuring the software is equipped with the latest security features.

There are also NCSC tools that you can use to check your cyber security and test your organisation’s response processes, in case you do fall victim to an attack. They are free and a great way to learn and ensure you are prepared.

  5. Positive Team Culture: promote open communication and encourage all to admit mistakes or seek support, without fear of repercussions.

We’re all human and scams are getting increasingly hard to spot. Establish an environment where everyone knows that reporting potential security incidents or seeking guidance is a valued practice. It will help you to tackle problems quickly and ensure your team feel comfortable asking for support.

Check your policies and procedures, make sure your team know how to report a suspected breach, and share lessons learnt openly along the way.

  6. Keep your smartphones (and tablets) safe.

More of us are using smartphones or tablets on a daily basis, as part of our work. This means these devices have increasing amounts of information stored on them and because they are often taken out and about, there is a greater risk of them being lost.  

NCSC give advice on how to keep mobile devices safe (more detail on P.10):

  • Turn on password protection. 
  • Make sure lost or stolen devices can be tracked, locked, or wiped.  
  • Keep your device up to date. 
  • Keep your apps up to date. 
  • Don’t connect to unknown Wi-Fi Hotspots.  

In summary, you don’t need to be an IT expert to protect your charity from cyber risks.  

There are lots of free resources to increase understanding and confidence in cyber security, no matter who you are or what you do.  

Here are some we’ve found helpful:  

  • Charity Digital have helpful articles and podcasts that tackle jargon and put cyber security into context for charities.
  • The Government’s Cyber Essentials scheme, delivered by the IASME Consortium on behalf of the National Cyber Security Centre (NCSC), can help charities implement five essential controls that can reduce the impact of common cyber-attack approaches by up to 80%.   

It is also important to be aware of what to do if you are a victim of online fraud, scams, or extortion. This is deserving of another blog but here are some helpful links:

We can help:  

If you would like to talk through any of the points in this blog or ask for additional support in this area, we are here to help.  

Email: enquiries@cambridgecvs.org.uk  
