According to the 2021 Cyber Security Breaches Survey published by the Department for Digital, Culture, Media & Sport, more than a quarter of charities (26%) reported a cyber security breach or attack in the 12 months before the survey. Larger charities are more likely to be affected: 50% of high-income charities (annual income of £500k or more) and 68% of very high-income charities (over £5m) reported a breach within a 12-month period.
These statistics sit alongside reports of sharp, in some cases triple-digit percentage, increases in cyberattacks. With no slowdown in sight, it is more important than ever for organisations to make sure their systems are as well protected as they reasonably can be. For smaller charities and non-profits this can be a challenge in terms of both budget and training. However, there are simple steps that charities of all sizes can take to safeguard their data and protect confidential information relating to donors, trustees, and other stakeholders.
Below we have outlined some of the most important areas that charities need to consider when assessing their IT systems and security.
Ensure that you are securely backing up your data
Whatever the size of your organisation, you are likely to hold documents whose loss would bring your work to a halt: donor and volunteer details, governing and compliance documents, invoices and payment details. Back up regularly, keep copies somewhere other than the local machines the files live on, and keep at least one copy separate from your live systems (offline, or in storage that keeps earlier versions) so that ransomware which encrypts your files cannot encrypt the backup as well. Test a restore from time to time: a backup that has never been restored is an assumption, not a safeguard. Storing your critical files in the cloud is highly advisable, but you do need to take care when migrating to a cloud system.
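The restore test described above, as an added example that is not part of the original article or any help4IT tooling. It assumes the live data is a plain directory tree and the backup target is another directory (a real cloud or tape backup would replace the copy step); what it demonstrates is recording a SHA-256 manifest at backup time and checking the copy against it, including detecting a copy that has been corrupted or encrypted after the fact. The sample files are constructed inside the script.

```python
"""Backup with an integrity manifest and a restore check (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def backup(source: Path, target: Path) -> dict:
    """Copy source to target, write a manifest into the copy and return it.

    The manifest is taken from the live data, not from the copy, so a copy
    that was damaged in transit already fails verification.
    """
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(source, target)
    manifest = build_manifest(source)
    (target / "MANIFEST.sha256").write_text(
        "".join(f"{digest}  {rel}\n" for rel, digest in manifest.items())
    )
    return manifest


def verify_backup(target: Path, expected: dict) -> list:
    """Return the files that are missing from the copy or differ from the manifest."""
    actual = build_manifest(target)
    actual.pop("MANIFEST.sha256", None)  # the manifest itself is not backed-up data
    return [rel for rel, digest in expected.items() if actual.get(rel) != digest]


def demo() -> tuple:
    """Constructed sample: two files, back them up, then damage the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        store = Path(tmp) / "backup"
        (live / "donors").mkdir(parents=True)
        (live / "donors" / "list.csv").write_text("name,gift\nA. Donor,25\n")
        (live / "policy.txt").write_text("Safeguarding policy v3\n")

        manifest = backup(live, store)
        clean = verify_backup(store, manifest)  # expected: no problems

        # Simulate a backup copy that was corrupted or encrypted by ransomware.
        (store / "donors" / "list.csv").write_bytes(b"\x00garbage")
        damaged = verify_backup(store, manifest)  # expected: ['donors/list.csv']
        return clean, damaged


if __name__ == "__main__":
    ok, broken = demo()
    print("fresh backup problems:", ok)
    print("after corruption:", broken)
```

Keep the manifest somewhere the backup job cannot overwrite (for instance alongside the offline copy), otherwise an attacker who can encrypt the backup can rewrite the manifest to match.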
Take steps to protect your charity from malware
The WannaCry outbreak in 2017 is an example of malicious software, or ‘malware’ for short, that affected charities as well as businesses and other types of organisation. It spread between Windows machines through a flaw (MS17-010) for which Microsoft had already published a patch, which is why keeping systems updated matters as much as antivirus. To protect your charity against attacks like this, use antivirus on every computer, laptop or other device that connects to your server. Prevent trustees, volunteers, and staff from installing unapproved or suspicious apps on your organisation’s devices, and do not let them reach important data from personal devices that have not been security checked.
It is also very important to keep all your IT equipment and software up to date (patching) and to have controls in place for how USB drives and memory cards are used. Encourage staff to move data through your organisation’s cloud storage (or, for small files that are not sensitive, email) rather than memory sticks, which can be infected without the owner knowing.
Make sure any smartphones or tablets are safe for use by staff and volunteers
Many charitable organisations have staff and volunteers working “in the field”, where it is essential for them to reach the central server from a mobile device. It is therefore very important that these devices are configured properly and connect to your server in the most secure way possible. Essential steps on this front include: requiring a PIN, password or biometric lock on every device; making sure you can track, lock, and remotely wipe any device that is lost or stolen; checking and updating each device regularly, including the apps on it; and ensuring staff and volunteers do not connect to your server over unknown Wi-Fi hotspots.
Look at ways of using passwords to protect your data
The devices used by people within your charity will hold sensitive data such as the personal information of donors, supporters, trustees, volunteers, and staff members. This information must be available to the people who need it for their role, and to nobody else. Steps you can take on this front include: turning on multi-factor authentication for every important account, starting with email and anything that holds donor or payment data; banning predictable or easy-to-guess passwords and reuse of the same password across services; providing a password manager so that staff can use a different strong password for each account without having to remember them; granting access to file shares and systems according to the person’s role rather than to everyone; and changing the default password on every device and service before it is connected to your network.
Take steps to avoid phishing attacks
Phishing is where cybercriminals send messages to many targets (typically by email) asking for sensitive information such as bank details, or for a login to an online account. These messages often include a link to a website that imitates a well-known brand or institution, or an attachment that installs malware. Targeted variants aimed at a named finance officer or trustee are also common. Phishing attacks are becoming increasingly sophisticated, with their messages and websites looking near-identical to the brands they imitate; common tells are a link whose visible text names one site while it actually goes to another, and a web address that looks like the real one but contains a swapped character.
There are several things you can do to limit the impact of a phishing attack: configure accounts and devices so that each person can reach only the data their role needs, so that one stolen login exposes as little as possible; turn on multi-factor authentication, so that a stolen password alone is not enough; give staff and volunteers basic training in recognising a suspicious message and a place to report one; regularly review your systems for irregularities such as unexpected sign-ins or new mail-forwarding rules; and put mail filtering in place to quarantine suspicious inbound messages.
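A check for the two tells described above (visible link text that does not match the real destination, and a host that imitates a known brand through digit swaps, Cyrillic look-alikes or IDN punycode), as an added example that is not part of the original article or any help4IT tooling. It assumes links arrive as HTML anchors and that the charity keeps a short list of brands it expects mail from; that list, the sample message, and the confusable-character table are constructed placeholders, and no public-suffix list is consulted, so two-part suffixes such as co.uk are only approximated.

```python
"""Flag phishing-style links in an e-mail body (added example)."""
import re
import unicodedata
from typing import Optional
from urllib.parse import urlparse

# Constructed list of brands a charity might expect mail from.
KNOWN_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com",
                "justgiving": "justgiving.com"}

# Characters attackers swap in because they look like Latin letters (constructed subset).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c"})

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<\"']+", re.I)


def registrable_domain(host: str) -> str:
    """'login.paypal.com' -> 'paypal.com' (assumption: last two labels are enough)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_punycode(host: str) -> bool:
    """True if any label is an IDN (xn--) label, i.e. non-ASCII characters were used."""
    return any(label.startswith("xn--") for label in host.lower().split("."))


def fold_host(host: str) -> str:
    """Decode IDN, map confusables to Latin letters and strip punctuation so that
    'paypa1-secure' and a Cyrillic 'micrоsoft' both read as the brand they copy."""
    if is_punycode(host):
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    folded = host.lower().translate(CONFUSABLES)
    folded = unicodedata.normalize("NFKD", folded).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded)


def brand_lookalike(host: str) -> Optional[str]:
    """Brand the host imitates, or None if it is the genuine domain or unrelated."""
    if registrable_domain(host) in KNOWN_BRANDS.values():
        return None
    folded = fold_host(host)
    for brand in KNOWN_BRANDS:
        if brand in folded:
            return brand
    return None


def assess_links(html: str) -> list:
    """One finding per anchor: href, host and the reasons to be wary (empty if none)."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host = urlparse(href).hostname or ""
        reasons = []
        if is_punycode(host):
            reasons.append("punycode host")
        shown = URL_RE.search(text)  # does the visible text name a different site?
        if shown:
            shown_host = urlparse(shown.group(0)).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(host):
                reasons.append(f"text shows {shown_host} but links to {host}")
        brand = brand_lookalike(host)
        if brand:
            reasons.append(f"host imitates {brand}")
        findings.append({"href": href, "host": host, "reasons": reasons})
    return findings


# Constructed sample message. The third link uses a Cyrillic 'о' (U+043E) in place
# of the Latin letter, IDNA-encoded the way a mail client would send it.
IDN_HOST = "micr\u043esoft.com".encode("idna").decode("ascii")
SAMPLE_EMAIL = f"""
<p>Your donation receipt is ready.</p>
<a href="https://paypa1-secure.example.net/login">https://www.paypal.com/receipt</a>
<a href="https://www.justgiving.com/fundraising/page">View your page</a>
<a href="http://{IDN_HOST}/reset">Reset your Microsoft password</a>
"""

if __name__ == "__main__":
    for finding in assess_links(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if finding["reasons"] else "ok"
        print(status, finding["href"], "; ".join(finding["reasons"]))
```

In the sample, the first link is flagged twice (the text names paypal.com while the link goes elsewhere, and the host contains a digit-for-letter swap of the brand), the genuine JustGiving link passes, and the third is flagged for both the punycode host and the brand it imitates once decoded. A mail filter would apply the same logic to every inbound message; the list of brands and confusables needs to be far larger in practice.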
Get assistance assessing the IT infrastructure of your charity
Are you concerned about the IT setup or security of your charity’s systems and servers? The team at help4IT have many years of experience providing IT support for charities, non-profits, and NGOs. Read how we assisted Age UK and Meals on Wheels, or simply call us for an informal chat with one of our friendly IT consultants.