A common misconception among small non-profit organisations is that cyber risk is primarily a problem for established businesses or corporations in the for-profit sector. Contrary to this belief, last year 1 in 5 charities was the victim of a cyber attack.
“Whether your turnover is £500 or £500,000, the criminal does not care; any profit is pure profit to cyber criminals,” advises Dr Danny Steed, Head of Strategy at ReSolve Cyber. In addition to funds, the type of data that charities collect and store, including personal, financial and commercial information, makes them a highly attractive target. Here are 3 simple and cost-effective steps you can take to protect your charity:
1. Never reuse your passwords
The Bible Society, a reputable charity which translates and distributes the Bible around the world, was fined £100,000 by the Information Commissioner’s Office after a security breach left data from over 400,000 of its supporters exposed to hackers. How did this happen? Simply enough: through an automated trial-and-error process, the hackers were able to guess the charity’s network password. To minimise the risk of attackers infiltrating your system, avoid using weak passwords (common combinations such as “QWERTY” or “12345” and one-word passwords can be hacked in seconds) and never reuse the same password for different accounts.
2. Keep your software up to date
Make sure that any devices your staff and volunteers use are regularly updated to the latest software version available. This is crucial because manufacturers periodically release updates that fix security vulnerabilities, so attackers habitually target older versions, which are easier to exploit. Similarly, ensure that all your devices have anti-virus software installed and that it is kept up to date.
3. Train your staff to recognise phishing emails
Phishing is the most common form of cyber attack experienced by charities. Sophisticated fraudulent emails can bypass standard countermeasures such as anti-spam filters or anti-malware software. The best way to stop an attack from succeeding is to train staff to identify the less obvious signs of phishing, regularly test their ability to spot inauthentic sources and conduct further awareness sessions where required.