Asking yourself these questions can help you to establish whether your charity is adequately protected from cyber security threats
It’s the news that every charity leader dreads: your organisation is experiencing a cyber attack, orchestrated by cyber criminals who want to loot as much of your confidential data as possible. The question is, will the cyber criminals be successful?
The answer to that question depends on whether you have all the cyber security measures in place needed to provide adequate protection. To get a clear picture of how effectively you are protecting your charity and how to ensure that there are no gaps in your cyber security provisions, ask yourself the following questions:
Are the cyber security basics in place?
The first line of protection for an organisation’s network of computers and storage devices is a security firewall, and every charity should have one – either as a dedicated device or as part of a network security appliance such as Cisco’s ASA 5506-X Security Appliance with FirePOWER Services.
Other security functions that a firewall or network security appliance should be providing include an intrusion detection and prevention system (IDS/IPS), data loss prevention (DLP) to help detect and block large amounts of data being exfiltrated from your network, and the facility to provide VPN connections for remote workers.
Your charity should also have an email security gateway which scans all incoming emails for viruses and malicious links to help prevent phishing attacks, and a web gateway such as the Avast Secure Web Gateway to block web-based threats before they get onto your charity’s network.
All servers and personal computers should be protected by endpoint security software such as Bitdefender’s GravityZone Business Security to provide protection against viruses and other malware such as ransomware.
Finally, you should have a rigorous procedure in place so that all your software is updated in a timely fashion with security patches, to ensure that you are not running programs with known security vulnerabilities that cyber criminals could exploit. Popular patch management tools include SolarWinds Patch Manager and Avast Business Patch Management.
Does your charity have a strong security culture?
Cyber security is not something you can just do once and then forget about.
That means that staff must know and understand your charity’s password policy and take it into account every time they choose a password. It means they must understand that it is not a good idea to post personal information on social media platforms that hackers could use in social engineering attacks. And it means that whenever they sign up for a cloud-based service they should, as a matter of course, enable a two-factor authentication (2FA) option, either directly through the cloud service or by using a product such as Okta.
Does your charity offer sufficient cyber security training?
One key way to instil a cyber security culture in your charity is to provide effective training so that staff understand what cyber security risks they face, and what they should be doing to mitigate them.
Staff are far more likely to adhere to your password policy, for example, if they understand why it is important and how they can choose a password that is easy for them to remember and also complies with that policy.
Cyber security training is also one of the most effective ways of fighting the very high threat posed by phishing emails. Email security gateways can filter out a high proportion of phishing emails, but the only way to prevent your organisation from falling victim to one that gets through is by training your staff to recognise them and to treat any they are uncertain about with the utmost caution.
Do staff know how to use their own devices securely?
With many charity staff members working from home now, it is very important that they understand what security measures they need to take when using their own laptop, tablet or phone for work purposes. These should include ensuring that their mobile devices are secured with a passcode or biometric lock (which on modern phones and tablets also ensures that the data stored on the device is encrypted), using a strong password for their laptop, and ensuring that its hard drive is also encrypted.
Staff connecting to your office from home should also use a remote access VPN such as Cisco’s AnyConnect Apex SSL VPN.
Do you have an effective backup system in place?
Restoring data from backups may be the only way that your charity can recover if it falls victim to a ransomware attack, so it is essential that all data on all servers, desktop and laptop computers is backed up regularly. Your office-based systems may be backed up to a storage device in your office, but it is also good practice to back your data up to the cloud as well.
Home workers’ devices should also be backed up regularly to the cloud, and the best way to do this is to use an automatic backup service such as Arcserve UDP Cloud Direct, Carbonite Cloud Backup, or IDrive.
Have you run a cyber security risk assessment?
One of the best ways to identify any areas of your operations which pose unacceptable cyber security risks is to carry out a cyber security risk assessment. It is also something that the Charity Commission recommends all charities carry out regularly to ensure that they are adequately safeguarding their funds and assets. (A cyber security assessment may also be a prerequisite for compliance with regulations such as the General Data Protection Regulation (GDPR)).
You can follow these instructions to carry out your own cyber security risk assessment.
Have you thought about physical security?
The popular image of a cyber criminal is someone working on a computer from a room in a distant land, but the easiest way for some cyber criminals to steal your data is to come into your offices to find passwords stuck on Post-It notes, or to use an unattended computer that has been left logged in, or simply to walk away with a laptop in their bag.
To prevent this you need to have some way of keeping intruders out, and to ensure that servers and storage devices are locked away somewhere securely when the office is empty. Staff should also ensure that they log out of their computer any time they are away from their desk, and that passwords are never left written down in places where an intruder might find them.
Have you run a penetration test?
Penetration tests can be expensive, but they are arguably the best way of finding out whether a cyber criminal could easily penetrate your defences and cause a security breach. If a professional penetration test is out of your budget, then it is possible to carry out your own lower-cost but less effective tests.
Do you need cyber insurance?
Cyber security breaches can and do happen regularly, despite many cyber security professionals’ best efforts. If disaster strikes, the cost can be crippling to a charity, but having the right cyber insurance policy in place might mean the difference between your charity recovering and being forced to close down.