Non-profit organisations need to understand how to tackle cyber security. They hold a lot of valuable data, which makes them attractive targets for attackers. Many security solutions can help protect them, but non-profits often suffer from budgetary constraints and a lack of security knowledge.
GOV.UK found that a quarter of UK charities had a breach or attack in 2019. Another report, conducted by the NCSC, found varying levels of awareness amongst charities: while some are aware of the value of their data, the UK body concluded that “Many, particularly smaller charities, do not realise the value and do not perceive themselves as targets”.
There are a few key points charities should consider to ensure they’re on the right track with their security.
Do you have security foundations?
Charities might not have the funds to invest in security solutions, but many of them are cost effective.
All charities should make sure they have a strong firewall. The firewall should support data loss prevention (DLP) and intrusion detection/prevention (IDS/IPS), while still allowing VPN connections for remote workers.
Non-profits should also make use of an email security solution. In a recent survey, 81% of charities said they had experienced fraudulent emails within the year. Blocking most phishing and impersonation attacks before they arrive, and warning employees about suspicious emails, greatly reduces the risk of a successful attack. A good email security solution will also block inappropriate websites linked in emails and prevent domain spoofing.
How strong is your internal security culture?
Most employees and volunteers are aware of cybersecurity threats, but would they know how to spot a potential attack? According to a UK government survey, just 38% of charities report on cybersecurity and monitor threats. With volunteers often out in the field, it can be difficult to keep threats front of mind.
Training, combined with a strong password policy, can help charity workers stay vigilant about the risks. A password policy should include frequent mandatory changes, multi-factor authentication, and strict password requirements. Volunteers and employees should know what makes a good password, and should also receive regular training on how to react to a malware attack and how to spot phishing attempts.
Have you run a cybersecurity risk assessment?
It can be worthwhile to run a risk assessment or penetration test to understand the key areas that require protection and to identify investment priorities. Though there may be an initial cost involved in running a test or assessment, identifying weak areas and then protecting them is a huge step in the right direction.