Non-profits: how to do cyber-security the right way
Non-profit businesses can hold valuable data making them an enticing target for hackers. Though modern security solutions exist to help protect them, budgetary constraints and lack of knowledge can make charities more vulnerable than other businesses.
While it’s difficult to discern the true number, due to lack of reporting, a GOV UK report identified that a quarter of UK charities had a breach or attack in 2019. Another report conducted by the NCSC found that there were varying levels of awareness amongst charities; while some are aware of the value of their data, the UK body concluded that “Many, particularly smaller charities, do not realise the value and do not perceive themselves as targets”.
With that in mind, there are a few key points charities should consider to ensure they’re on the right track with their security.
Do you have security foundations?
Charities may not have the funds to invest in full scale security solutions, but many security technology providers have cost-effective, core offerings. Furthermore, if you take advantage of a managed service provider, they can help streamline licensing and provide expert support on how to keep costs down without compromising the quality of protection.
First and foremost, charities should make sure they have a strong firewall – whether a dedicated device or as part of a security appliance. The firewall should support data loss protection (DLP) and intrusion detection/protection (IDS/IPS) as a minimum, while allowing VPN connections for remote workers.
Non-profits should also make use of an email security solution. In a recent survey, 81% of charities said they’d experienced fraudulent emails within the year. While training can reduce human error where email attacks are concerned, implementing an automated solution helps make prevention much easier. By blocking most phishing and impersonation attacks before they arrive, as well as warning employees of suspicious emails, it greatly reduces the risk of a successful attack. A good email security solution will also block inappropriate websites linked in emails and prevent domain spoofing.
In case of a successful breach, having a data protection solution will help minimise loss and could prevent a fatal blow. Data protection offerings can provide ransomware, disaster recovery, storage, and file sync solutions across all devices – and are much more affordable than you think.
How strong is your internal security culture?
Most employees and volunteers are aware of cybersecurity threats, thanks to the news, but would they know how to spot a potential attack? According to a UK government survey, just 38% of charities are reporting on cybersecurity and monitoring threats. With volunteers often in the field rather than at a desk, it can be difficult to keep their mind on threats.
Training and reinforcement, combined with a strong password policy, can help charity workers stay vigilant about the risks. A password policy should include regular mandatory changes, multi-factor authentication, and strict password requirements. Volunteers and employees should know what makes a good password and should also receive regular training on how to react to a malware attack and spot phishing attempts.
Have you run a cybersecurity risk assessment?
With budget a key concern for charities looking to invest in cybersecurity, it can be worthwhile to run a risk assessment or penetration test. This will help to understand the key areas that require protection and those that could stand less investment. Though there may be an initial cost involved in running a test or assessment, identifying and subsequently protecting weak areas is a huge step forward.
Have you considered physical security and cyber insurance?
One area where non-profits can lapse is in physical security. While none of us want to believe that someone would steal from a charity, it happens. Often, the easiest way for a criminal to steal your data is to simply sit at an unattended computer in your office, read your password on a post-it note, or drop an unlabelled, malware-infected USB stick at your desk.
This is a particular risk when workers bring their devices into the field. An unattended laptop bag or phone could mean disaster if a cybercriminal comes across it. Good physical security measures for your office can greatly mitigate this risk – CCTV cameras, automatic logouts, and padlocked laptop bags all equal better protection.
You may also want to consider what measures you have in place should an attack, physical or otherwise, succeed. Planning for the worst is important, and for some, that may include a cyber insurance policy. Should you suffer a major breach, cyber insurance could ensure that the repercussions don’t put a permanent end to the important work your organisation is doing.
Please contact us to organise an informal chat/ teams/ zoom call.