Cyber Security & The Third Sector

As the third sector has shifted to an increasingly digital approach due to Covid, and more charities accept online donations, the sector has unfortunately become an increasingly attractive target for cyber criminals. The Cyber Security Breaches Survey revealed that in the last year alone, 26% of charities experienced some form of cyber attack. Worryingly, that’s just over 1 in 4 charities, and the numbers are rising. Whilst cyber criminals mainly target larger charities, smaller charities aren’t immune from a cyber attack, and many actually pose as easier targets. With the shift to digital kickstarted by Covid, and with the general direction of travel involving some form of digital approach, it is now more important than ever to ensure you are taking steps to protect yourself. We have compiled some brief actions that you and your staff can take to ensure you don’t fall victim, and have also linked below a very helpful guide from the National Cyber Security Centre on what else you can do to prevent a cyber attack.

Steps you and your team can take to prevent cyber crime:

  1. Protect your data:
  • Avoid sharing personally identifiable information like your username or password.
  • Report suspicious emails or ransomware to TSA Support immediately.
  2. Beware of phishing & SPAM:
  • Avoid pop-ups, unknown emails, and links, as they may result in a security breach. This also includes opening or previewing files from emails you aren’t certain are safe. Cyber attacks not only come from links but can infect your systems from PDFs, Word documents and many other forms of documentation which you download or preview.
  • Never enter personal or company information in response to an email, pop-up webpage, or any other form of communication you didn’t initiate.
  • If unsure about the legitimacy of an email or other communication, contact TSA Support, who will assist.
  • Is that email addressed to you by name, or does it refer to ‘valued customer’, ‘friend’, or ‘colleague’? This can be a sign that the sender does not actually know you, and that it is part of a phishing scam.
  • Does the email contain a veiled threat that asks you to act urgently? Be suspicious of words like ‘send these details within 24 hours’ or ‘you have been a victim of crime, click here immediately’.
  • Look out for emails that appear to come from a high-ranking person within your organisation, requesting that a payment is made to a particular bank account. Look at the sender’s name. Does it sound legitimate, or is it trying to mimic someone you know?
  • If it sounds too good to be true, it probably is. It’s most unlikely that someone will want to give you money, or give you access to some secret part of the Internet.
  • Many phishing scams originate overseas, and often the spelling, grammar and punctuation are poor. Others will try to create official-looking emails by including logos and graphics. Is the design (and quality) what you’d expect from a large organisation?
  3. Use strong password protection and authentication:
  • Ensure you have complex passwords with 10+ characters which include numbers, symbols, and capital and lowercase letters.
  • You should change your logon passwords on a regular basis via CTRL + ALT + DEL.
  4. Threat and Virus Scanning:
  • Every workstation within your business will have virus checking software (Malwarebytes, Panda, Bitdefender or other) which gives you real-time protection against threats as they emerge. However, you should perform a manual scan once a week to ensure virus definitions are up to date and that your workstation is fully protected.
  5. Keeping your smartphones (and tablets) safe:
  • A suitably complex PIN or password (as opposed to a simple one that can be easily guessed or gleaned from your social media profiles) will prevent the average criminal from accessing your phone. Many devices now include fingerprint recognition to lock your device, without the need for a password. However, these features are not always enabled ‘out of the box’, so you should always check they have been switched on.
  • No matter what phones or tablets your organisation is using, it is important that they are kept up to date at all times. All platforms (for example Windows, Android, iOS) release regular updates that contain critical security fixes to keep the device protected. This process is quick, easy, and free; devices should be set to update automatically where possible. Make sure your staff know how important these updates are, and explain how to do it if necessary. At some point these updates will no longer be available (as the device reaches the end of its supported life), at which point you should consider replacing it with a modern alternative.
  • Just like the operating systems on your organisation’s devices, all the applications that you have installed should also be updated regularly with patches from the software developers. These updates will not only add new features, but will also patch any security holes that have been discovered. Make sure staff know when updates are ready, how to install them, and that it’s important to do so straight away.
  • When you use public Wi-Fi hotspots (for example in hotels or coffee shops), there is no way to easily find out who controls the hotspot, or to prove that it belongs to who you think it does. If you connect to these hotspots, somebody else could access your data.
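The phishing warning signs in step 2 (generic greeting, not addressed by name, urgency, a payment request, a display name that mimics someone you know) and the password rule in step 3 (10+ characters with numbers, symbols, capitals and lowercase) can be turned into simple automated checks. The following Python script is an added illustration of that, not code from TSA, the NCSC or this guide; the two sample emails, the `KNOWN_SENDERS` list, the phrase lists and all function names are constructed for the example.

```python
import re

# Phrase lists drawn from the warning signs described in the guidance above.
GENERIC_GREETINGS = ("valued customer", "dear customer", "dear friend", "dear colleague")
URGENCY_PHRASES = ("within 24 hours", "immediately", "urgent", "act now", "suspended")
PAYMENT_PHRASES = ("bank account", "payment", "transfer", "pay")


def _name_key(display_name):
    """Reduce a display name to letters only so 'Jane Smith (CEO)' and
    'Jane Smith CEO' compare equal when checking for look-alike senders."""
    return re.sub(r"[^a-z]", "", display_name.lower())


# Constructed directory of people the organisation knows and the address each
# is expected to send from (example data, not a real charity's staff list).
KNOWN_SENDERS = {
    _name_key("Jane Smith (CEO)"): "jane.smith@charity-example.org",
}

# Two constructed messages: one legitimate, one showing the classic signs.
SAMPLE_EMAILS = [
    {
        "from_name": "Jane Smith (CEO)",
        "from_addr": "jane.smith@charity-example.org",
        "to_name": "Alex",
        "body": "Hi Alex, could you review the attached minutes before Thursday? Thanks, Jane",
    },
    {
        "from_name": "Jane Smith CEO",
        "from_addr": "ceo.urgent@mail-example.net",
        "to_name": "Alex",
        "body": ("Dear valued customer, you must send these details within 24 hours "
                 "or your account will be suspended. Click here immediately to pay."),
    },
]


def _contains_any(text, phrases):
    """Whole-word match of any phrase in text (so 'pay' does not match 'payroll')."""
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)


def phishing_indicators(msg, known_senders=KNOWN_SENDERS):
    """Return the list of warning signs present in msg (empty means none found).

    These are heuristics to prompt a closer look, not proof that a message is
    malicious; a legitimate urgent request will trigger some of them too.
    """
    body = msg["body"].lower()
    found = []
    if _contains_any(body, GENERIC_GREETINGS):
        found.append("generic greeting")
    if msg["to_name"].lower() not in body:
        found.append("not addressed by name")
    if _contains_any(body, URGENCY_PHRASES):
        found.append("urgency or threat")
    if _contains_any(body, PAYMENT_PHRASES):
        found.append("payment request")
    # A display name matching someone we know, arriving from an address that
    # person does not use, is the 'mimics someone you know' sign.
    expected = known_senders.get(_name_key(msg["from_name"]))
    if expected and expected.lower() != msg["from_addr"].lower():
        found.append("display name mimics a known sender")
    return found


def password_policy_gaps(password):
    """Return the requirements from step 3 that the password does not meet."""
    checks = [
        ("at least 10 characters", len(password) >= 10),
        ("a number", any(c.isdigit() for c in password)),
        ("a symbol", any(not c.isalnum() and not c.isspace() for c in password)),
        ("an upper-case letter", any(c.isupper() for c in password)),
        ("a lower-case letter", any(c.islower() for c in password)),
    ]
    return [name for name, ok in checks if not ok]


if __name__ == "__main__":
    for i, email in enumerate(SAMPLE_EMAILS):
        print(f"email {i}: {phishing_indicators(email) or 'no warning signs'}")
    for pw in ("Tr0ub4dor&3x", "password", "CHARITY2024!"):
        print(f"{pw!r} missing: {password_policy_gaps(pw) or 'nothing'}")
```

The sender check only works for people listed in `KNOWN_SENDERS`, so the list has to be kept current; and because the phrase matching is deliberately simple, a flagged message still needs a human (or TSA Support) to make the final call.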

Like businesses, charities are increasingly reliant on IT and technology and are falling victim to a range of malicious cyber activity. As the Charity Sector Threat Assessment illustrates, losing access to this technology, having funds stolen or suffering a data breach through a cyber attack can be devastating, both financially and reputationally.

You can read and download the National Cyber Security Centre’s full guide here.