Published by Scottish Council for Voluntary Organisations

TFN is published by the Scottish Council for Voluntary Organisations, Mansfield Traquair Centre, 15 Mansfield Place, Edinburgh, EH3 6BB. The Scottish Council for Voluntary Organisations (SCVO) is a Scottish Charitable Incorporated Organisation. Registration number SC003558.

Getting IT security right


Fraser Nicol examines what charities can do to protect against the threat of a cyber attack

Security breaches, malware threats, cyber-attacks and phishing. All terms that you might have heard being discussed on the news when a large, private organisation has had its IT systems hacked and is potentially being held to ransom; but have you seriously considered how such an attack might impact a charity? After all, considering the funds as well as personal, financial and commercial data that is held, it doesn’t matter to a hacker that you are working toward a purpose – there is still a significant value to the information that you have.

According to a survey commissioned by the Department for Culture, Media and Sport (DCMS) in 2017, cyber-security was a high priority among businesses. Indeed, of the 1,500 companies surveyed, most (67%) spent money on their cyber-security, with related budgets being higher among medium-sized firms (87%) and large firms (91%).

But for the charity sector, IT budgets can’t compete with their bigger business cousins. As a result, knowing where to begin to protect the business and who to speak with can be daunting.

There are, however, several quick, easy and inexpensive ways to protect a charity against the threat of a cyber-attack.

Back it up

Hopefully this is something already being done in case of fire or flood (with daily backups taking place); but nonetheless, it’s important to remember to have a backup of any essential data made and be clear on what data you class as important. This may include email, contact information, personnel data, financial records and donor details to name a few.

The backup should ideally be kept separate from the office computers, on either an external hard drive or even a USB stick. To keep things even more secure, it might be worth considering using the cloud to protect this vital data. Not only will it mean that the charity’s data is fully accessible, it will also mean that it is stored away from the office and benefits from a specific level of data security.

Beware malware

Malware (also known as malicious software) most often shows up as viruses on a computer system. To help to prevent malware attacks, it is vital to ensure that all computers have the latest anti-virus software installed (and switched on), and that staff are regularly applying the latest patches for the product of choice.

Another way to prevent such attacks is to educate staff about what apps/pieces of software can and cannot be downloaded onto a work computer, mobile or tablet. Recommend that they only download from a reputable app store, as these apps are checked and will provide systems with a certain level of protection from malware. If there is ever concern about staff or trustees downloading non-approved apps or apps that don’t support their role, then consider asking for an administrator approval prompt each time a specific piece of software is requested to be downloaded.

Mobiles are just as important

It’s not just office equipment that needs to be kept secure. Recent research by the University of the West of England found that 54% of commuters use train Wi-Fi during their commute to check and send work emails. While on initial inspection this may seem a clever use of otherwise ‘dead time’, there is no easy way to guarantee who controls that Wi-Fi hotspot (or way of knowing how secure it is). This could leave an awful lot of businesses and charities alike (who rely heavily on smartphones and tablets every day) open to someone accessing what employees are working on while using the hotspot – or even accessing the private login information that many apps maintain while the user is logged on.

The best precautions are either to connect to Wi-Fi hotspots only through a Virtual Private Network (VPN), or to connect to your email through your own 3G or 4G data service, which has built-in security and can be used to tether a mobile to a laptop to keep working. Alternatively, staff could prepare all the emails they want to send during their commute and only press send once they reach a trusted internet connection.

Protect passwords

Whether it’s on a mobile, laptop or system backup, passwords are important. Forget ‘Welcome1’ or ‘Password1234’ – it’s time for passwords to get a little bit more complex. The latest guidance from the National Cyber Security Centre is to select three random words and place them together. Think ‘BananaFishTriangle’ or ‘SilverPhoneTrigger’; if a hacker were to get into an organisation’s system and hit a password-protected area, a password like this would take days rather than seconds to crack.
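To put a rough number on the ‘days rather than seconds’ claim, here is an added illustration (not part of the original article) that estimates how many guesses an attacker would need for each style of password and how long that would take at an assumed guessing rate. Every figure in it is a constructed assumption: the guessing rate, the size of the ‘most common passwords’ list, the vocabulary the random words are drawn from, and the tiny sample common-password list.

```python
import re

# Constructed assumptions for illustration only; none of these figures come from the article.
GUESSES_PER_SECOND = 1_000_000_000  # assumed rate of an offline guessing attack on a stolen password hash
COMMON_LIST_SIZE = 10_000           # assumed length of the "most common passwords" list tried first
VOCABULARY_SIZE = 50_000            # assumed number of words an attacker's word list contains

# Constructed sample of a common-password list (real lists are far longer).
COMMON_PASSWORDS = {"password", "password1", "password1234", "welcome1", "123456", "qwerty"}

# One or more capitalised words, optionally followed by digits, e.g. "Summer2019" or "BananaFishTriangle".
WORDS_THEN_DIGITS = re.compile(r"^((?:[A-Z]?[a-z]+)+)(\d*)$")


def estimate(password):
    """Return (model, guesses): the guessing model a password fits and the size of that search.

    Models, applied in order:
      common  - the password is on the common-password list, so only that list needs searching;
      words   - capitalised dictionary words with optional trailing digits; the search is
                VOCABULARY_SIZE ** number_of_words * 10 ** number_of_digits, which is why
                three random words are so much stronger than one word plus a year;
      charset - anything else is treated as a brute-force search over the character classes used.
    """
    if password.lower() in COMMON_PASSWORDS:
        return "common", COMMON_LIST_SIZE

    match = WORDS_THEN_DIGITS.match(password)
    if match:
        letters, digits = match.groups()
        words = re.findall(r"[A-Z]?[a-z]+", letters)
        return "words", VOCABULARY_SIZE ** len(words) * 10 ** len(digits)

    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"\d", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII symbols
    return "charset", pool ** len(password)


def humanize(seconds):
    """Express a duration in the largest unit that fits, to one decimal place."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def time_to_exhaust(password):
    """Time to try every guess in the password's model at the assumed rate."""
    _, guesses = estimate(password)
    return humanize(guesses / GUESSES_PER_SECOND)


if __name__ == "__main__":
    for candidate in ("Password1234", "Welcome1", "Summer2019", "BananaFishTriangle", "SilverPhoneTrigger"):
        model, guesses = estimate(candidate)
        print(f"{candidate:20} {model:8} {guesses:>20,} guesses  ~{time_to_exhaust(candidate)}")
```

The point the figures make is the one the article makes: ‘Password1234’ and ‘Welcome1’ fall inside the common-password list and are found almost instantly, a single word plus a year is exhausted in well under a second, while three words drawn from a 50,000-word vocabulary take over a day even at a billion guesses per second. The assumed word list size is what drives the result, so the estimate is a lower bound on difficulty for an attacker with a smaller list and an overestimate for one with a larger list.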

But password overload can also be a problem – especially if the three random words approach is adopted. If need be, provide staff with the option to store their passwords somewhere they can be locked away where only specific people hold the key. Alternatively, consider the use of password managers which help individuals store and organise all the passwords they need to remember.

Avoid phishing attacks

Like traditional fishing, a phishing attack involves people trying to get something – but this time through sending an email that looks legitimate. For example, they could be asking for private information or the email could contain bad links to websites.

Ways to avoid such attacks could include downgrading specific staff or trustees in terms of the system access they hold. A lower ‘privilege’ access right would then mean that if they were the subject of a phishing attack, then the potential damage to the organisation would be reduced.

However, staff education can be just as important. Making staff aware of what constitutes a ‘normal’ email gives them the knowledge to question whether a request they receive is suspect or not. Encourage them to question any email or message they receive that is out of the ordinary, or to consider whether the language used in the email seems odd (e.g. obvious spelling or grammar issues). More often than not, if an email looks suspicious, it is.

While these basic steps provide a good start in the journey to ensure a charity is secure from attack, there is still more that can be done if it’s felt more advanced security is needed. There are lots of organisations who are happy to be approached to provide support – from business advisory organisations through to governmental agencies like the Information Commissioner’s Office or the National Cyber Security Centre. All can provide advice on further steps to take, all the way through to what kind of cloud to deploy. The important thing is not to wait until it’s too late… act now.

Fraser Nicol is a partner at business advice and accountancy firm Scott-Moncrieff