IT Security for Small Charities

According to data from Openreach, the UK’s internet usage doubled in 2020. This is largely attributed to an increase of people working from home as a result of Covid-19 restrictions, as well as an increase in those utilizing on-demand media services such as Netflix and Disney Plus. However unlike more commercial firms, small charities have largely not had the luxury of an IT person, nevermind an IT team to help with the transition to working from home. Instead many charities have largely had to rely on internal knowledge and that of volunteers and supporters to move to remote working.

By and large the majority of charities have managed to transition to some kind of home working relatively quickly. Whether this has been quite limited and a case of emailing documents between employees, or by means of a Cloud environment or SaaS offering such as an online CRM. However, although the initial priority might have been giving employees the access they need to do their work from a remote location, just as much attention, if not more, should be given to the security of these platforms.

IT Security for Small Charities

IT Security sounds like a daunting and expensive task for any charity. But for a small charity with limited resources it can appear overwhelming. The good thing is, there are ways to dramatically improve your charities IT Security by following some easy and low cost measures. The National Cyber Security Centre has put together a free guide for Small Charities specifically around improving their IT security. You can download a free copy of this document below.

NCSC Cyber Security: Small Charity Guide

NCSC Small Charity Guide (197 downloads )

Increase in Cyber Attacks: Malware, Phishing, DDoS and Ransomware

Unfortunately 2020 has also seen a rise in Cyber Attacks. These have largely been in the forms of Malware, DDoS. Phishing and Ransomware (I have explained these terms below, if you would like to find out more). The good news is that you can limit your chances of falling victim to some of these through following some simple steps.

  1. Have a good password policy. This should include:
    Do not use the same password for multiple systems.
    Do not save your passwords in plain text anywhere!
    Generate strong passwords that are not predictable. (Include a mixture of characters, numbers and symbols).
    For systems which hold personal information use Two-factor Authentication (2FA) (explained below).
    Change your passwords periodically (1-3 Months).
  2. Never click on links in ‘Unexpected Emails’. Instead navigate directly to the site in question.
    Be careful of links even in emails you are expecting. Where possible instead directly navigate to the site in question.
  3. Do not download any software that you are not 100% sure that is coming from a trusted source.
    Do not click on any ads, especially look out for ads that pretend to be warnings.
    Only navigate and use sites you trust. If you are unsure, ask someone.
  4. Ensure you have antivirus software installed, enabled and up to date on your machine.
  5. Ensure you have a firewall installed and enabled on your machine.
  6. Only connect to the internet through trusted connections.
  7. Have a cleanup policy. When someone leaves your charity, there should be a process that is followed to remove them for all systems they previously had access too.
  8. Keep all software up to date. This includes operating systems and the programs used.
  9. Disaster Recovery – Keep backups. Make backups of sensitive and important documents regularly. Either in the cloud or secure physical storage, perhaps even both.
  10. Familiarise all charity employees with the NCSC Small Charity Guide and revisit the document regularly.

Terminology Explained

DDoS – Known as a distributed denial-of-service attack, is a malicious attempt to disrupt a targeted server, service or network by overwhelming its target with a flood of internet traffic. An example of this would be sending an overwhelming amount of malicious traffic to your website which would take up your websites resources and make it unavailable for your actual users.

Malware – Malware is a piece of software intentionally designed to cause damage to a computer, server, client, or computer network. Malware can make its way onto your machine from downloading genuine software from ungenuine sources, clicking on untrustworthy links in emails, direct messages or potentially (although less common) via system vulnerabilities.

Phishing – This is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. E.G Making an email look like it has come from Paypal but in fact it has come from a scammer. They will also typically make the link you click on take you to a website that they have made look like Paypal as a way of trying to convince you the email is genuine.

Ransomware – This is a little similar to Malware. However once on your machine Ransomware will lock all of your files so you can not access them. It will then demand you make a payment to them to get the password to be able to unlock and retrieve all of your files.

Two-factor Authentication (2FA) – Two-factor Authentication is where you need to pass two authentication checkpoints to get access. Typically this is by entering your password, and then entering an SMS code to confirm it is you. There are various authentications that may be part of Two-factor Authentication including using a fingerprint scanner, authentication app, etc. Two-factor Authentication is becoming the new norm as it makes it harder for anyone to gain access to your account even if they have acquired your password.

Any questions or comments, please message me or comment below.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.