How to reduce cyber risk

There are lots of things you can do and practices you can implement to help protect your charity from cyber-attacks. Here are a few ideas.

Raise awareness 

Raising awareness among staff of the risk of cyber-attacks and the ways in which they happen is the first step. Most attacks rely on social engineering: for example, people are persuaded to click on a link or reply to an email. Prevention is about protocols, but it is also about people. So, ensure that everyone in the team understands how attacks work and how they can be prevented. At the same time, security systems should be reviewed.

 

Review your current security system 

Best practices are always changing, and chances are, even if you updated your security system six months ago, you could probably make more updates now. Reviewing your current systems to tighten your cyber security will help maximise controls. This review could include areas such as: 

  • Limiting browsers 
  • Turning off unneeded services 
  • Limiting access to certain website categories e.g. retail 
  • Requiring permission to access certain website categories e.g. social media 

 

Get smarter with password policies and management 

Did you know that although it’s recommended to use a different password per platform, only 21% of people do this? That could mean that 79% of your staff might be unknowingly putting your organisation at risk.  

Getting up to date with password best practices and implementing policies is a good place to start. For example, advise staff to use a different password for every platform, and implement a password manager to support staff in remembering those passwords.

 

Enforce software updates and security patches 

Software updates are released for numerous reasons, the most important being fixes to security weaknesses. It is therefore essential for all staff to update their devices as soon as a software update is available. This helps prevent risks such as ransomware attacks, data breaches and other online threats, to which charities running out-of-date software are much more vulnerable.

 

Take special measures for remote working

With 47% of organisations opting to give employees the choice of working remotely once the pandemic is over, it’s worth mentioning that increased online working means increased cyber security risks. You should consider the risks involved and develop remote working policies and procedures. Some things to think about include: 

  • Office-based IT systems can be secured to a high level. When we move to working from home, however, we rely more heavily on the internet and cloud-based systems, as staff need to access files and data online, which grows your attack surface and therefore your risk of cyber-attack. 
     
  • In addition, there are other considerations, such as the increased risk of phishing attacks. In fact, did you know that a 2020 report found a 600% increase in reported phishing emails in the first month of the pandemic, with many of these attempts piggybacking on pandemic uncertainty?  

Ideally, staff should be encouraged to use their work laptops, which have the relevant remote access and security controls in place. This will reduce the chances of a successful attack, ensure the right defence tools are in place and allow IT to respond efficiently and appropriately should the worst happen. 

If your volunteers do not have work laptops or phones, it may be worth investing in them. Otherwise, consider the risks involved in using personal devices (particularly when personal or sensitive data is involved) and put plans in place to mitigate those risks. 

  • Naturally, tired employees make mistakes. And did you know that a recent survey found that remote staff worked on average five hours a week more than office-based staff? This could be due to remote staff over-compensating for the flexibility given to them, or because they can catch up on work in their spare time at home.  

If remote workers are putting in more hours, they may grow tired which could result in mistakes. This could mean saving documents in incorrect places, using the wrong data to contact a member, or handing over confidential information to an attacker. Therefore, promoting the importance of staff wellbeing is a vital step in reducing cyber risk. 

 

A few things to consider when thinking about implementing remote working policies: 

Team training 

Once you have implemented your policies and guidance, you will need to make sure staff are kept up to date. This could include regular training courses to ensure they are fully aware of the latest best practices and how these align with your charity’s policies.

Data encryption 

Storing sensitive data in plain text can create huge security risks for your charity. A solution to this is encrypting your data, which protects it if an attacker gets hold of it. If you have an IT team, they will be able to help with this. If you do not have an in-house IT team, it may be worth speaking to a specialist for some specific advice. 

Do not store credit card information 

This may seem like a simple point, but you would be surprised by the number of people who still store financial information on their computers. Whether it is staff who do not want to keep troubling stakeholders for access to the credit card, or team members who are not familiar with cyber security best practices, tying this into your training is an extremely important step in mitigating cyber risk.  

Limit login attempts 

A common way for attackers to gain entry to your charity’s systems is via staff passwords. Limiting password login attempts (for example, three strikes and you need to speak to IT) can help you prevent attacks and keep your systems safe and secure.  

This may be frustrating for staff if they’re known for forgetting their passwords and locking themselves out, but implementing the password manager mentioned above should hopefully help maintain productivity as well as keep your charity’s systems safe. 
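The "three strikes, then speak to IT" rule above, as an added illustration that is not part of the original guide: a small account-lockout policy that counts failed logins per account, locks the account after three failures, and only unlocks when an administrator resets it. The `LockoutPolicy` class, the user name and the sequence of attempts are constructed for this example.

```python
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 3  # the "three strikes" threshold from the guidance


@dataclass
class LockoutPolicy:
    """Per-account failed-login counter with manual (IT) unlock.

    There is deliberately no timed auto-unlock: a locked account stays
    locked until an administrator resets it, matching the guidance.
    """
    failed: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)
    events: list = field(default_factory=list)  # audit trail for IT to review

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one login attempt and return 'ok', 'denied' or 'locked'."""
        if user in self.locked:
            # Do not evaluate the password at all while locked, so the
            # lockout cannot be used to learn whether a guess was right.
            self.events.append(f"{user}: attempt while locked")
            return "locked"
        if password_ok:
            self.failed[user] = 0  # a successful login resets the strike count
            return "ok"
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user)
            self.events.append(f"{user}: locked after {MAX_FAILED_ATTEMPTS} failures")
            return "locked"
        return "denied"

    def admin_unlock(self, user: str) -> None:
        """Called by IT after verifying the person; clears the lock and counter."""
        self.locked.discard(user)
        self.failed[user] = 0
        self.events.append(f"{user}: unlocked by IT")


def demo() -> list:
    """Constructed sample: two misses, a success, three misses, then IT unlock."""
    policy = LockoutPolicy()
    results = [policy.attempt("alice", ok) for ok in
               (False, False, True, False, False, False, True)]
    policy.admin_unlock("alice")
    results.append(policy.attempt("alice", True))
    return results
```

The `events` list is what IT would review: a burst of lockouts across many accounts is itself a signal worth escalating under the plan described below.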

Implement a suspicious activity escalation plan 

It is a good idea to have a process in place for when suspicious activity is observed. Depending on your charity’s structure, this could involve your dedicated IT technician being able to shut down access to servers immediately, or contacting the agency that manages your IT with an urgent request to follow the ‘kill switch’ protocol. 

You can read more about cyber security incident response in part three of CREST’s Cyber Security Incident Response Guide. 

Have a crisis management plan in place 

In the event that an attack does take place, having a crisis management plan and a team dedicated to dealing with the incident is a sensible idea. This could include outlining responsibilities for briefing IT, communicating with staff, communicating with members and customers, liaising with PR agencies, providing updates and so on. It should ideally provide guidance on every step of the crisis response from start to finish. 

Consider cyber insurance  

An additional step to help safeguard your charity from the implications of a cyber-attack is investing in cyber insurance. Cyber insurance covers loss of income, legal protection and compensation claims following a cyber-attack, plus social engineering or phishing attacks. These types of attacks are an increasing threat in the digital age and all types of organisations should take the threat seriously. 

 
