UK charities faced an average of five cyber attacks in the past 12 months, new research has found.
According to a new report compiled by Sapio Research, 80 per cent of charities have faced between four and ten cyber attacks in the last year alone. The data further revealed that 43 per cent of companies had not upgraded their cybersecurity policy in the same space of time, despite the growing number of attacks on the sector.
The findings are worrying to say the least. While smaller non-profit organisations may not view themselves as attractive targets for cybercrime, the pools of sensitive data they hold on supporters and beneficiaries make them vulnerable. Considering the potentially ruinous consequences that can come from even a minor attack, charities cannot afford to put cybersecurity on the back-burner. With this in mind, the following six steps should be taken to protect your organisation from a potential cyber attack:
Keep your IT equipment up to date
It may not seem like much, but ensuring that the software operating systems across all devices are updated to the latest versions is the bread and butter of best practice in cybersecurity. Updates are developed with cybercrime trends in mind; they contain key upgrades that help in protecting against known threats and vulnerabilities. In 2017, the NHS fell victim to a ransomware cyber attack – all because a small number of places hadn’t upgraded their operating systems. More information on patching for maximum protection can be found in the NCSC’s guidance on vulnerability management.
Use passwords to protect your data
Keeping sensitive data on lockdown is non-negotiable for any charity and passwords are an easy and free way to ensure information is only accessible to those who need it. Even increasing password strength can add an extra layer of security to your network, but leaders would be wise to implement two-factor authentication (2FA) for important accounts. Since 2FA requires two different methods for individuals to prove their identity (usually a password and a QR code) before using a service, charities can implement this provision and thus make it much harder for outsiders to gain access.
Back up important data
With the number of ransomware attacks on the rise, taking precautions to mitigate the damage that a data breach could do to your organisation is critical. Whether it is sensitive documents, emails, financial records or supporter and beneficiary databases, securely backing up the information your charity needs to function to a separate location will provide you with a reserve should the worst happen. Remember, whether it’s stored on a separate computer or hard drive, back-ups should be restricted so that they are not accessible by all members of staff or volunteers.
Provide ongoing training at every level
Implementing policies to minimise the risk of a cyber attack on your charity is critical, but without sufficient staff-wide training, your network remains vulnerable because staff lack an understanding of best practice or the ability to spot threats early. Circulating the NCSC small charity guide is a great first step, but there are plenty of online resources and face-to-face training solutions that can ensure your staff are well-versed in the dangers of poor security and understand their responsibilities with regard to data protection.
Test your defences
It only takes one weak link for an opportunistic cybercriminal to gain access to your network. In order to understand potential pain-points in your IT infrastructure, it’s wise to undertake regular risk analysis and perform spot checks on how your staff handle interactions with other organisations. Common methods may include sending an invoice for a service you haven’t used, or tricking staff into updating their password or transferring money through a phishing email. This will ensure your people are better equipped to identify requests that are out of the ordinary and potentially harmful.
Keep your finger on the pulse
A read through The National Cyber Security Centre’s dedicated report on the UK charity sector reveals findings from a survey in which 30 charities admitted they had experienced a number of different types of threat such as ransomware attacks, phishing emails, website takedowns, viruses and even identity theft. Leaders in the third sector would be wise to bear in mind that even one fraudulent email can quickly evolve into theft of highly sensitive data and loss of valuable funds.
Formed in 2007, the Charities Security Forum represents over 400 charities across the UK and will enable you to keep up with the latest issues in data security relating to the charity sector. Amidst a fast-evolving threat landscape, keeping abreast of these issues is key in understanding exactly what your organisation is contending with.