Cyber Security Guide - Actions
Cybersecurity is a fancy word for doing some simple things to make sure your digital infrastructure is protected from theft, disruption and damage.
It is the digital equivalent of locking your doors and windows – and it isn’t really any more complicated than that.
NICVA’s cybersecurity guide is designed as a one-stop shop for your basic cybersecurity needs. We want this to be comprehensive, accessible and concise.
By following the tips on this page, you can make your organisation’s cybersecurity robust.
However, for anyone who wants more information and a greater level of detail, the National Cyber Security Centre (NCSC) has a fantastic series of resources aimed at charities of different sizes. Our guide will signpost users to these resources at various points, in case anyone reading this guide wants explanations that are longer and contain more detail.
Every organisation, large or small, holds information it cannot do without. This could include: membership lists, supplier details, payment details, emergency contacts and the like. Without them, before long you would not be able to operate.
That’s why you need to take regular backups of important data, making sure that you can restore them.
This will ensure you can still function following flood, fire, physical damage or theft. Also, if you have backups of your data that you can quickly recover, you can't be blackmailed by ransomware attacks. This is when someone takes remote control of your devices or systems and makes a demand for cash or other reward in return for handing back control (i.e. literally holding you to ransom).
Here are five simple steps to protect yourself:
1. Identify what you need to back up. This is the information that your business couldn't function without. Normally this will comprise documents, photos, emails, contacts, and calendars, most of which are kept in just a few common folders on your computer, phone, tablet or network.
2. Keep your backup separate from your computer. It needs to be on a USB stick, a separate drive, a separate computer or on the cloud (or on a combination of these – having more than one backup, if feasible, will only make you more secure). It should not be accessible by staff or permanently connected (either physically or over a local network) to the device holding the original copy. This is important because ransomware (and other malware) can often move to attached storage automatically, which means any such backup could also be infected, leaving you with no backup to recover from.
Better still, consider storing your backups in a different location so fire or theft won't result in you losing both copies. Cloud storage solutions (see below) are a cost-effective and efficient way of achieving this.
3. Consider the cloud. You've probably already used cloud storage during your work and personal life without even knowing - unless you're running your own email server, your emails are already stored 'in the cloud'. Using cloud storage (where a service provider stores your data on its infrastructure) means it is separate from your location.
Service providers can supply your organisation with data storage and web services without you needing to invest in expensive hardware up front. Most providers offer a limited amount of storage space for free, and larger storage capacity for minimal costs.
4. Cloud security guidance. Larger organisations may wish to study the NCSC’s Cloud Security Guidance before contacting service providers. This guidance will help you decide what to look for when evaluating their services, and what they can offer.
5. Making backups an everyday routine. The majority of network or cloud storage solutions now allow you to make backups automatically, for instance whenever new files of a certain type are saved to specified folders. Using automated backups saves time, and ensures that you have the latest version of your files should you need them. Many off-the-shelf backup solutions are easy to set up, and are affordable considering the business-critical protection they offer. When choosing a solution, you'll also have to consider how much data you need to back up, and how quickly you need to be able to access the data following any incident.
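The steps above come down to three checks: know which folders you are backing up, prove the copy can actually be restored, and know when the copy has fallen behind the live data. The script below is an added example (not part of the NICVA guide or any product it mentions) that does exactly that with a tar archive and a SHA-256 manifest; the folder names and file contents are constructed sample data.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in chunks so large documents never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(folders) -> dict:
    """Map 'folder/relative/path' to the SHA-256 of every file underneath."""
    manifest = {}
    for folder in map(Path, folders):
        for item in sorted(folder.rglob("*")):
            if item.is_file():
                key = (Path(folder.name) / item.relative_to(folder)).as_posix()
                manifest[key] = sha256_file(item)
    return manifest


def create_backup(folders, archive_path: Path) -> dict:
    """Archive the chosen folders; return the manifest taken at backup time.
    Store the manifest with the off-site copy, not on the source machine."""
    manifest = build_manifest(folders)
    with tarfile.open(archive_path, "w:gz") as tar:
        for folder in map(Path, folders):
            tar.add(str(folder), arcname=folder.name)
    return manifest


def verify_restore(archive_path: Path, manifest: dict):
    """Restore into a scratch directory and check every file against the
    manifest. Returns (ok, problems); a backup that fails this is no backup."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            # Newer Pythons provide a 'data' filter that rejects archive entries
            # escaping the target directory; use it when available.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **opts)
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"content differs after restore: {rel}")
    return (not problems, problems)


def changed_since_backup(folders, manifest: dict) -> list:
    """Files new or modified since the manifest was taken: if this is not empty,
    the backup no longer holds the latest version of your data."""
    current = build_manifest(folders)
    return sorted(rel for rel, h in current.items() if manifest.get(rel) != h)


def demo() -> dict:
    """Constructed sample: two small folders backed up, restore-tested, then one
    file edited afterwards to show the staleness check."""
    with tempfile.TemporaryDirectory() as root:
        docs, contacts = Path(root, "documents"), Path(root, "contacts")
        (docs / "grants").mkdir(parents=True)
        (docs / "grants" / "application.txt").write_text("grant application draft\n")
        contacts.mkdir()
        (contacts / "members.csv").write_text("name,email\nA Person,a@example.org\n")
        archive = Path(root, "weekly-backup.tar.gz")
        manifest = create_backup([docs, contacts], archive)
        ok, problems = verify_restore(archive, manifest)
        # The membership list is edited after the backup ran.
        (contacts / "members.csv").write_text("name,email\nB Person,b@example.org\n")
        stale = changed_since_backup([docs, contacts], manifest)
    return {"files_backed_up": len(manifest), "restore_ok": ok,
            "restore_problems": problems, "stale_files": stale}


if __name__ == "__main__":
    print(demo())
```

Run the restore check against the copy kept off-site, not the one on the machine that made it, so that a ransomware infection on the source cannot make both look healthy.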
Malware is malicious computer software designed to steal your data or money, disrupt or block programmes or apps, or cause damage to you in some other way.
Examples include viruses, trojan horses and spyware. You want to avoid all malware. Making yourself more secure is not complicated, but it is essential.
Five simple actions to take right now:
1. Install and turn on anti-virus software. Antivirus software - which is often included for free within popular operating systems - should be used on all computers and laptops.
For your office equipment, you can pretty much click 'enable', and you're instantly safer. Smartphones and tablets might require a different approach. The NCSC provides full details here.
2. Prevent staff from downloading dodgy apps. Staff should only download apps for mobile phones and tablets from manufacturer-approved stores (like Google Play or Apple App Store). These apps are checked to provide a certain level of protection from malware that might cause harm. You should prevent staff from downloading third party apps from unknown vendors/sources, as these will not have been checked.
In addition, staff accounts should only have enough access required to perform their role, with extra permissions (i.e. for administrators) only given to those who need it. When administrative accounts are created, they should only be used for that specific task, with standard user accounts used for general work.
3. Keep all IT equipment up to date. For all your IT equipment (tablets, smartphones, laptops and PCs), make sure that the software and firmware is always kept up to date with the latest versions from software developers, hardware suppliers and vendors.
Applying these updates (a process known as patching) is one of the most important things you can do to improve security. Operating systems, programmes, phones and apps should all be set to 'automatically update' wherever this is an option.
At some point, these updates will no longer be available (as the product reaches the end of its supported life), at which point you should consider replacing it with a modern alternative. For more information on applying updates, refer to the NCSC's guidance on Vulnerability Management.
4. Control how USB drives (and memory cards) should be used. USB drives or memory cards are often used to transfer files between organisations and people. However, it only takes a single cavalier user to inadvertently plug in an infected stick (such as a USB drive containing malware) to devastate the whole organisation.
When drives and cards are shared, it becomes hard to track what they contain, where they've been, and who has used them. You can reduce the likelihood of infection by:
- blocking access to physical ports for most users
- using antivirus tools
- only allowing approved drives and cards to be used within your organisation - and nowhere else
Make any directives part of your company policy to prevent your organisation being exposed to unnecessary risks. You can also ask staff to transfer files using alternative means (such as by email or cloud storage), rather than via USB.
5. Switch on your firewall. Firewalls create a buffer zone between your own network and external networks (such as the Internet). Most popular operating systems now include a firewall, so it may simply be a case of switching this on. For more detailed information on using firewalls, refer to the Network Security section of the NCSC's 10 Steps to Cyber Security.
Everyone knows what passwords are. We’ve all used them hundreds if not thousands of times. It is likely that most people will be familiar with the idea of a “strong” password, i.e. that is not too short, or common, or guessable.
Having a good system of passwords for your organisation involves using strong passwords, as well as a few other straightforward actions that will instantly make your organisation more secure:
Five important tips:
1. Make sure password protection is switched on. Set a screenlock password, PIN, or other authentication method (such as fingerprint or face unlock). For the latest advice on setting passwords please see this. If you’re mostly using fingerprint or face unlock, you’ll be entering a password less often, so consider setting up a long password that’s difficult to guess. The “three random words” method is recommended.
Please note password protection is not just for smartphones and tablets. Make sure that your office equipment (both laptops and PCs) all use an encryption product (such as BitLocker for Windows) using a Trusted Platform Module (TPM) with a PIN, or FileVault (on macOS) in order to start up. Most modern devices have encryption built in, but encryption may still need to be turned on and configured, so check you have set it up.
2. Use two factor authentication where available. If you’re given the option to use two-factor authentication (also known as 2FA) for any of your accounts, you should use it - it adds a large amount of security for not much extra effort. 2FA requires two different methods to 'prove' your identity before you can use a service, generally a password plus one other method. This could be a code that's sent to your smartphone (or a code that's generated from a bank's card reader) that you must enter in addition to your password.
3. Avoid using predictable passwords. If you are in charge of IT policies within your organisation, make sure staff are given actionable information on setting passwords that is easy for them to understand.
Passwords should be easy to remember, but hard for somebody else to guess. A good rule is 'make sure that somebody who knows you well, couldn't guess your password in 20 attempts'. Staff should also avoid using the most common passwords, which criminals can easily guess. The NCSC has some useful advice on how to choose a non-predictable password.
Remember that your IT systems should not require staff to share accounts or passwords to get their job done. Make sure that every user has personal access to the right systems, and that the level of access given is always the lowest needed to do their job, whilst minimising unnecessary exposure to systems they don't need access to.
4. Dealing with password overload. If you're in charge of how passwords are used in your organisation, there are a number of things you can do that will improve security. Most importantly, your staff will have dozens of non-work related passwords to remember as well, so only enforce password access to a service if you really need to.
Where you do use passwords to access a service, do not enforce regular password changes. Passwords really only need to be changed when you suspect a compromise of the login credentials.
You should also provide secure storage so staff can write down passwords for important accounts (such as email and banking), and keep them safe (but not with the device itself). Staff will forget passwords, so make sure they can reset their own passwords easily.
Consider using password managers, which are tools that can create and store passwords for you that you access via a 'master' password. Since the master password is protecting all of your other passwords, make sure it’s a strong one, for example by using three random words.
5. Change all default passwords. One of the most common mistakes is not changing the manufacturers' default passwords that smartphones, laptops, and other types of equipment are issued with. Change all default passwords before devices are distributed to staff. You should also regularly check devices (and software) specifically to detect unchanged default passwords.
Mobile technology is now essential to how we work, with more of our data being stored on tablets and smartphones.
These devices are now as powerful as traditional computers and, because they often leave the safety of the office (and home), they need even more protection than 'desktop' equipment.
Five steps to take:
1. Make sure password protection is turned on. See the previous section for devising passwords. Many devices now include fingerprint recognition to lock your device, without the need for a password. However, these features are not always enabled 'out of the box', so you should always check they have been switched on.
2. Make sure devices can be tracked, locked or wiped. Staff are more likely to have their tablets or phones stolen (or lose them) when they are away from the office or home.
Fortunately, the majority of devices include free web-based tools that are invaluable should you lose your device. You can use them to: track the location of a device; remotely lock access to the device (to prevent anyone else using it); remotely erase the data stored on the device; retrieve a backup of data stored on the device.
Setting up these tools on all your organisation's devices can be done through mobile device management software. They even allow you to set up your devices to a standard configuration with a single click.
3. Keep your device up to date. Phones and tablets should be kept up to date at all times. All manufacturers (for example Windows, Android, iOS) release regular updates that contain critical security updates to keep the device protected. This process is quick, easy, and free; devices should be set to automatically update, where possible.
Make sure your staff know how important these updates are, and explain how to do it, if necessary. At some point, these updates will no longer be available (as the device reaches the end of its supported life), at which point you should consider replacing it with a modern alternative.
4. Keep your apps up to date. All the applications that you have installed should also be updated regularly with patches from the software developers. These updates will not only add new features, but they will also patch any security holes that have been discovered. Make sure staff know when updates are ready, how to install them, and that it's important to do so straight away.
5. Don’t connect to unknown Wi-Fi hotspots. When you use public Wi-Fi hotspots (for example in hotels or coffee shops), there is no way to easily find out who controls the hotspot, or to prove that it belongs to who you think it does. If you connect to these hotspots, somebody else could access what you're working on whilst connected, or your private login details that many apps and web services maintain whilst you're logged on.
The simplest precaution is not to connect to the Internet using unknown hotspots, and instead use your 3G or 4G mobile network, which will have built-in security. This means you can also use 'tethering' (where your other devices such as laptops share your 3G/4G connection), or a wireless 'dongle' provided by your mobile network.
You can also use Virtual Private Networks (VPNs), a technique that encrypts your data before it is sent across the Internet. If you're using third party VPNs, you'll need the technical ability to configure them yourself, and should only use VPNs provided by reputable service providers.
In a typical phishing attack, scammers send fake emails to thousands of people, asking for sensitive information (such as bank details), or containing links to bad websites. They might try to trick you into sending money, steal your details to sell on, or they may have political or ideological motives for accessing your organisation's information.
Phishing emails are getting harder to spot, and some will still get past even the most observant users. Whatever your business, however big or small it is, you will receive phishing attacks at some point. This section contains some easy steps to help you identify the most common phishing attacks, but be aware that there is a limit to what you can expect your users to do.
Configure accounts to reduce the impact of attacks. You should configure your staff accounts in advance using the principle of 'least privilege'. This means giving staff the lowest level of user rights required to perform their jobs, so if they are the victim of a phishing attack, the potential damage is reduced. To further reduce the damage that can be done by malware or loss of login details, ensure that your staff don’t browse the web or check emails from an account with Administrator privileges.
An Administrator account is a user account that allows you to make changes that will affect other users. Administrators can change security settings, install software and hardware, and access all files on the computer. So an attacker having unauthorised access to an Administrator account can be far more damaging than accessing a standard user account.
Use two-factor authentication (2FA) on your important accounts such as email. This means that even if an attacker knows your passwords, they still won’t be able to access that account.
Think about how you operate. Consider ways that someone might target your organisation, and make sure your staff all understand normal ways of working (especially regarding interaction with other organisations), so that they're better equipped to spot requests that are out of the ordinary.
Common tricks include sending an invoice for a service that you haven't used, so when the attachment is opened, malware is automatically installed (without your knowledge) on your computer. Another is to trick staff into transferring money or information by sending emails that look authentic.
Think about your usual working practices and how you can help make these tricks less likely to succeed. For example:
- Do staff know what to do with unusual requests, and where to get help?
- Ask yourself whether someone impersonating an important individual (a customer or manager) via email should be challenged (or have their identity verified another way) before action is taken.
- Do you understand your regular business relationships? Scammers will often send phishing emails from large organisations (such as banks) in the hope that some of the email recipients will have a connection to that company. If you get an email from an organisation you don't do business with, treat it with suspicion.
- Think about how you can encourage and support your staff to question suspicious or just unusual requests – even if they appear to be from important individuals. Having the confidence to ask ‘is this genuine?’ can be the difference between staying safe, or a costly mishap.
You might also consider looking at how your outgoing communications appear to suppliers and customers. For example, do you send unsolicited emails asking for money or passwords? Will your emails get mistaken for phishing emails, or leave people vulnerable to an attack that's been designed to look like an email from you? Consider telling your suppliers or customers of what they should look out for (such as 'we will never ask for your password', or 'our bank details will not change at any point').
Check for obvious signs of phishing. Expecting your staff to identify and delete all phishing emails is an impossible request and would have a massive detrimental effect on business productivity. However, many phishing emails still fit the mould of a traditional attack, so look for the following warning signs:
- Many phishing scams originate overseas and often the spelling, grammar and punctuation are poor. Others will try and create official-looking emails by including logos and graphics. Is the design (and quality) what you'd expect from a large organisation?
- Is it addressed to you by name, or does it refer to 'valued customer', or 'friend', or 'colleague'? This can be a sign that the sender does not actually know you, and that it is part of a phishing scam.
- Does the email contain a veiled threat that asks you to act urgently? Be suspicious of words like 'send these details within 24 hours' or 'you have been a victim of crime, click here immediately'.
- Look out for emails that appear to come from a high-ranking person within your organisation, requesting a payment is made to a particular bank account. Look at the sender's name. Does it sound legitimate, or is it trying to mimic someone you know?
- If it sounds too good to be true, it probably is. It's most unlikely that someone will want to give you money, or give you access to some secret part of the Internet.
Email filtering services attempt to send phishing emails to spam/junk folders. However, the rules determining this filtering need to be fine-tuned for your organisation's needs. If these rules are too open and suspicious emails are not sent to spam/junk folders, then users will have to manage a large number of emails, adding to their workload and leaving open the possibility of a click. However, if your rules are too strict, some legitimate emails could get lost. You may have to change the rules over time to ensure the best compromise.
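The warning signs listed above, and the filtering trade-off just described, can be turned into a small scoring rule set. The script below is an added example (not part of the NICVA guide, nor of any filtering product) that parses a raw email, scores it against those signs, and quarantines it above a threshold you can tighten or loosen; the domain, staff names and both messages are constructed sample data.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample configuration (assumptions, not from the guide): your own
# domain, staff names a fraudster might copy, and organisations you deal with.
OUR_DOMAIN = "example-charity.org"
STAFF_DISPLAY_NAMES = {"jane smith", "tom brown"}
KNOWN_DOMAINS = {OUR_DOMAIN, "trusted-funder.org"}

# Warning signs from the guide as simple patterns: (pattern, weight, reason).
TEXT_RULES = [
    (re.compile(r"^\s*(?:dear|hi|hello)\s+(?:valued customer|customer|friend|colleague|user)\b",
                re.I | re.M), 1, "generic greeting rather than your name"),
    (re.compile(r"\b(?:within 24 hours|immediately|urgent(?:ly)?|act now|click here)\b",
                re.I), 1, "pressure to act urgently"),
    (re.compile(r"\b(?:you have won|prize|lottery|inheritance|free money)\b",
                re.I), 2, "offer that is too good to be true"),
]
PAYMENT = re.compile(r"\b(?:bank (?:account|details)|transfer|payment|invoice|iban|sort code)\b", re.I)


def _body_text(msg) -> str:
    """Plain-text content of a parsed message, whether multipart or not."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(part.get_payload() for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def score_email(raw: str):
    """Score one raw message against the warning signs; returns (score, reasons)."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    score, reasons = 0, []
    for pattern, weight, reason in TEXT_RULES:
        if pattern.search(text):
            score += weight
            reasons.append(reason)
    # A colleague's name on the display line, but the mail came from outside.
    if display_name.strip().lower() in STAFF_DISPLAY_NAMES and domain != OUR_DOMAIN:
        score += 3
        reasons.append(f"'{display_name}' sent from external domain {domain}")
    # Payment or bank-details requests only count when they come from outside.
    if PAYMENT.search(text) and domain != OUR_DOMAIN:
        score += 2
        reasons.append("payment or bank-details request from outside the organisation")
    if domain not in KNOWN_DOMAINS:
        score += 1
        reasons.append(f"sender domain '{domain}' is not one we deal with")
    return score, reasons


def classify(raw: str, threshold: int = 3) -> str:
    """'quarantine' or 'deliver'. A lower threshold is stricter (more genuine
    mail held back); a higher one lets more through for staff to judge."""
    return "quarantine" if score_email(raw)[0] >= threshold else "deliver"


# Constructed sample messages, not real mail.
CEO_FRAUD = """From: "Jane Smith" <jane.smith@freemail-example.com>
Subject: Urgent payment

Hi colleague,
I need you to transfer 4800 to a new supplier bank account within 24 hours.
Jane
"""

GENUINE_INTERNAL = """From: "Tom Brown" <tom.brown@example-charity.org>
Subject: Printer invoice for approval

Hi Sarah,
The printer's invoice is attached for you to approve.
Tom
"""

if __name__ == "__main__":
    for sample in (CEO_FRAUD, GENUINE_INTERNAL):
        print(classify(sample), score_email(sample))
```

The reasons list is what staff should see alongside a held message, so they learn the signs rather than just losing mail to a junk folder.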
Report all attacks. Make sure that your staff are encouraged to ask for help if they think that they might have been a victim of phishing, especially if they've not raised it before. It’s important to take steps to scan for malware and change passwords as soon as possible if you suspect a successful attack has occurred.
Do not punish staff if they get caught out. It discourages people from reporting in future, and can make them so fearful that they spend excessive time and energy scrutinising every single email they receive. Both these things cause more harm to your business in the long run.
If you believe that your organisation has been the victim of online fraud, scams or extortion, you should report this through the Action Fraud website. Action Fraud is the UK’s national fraud and cyber crime reporting centre.
Check your digital footprint. Attackers use publicly available information about your organisation and staff to make their phishing messages more convincing. This is often gleaned from your website and social media accounts (information known as a 'digital footprint').
- Understand the impact of information shared on your organisation's website and social media pages. What do visitors to your website need to know, and what detail is unnecessary (but could be useful for attackers)?
- Be aware of what your partners, contractors and suppliers give away about your organisation online.
- Help your staff understand how sharing their personal information can affect them and your organisation. This is not about expecting people to remove all traces of themselves from the Internet. Instead support them as they manage their digital footprint, shaping their profile so that it works for them and the organisation. Organisations could consider including a statement of the importance of digital footprint management in key policies such as communications, social media and the wider induction process for new staff members.
- CPNI’s Digital Footprint Campaign contains a range of useful materials (including posters and booklets) to help organisations work with employees to minimise online security risks.
Putting it into action. The National Cyber Security Centre has pulled together a list of actions to take. It is designed for small businesses but is equally applicable to those in the voluntary sector.
If you or someone else is in immediate danger or risk of harm dial 999 now.
If you believe that you or your charity has been the victim of online fraud, scams or extortion you should report this through the Action Fraud website. You should also report it as a serious incident to the Charity Commission. Guidance on serious incident reporting to the Charity Commission can be found here.
You can report fraud or cybercrime to Action Fraud any time of the day or night using the online reporting tool. The tool will guide you through simple questions to identify what has happened and advisors are available twenty four hours for help and advice.
When reporting online you will be given the option to register, login to an existing account or continue as a guest.
By registering you will be able to:
- Save and resume a partially completed report
- Track progress of your report
- Add information to your report
- Call to discuss your report
- Receive an update by email
Incidents can also be reported by phone on 0300 123 2040 Monday to Friday 8am - 8pm.
Reporting a live cyber attack 24/7
Charities suffering a live cyber attack should call 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.
Reporting a cybersecurity incident
When you suffer a cyber-attack, or a related cybersecurity incident, you might need to report it to the Information Commissioner's office (ICO). Under the new General Data Protection Regulation (GDPR) rules, from the 25th May 2018 it is mandatory that you also report data breaches to the ICO within 72 hours.
For information on what to do, see how and when to report a cybersecurity incident to the ICO.
Phishing: Action Fraud also has a useful guide as to what to do if you are suspicious of an email you have received, or otherwise believe you have been the subject of attempted phishing, here.
So, you’ve followed all the tips above and your organisation is cybersecure. What now?
Cybersecurity, like any type of security, is an ongoing concern. You will need to weave certain bits of good practice into your day-to-day operations, and also carry out more detailed oversight on a periodic basis. That is the key to maintaining your cybersecurity.
The good news is that this doesn’t have to be difficult or a major burden.
The day-to-day business involves little more than the steps already described above. Back up your data regularly. Always update apps and other software (if you only use software from reputable sources, these updates should be reputable too). Make sure your anti-virus software and similar protections are always up to date.
Any time someone leaves your organisation, think about how this impacts your cybersecurity. No-one who isn’t one of your current staff or volunteers should have access to any of your digital operations, just like they shouldn’t keep a front door key after they move on.
Ideally, your staff will all have their own accounts with their own passwords for all their digital business. In this case, it is simply a matter of deactivating their account.
However, if more than one person has access to a shared account – such as a login and password for an email account – then that password needs to be changed every time someone leaves the organisation. If the person leaving also knows the security questions associated with an account (which can be used to gain access without knowledge of the password) then those questions will have to be changed too.
When it comes to periodic, more-detailed reviews, the starting point is building cybersecurity into your governance. It should be an agenda item for your board, and evaluating the performance of senior staff and the organisation as a whole should include an appraisal of how well cybersecurity is being maintained.
One good way to update your cybersecurity is to go through all the tips in this guide once more. This should involve much less work than it did the first time, because the fundamentals of your cybersecurity should be pretty good.
It is important to note, however, that digital technology is moving fast and in the foreseeable future threats that don’t exist right now could – and probably will – be of some concern. Guides like this one, and the resources offered by the NCSC, should be updated regularly to cover this off.
For now, the best way to reinforce your cybersecurity is to look at section three of this guide, which contains supplementary actions that will not only improve your cybersecurity in the short- and long-term, but will also allow you to capitalise on the measures you have taken by making your organisation more attractive to funders, who are going to care more and more about cybersecurity in the future.
Access section three here. [LINK]