Cybersecurity for Small Charities

Slide 1

Cybersecurity

Hello and welcome to this recording from Support Cambridgeshire, a partnership of Cambridge CVS and Hunts Forum. This is one of several recordings we have developed to support small charities.

To accompany the recording, there are guidance links available at the end of the transcript, which will provide you with any materials or links we mention.

Slide 2

What we’ll cover:

This training uses resources and training developed and supplied with consent from the National Cyber Security Centre (NCSC) and the National Association for Voluntary Community Action (NAVCA).

During this short introduction, we will cover:

  • Awareness of the NCSC
  • Why cyber security is important
  • What you and your group should be aware of and looking out for when it comes to cyber attacks
  • Where you can access support and resources for you and your group for free

This on-demand training is aimed at individuals linked to community and voluntary groups and small charities; the goal is to encourage you to consider your cyber security position.

Slide 3

Awareness of the NCSC

Who are the National Cyber Security Centre?

The National Cyber Security Centre (NCSC) is formally part of GCHQ, one of the three main UK intelligence agencies. The NCSC’s mission is to help make the UK the safest place to live and work online. The NCSC provides key and up-to-date guidance for charities, which is free to use. Its website is a one-stop shop for any of your cyber questions, and you can contact the NCSC via its enquiries page. There is also a helpful Charity Digital article, An A-Z glossary of cybersecurity terms and definitions, linked at the end of this transcript.

Slide 4

What is a cyberattack?

A cyber attack is any malicious attempt to damage, disrupt or gain unauthorised access to computer systems, IT networks or devices (such as laptops, phones and tablets), specifically without your knowledge and permission.

Recent cyber attacks have made news headlines: in June 2024 the NHS was attacked, and several GP surgeries and hospitals were affected, causing serious disruption. The British Library was also the victim of a cyber attack in October 2023.

Slide 5

What is Cybersecurity?

Conversely, cyber security is the set of actions you take to protect your systems and devices from such an attack. By protecting your systems sufficiently, you stand a significantly stronger chance of keeping your systems and your charity safe from an attack. Just as the internet is a fundamental part of keeping your charity running and accessible to all, so is your cyber security.

Slide 6

Why are Charities and groups at risk?

Charities hold funds (often electronically) and personal, financial and commercial data that is of interest to individuals and often of monetary value to a criminal. This data is often sensitive, valuable and vulnerable to attack. Think about how your supporters would feel if their data were taken from your systems.

The impact of a cyber attack can range from lost data, to your operations stopping temporarily or permanently, to the costs of a breach or lost revenue (including the time taken to recover), and finally to damage to the reputation of your charity.

A Cumbria-based community charity, the Millom Network Centre, which supports local people with its food pantry, second-hand furniture sales and educational programmes, lost all of its charitable funds in May 2024 when it fell victim to fraud. Scammers emptied its entire bank account. Before the bank agreed to refund the charity, it faced the very real fear of closure.

Slide 7

Who could attack a charity?

Cyber criminals might attack a charity, and the attack can be either untargeted or targeted. Either way, it is almost always for financial gain. There is no information to say charities are specifically targeted over other sectors. However, we know criminals scan the internet for organisations that have weak security defences.

Think of an opportunistic burglar walking down the street looking for properties with open windows. The burglar, like the cyber criminal, won’t care whether those windows belong to a small or a large charity. It’s not just ransomware: criminals can steal money through other routes, such as pretending to be a supplier and asking for urgent payment of an invoice.

Nation states: there is currently no evidence of nation states targeting the charity sector, but it is possible to be caught up in an untargeted attack by a nation state.

Lastly, the insider threat. By that I mean a member of staff, volunteer or trustee working in the charity. The overwhelming majority of cyber incidents caused by insiders are accidental. However, they can still have a significant impact on the operation of the charity. It’s really important for charities not to foster a culture of blame for accidental ‘insider’ cyber incidents. It is so easy to make a mistake, whether it’s clicking on a suspicious link or opening an attachment which could unleash a virus. The important thing is that staff feel they can report without fear of repercussions. That way IT can be up and running quicker and data recovered faster.

But there is also a chance that an insider threat is deliberate: perhaps a member of staff is disgruntled, or a trustee feels they have been ignored.

All these threats, whether targeted or untargeted, accidental or deliberate, can be mitigated by using some key cyber security approaches.

Slide 8

How are charities being attacked?

Ransomware is a type of malware that makes data or systems unusable until the victim makes a payment. Typically, the data is encrypted, but it may also be deleted or stolen, or the computer itself may be made inaccessible. Following the initial ransomware attack, those responsible will usually send a ransom note demanding payment to recover the data. Law enforcement does not encourage, endorse or condone the payment of ransom demands. If you pay, there is no guarantee that you will get access to your data or computer. Ransomware attacks can have a devastating impact on organisations, with victims spending significant amounts of time and money to reinstate critical services. Often skills need to be bought in from elsewhere, and replacing or upgrading expensive IT equipment is also often required.

The British Library and NHS cyber attacks I referred to earlier were ransomware attacks.

Malware is malicious software that is designed to interfere with a computer’s normal functioning and that can be used to obtain information and commit cybercrimes.

Phishing is where untargeted, mass emails are sent to many people asking for sensitive information (such as bank details) or encouraging them to visit a fake website. Most of us have heard about not opening suspicious-looking attachments or web links, but these attacks do still regularly happen. Criminal groups will use charity branding or logos to make the emails look more legitimate; these can be obtained from websites or a simple Google search.

There are a couple of examples on the slide. In May 2024, Companies House sent out an email warning of scam letters claiming to be from Companies House; the letters claimed that the recipient needed to make a payment for Enhanced Web Filing Access.

In June 2024 we at CCVS posted on LinkedIn that we had been made aware by Cambridge City Council of a fraudulent message, aimed at Homes for Ukraine visa holders, that was circulating online. The message falsely claimed to be from the Home Office and requested personal data.

Slide 9

What can you do to protect your charity?

What can you do to protect your data?

We will look at each area in a little more detail.

  1. Back up your data
  2. Protect against malware
  3. Keep devices secure
  4. Create strong passwords
  5. Defend against phishing

Slide 10

What can you do to protect your charity?

1. Back up your data

Backing up your data is the vital first step in your cyber security strategy. You must ensure not only that your charity takes regular backups of important data, but also that you test they can be restored. This will reduce the inconvenience of any data loss from theft, fire, other physical damage or ransomware.

Identify what needs to be backed up. Usually, this includes documents, emails, contacts, legal information, calendars, financial records and supporter or beneficiary databases.

Ensure the device containing your backup is not permanently connected to your network, either physically or over a local network.

Consider backing up to the cloud. This means your data is stored in a separate location (away from your offices and devices), and you’ll also be able to access it quickly, from anywhere. A link to cloud security guidance from the NCSC is on the slide.

Slide 11

What can you do to protect your charity?

2. Protect against malware

Protecting your charity against malware (which is malicious software, including viruses) doesn’t have to be pricey or complicated. I have listed a few low-cost and simple options on the slide:

  • Use antivirus software on all computers and laptops. Only install approved software on tablets and smartphones, and prevent users from downloading third-party apps from unknown sources.
  • Patch all software and firmware by promptly applying the latest software updates provided by manufacturers and vendors. Use ‘automatically update’ options where available.
  • Control access to removable media such as SD cards and USB sticks. Consider disabling ports, or limiting access to sanctioned media. Encourage staff to transfer files via email or cloud storage instead.
  • Switch on your firewall (included with most operating systems) to create a buffer zone between your network and the Internet.

There is a link on the slide to smartphone and device security guidance from the NCSC.

Slide 12

What can you do to protect your charity?

3. Keep Devices secure

Smartphones and tablets (which are used outside the safety of the office and home) need even more protection than ‘desktop’ equipment.

  • Switch on PIN/password protection or fingerprint and face recognition for mobile devices.
  • Configure devices so that when lost or stolen they can be tracked, remotely wiped or remotely locked.
  • Keep your devices (and all installed apps) up to date, using the ‘automatically update’ option if available.
  • When sending sensitive data, don’t connect to public Wi-Fi hotspots; use 3G or 4G connections (including tethering and wireless dongles) or use a VPN.
  • Replace devices that are no longer supported by manufacturers with up-to-date alternatives.

There is a link on the slide to an NCSC blog post about mobile device management software.

Slide 13

What can you do to protect your charity?

4. Creating strong passwords

Passwords, when implemented correctly, are a free, easy and effective way to prevent unauthorised people from accessing your devices and data.

  • Make sure all laptops, Macs and PCs use encryption products that require a password to boot. Switch on password/PIN protection or fingerprint and face recognition for mobile devices.
  • Use two-factor authentication (2FA) for important websites like banking and email if you are given the option. Two-factor authentication requires a password plus one other form of protection, such as a fingerprint, face recognition, PIN or text message.
  • Avoid using predictable passwords (such as family and pet names). Avoid the most common passwords that criminals can guess (like passw0rd).
  • Do not enforce regular password changes: they only need to be changed when you suspect a compromise.
  • Change the manufacturers’ default passwords that devices are issued with, before they are distributed to staff.
  • Provide secure storage so staff can write down passwords and keep them safe (but not with the device). Ensure staff can reset their own passwords easily.
  • Consider using a password manager. If you do use one, make sure that the ‘master’ password (which provides access to all your other passwords) is a strong one.

Links to further information and resources from the NCSC are on the slide.

Slide 14

What can you do to protect your charity?

5. Defend against phishing

Phishing attacks are when scammers send fake emails asking for sensitive information (such as bank details), or containing links to malicious websites that the emails encourage you to click on. To defend your charity against phishing attacks you can:

  • Ensure staff don’t browse the web or check emails from an account with Administrator privileges. This will reduce the impact of successful phishing attacks.
  • Scan for malware and change passwords as soon as possible if you suspect a successful attack has occurred. Don’t punish staff if they get caught out (it discourages people from reporting in the future).
  • Check for obvious signs of phishing, like poor spelling and grammar, or low-quality versions of recognisable logos. Does the sender’s email address look legitimate, or is it trying to mimic someone you know? This is challenging, as phishing emails are increasingly sophisticated.

The link on the slide is to the NCSC’s 5 top tips for avoiding phishing attacks.

Slide 15

What to do if you are a victim of a cyber attack?

Despite your best efforts, cyber attacks can happen. If you think your charity has been the victim of a cyber attack (an online fraud, scam or extortion), you should report this through the Action Fraud website; there is a link on the slide.

There are also certain incidents that you are legally obliged to report to the Information Commissioner’s Office (ICO), regardless of whether your IT is outsourced. This includes a personal data breach under the GDPR or the Data Protection Act.

You will also have to report it as a serious incident to the Charity Commission, through the Charity Commission (England and Wales) website.

Reporting incidents will demonstrate that you have taken responsible action to identify problems within your charity. It also helps the Commission to gauge threats that may affect the wider sector and to take steps to address these with targeted advice and guidance.

If you are not sure whether you have been attacked, or need further advice, you can contact NCSC enquiries.

Slide 16

NCSC Resources

The NCSC has produced a number of tools called the Active Cyber Defence (ACD) tools. These are offered for free to organisations across certain sectors, including charities. There are three tools worth looking into for your charity: Mail Check, Web Check and Early Warning.

Slide 17

NCSC Resources and guidance

The NCSC also has a lot of free resources, including guides, support and advice. On the slide are a few resources that are useful to smaller charities in particular.

  • Small charity guide
  • Infographics: these are useful if your team has any specific questions or wants to learn more. They are available on the NCSC website and can be downloaded and printed.
  • E-learning courses: this includes “top tips for staff”. The training can be completed online or downloaded and built into your own training platform. It takes less than 30 minutes to complete and is deliberately non-technical. This training is aimed at small organisations in general, so some of the terminology is not specific to charities, but it is a useful resource for colleagues who would like some basic cyber skills.

Slide 18

The Future

Technology is constantly developing at an ever-increasing pace, with policy, legislation and security furiously trying to play catch-up. Plans for future legislation have again been amended with a new Labour Government elected in July 2024.

AI briefly appears on the agenda, but the focus appears to be on data protection matters and privacy rights.

We plan to update this training transcript with any relevant updates.

The link is to the Data Protection Network article from July 2024, which discusses possible changes in legislation with the new Labour Government.

Slide 19

Here to help

We hope that this training has been of assistance in increasing your awareness of what cyber security is, who the National Cyber Security Centre are, and how you can protect yourself and your charity from possible cyber attacks. Please do reach out to us directly with any further support needs, and do check out our website for further training resources.

Guidance and support links:

www.supportcambridgeshire.org.uk

To contact CCVS

enquiries@cambridgecvs.org.uk

To contact Hunts Forum

info@huntsforum.org.uk

National Cyber Security Centre (NCSC) https://www.ncsc.gov.uk/

National Association for Voluntary Community Action (NAVCA) https://www.navca.org.uk/

Action Fraud Website https://www.actionfraud.police.uk/reporting-fraud-and-cyber-crime

Information Commissioner’s Office (ICO) https://ico.org.uk/for-organisations/report-a-breach/

Charity Commission – reporting a serious incident (RSI) https://www.gov.uk/guidance/how-to-report-a-serious-incident-in-your-charity

NCSC resource links

NCSC general enquiries https://www.ncsc.gov.uk/section/about-this-website/contact-us

NCSC Small Charity Guide https://www.ncsc.gov.uk/collection/charity

NCSC infographic cybersecurity small charity guide https://www.ncsc.gov.uk/files/Cyber%20Security%20Small%20Charity%20Infographic.pdf

NCSC E-courses for small organisations https://www.ncsc.gov.uk/training/cyber-security-for-small-organisations-scorm-v3/scormcontent/index.html#/

NCSC Active Cyber Defence tools or ACD:

  1. Mail Check – https://www.ncsc.gov.uk/information/mailcheck
  2. Web Check – https://www.ncsc.gov.uk/information/web-check
  3. Early Warning – https://www.ncsc.gov.uk/information/early-warning-service

NCSC Infographics https://www.ncsc.gov.uk/information/infographics-ncsc

NCSC Cyber Security eLearning training https://www.ncsc.gov.uk/blog-post/ncsc-cyber-security-training-for-staff-now-available

NCSC guidance links

NCSC cloud security guidance https://www.ncsc.gov.uk/collection/cloud

NCSC Smartphone and device security guidance https://www.ncsc.gov.uk/collection/device-security-guidance

NCSC blog post: Which Mobile Device Management software is the best? https://www.ncsc.gov.uk/blog-post/ncsc-it-mdm-products-which-one-best-1

NCSC Actionable advice https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/use-a-strong-and-separate-password-for-email

NCSC Three Random Words passwords https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0

NCSC password managers https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0

NCSC avoiding phishing attacks https://www.ncsc.gov.uk/collection/small-business-guide/avoiding-phishing-attacks

Links to articles:

Charity Digital: An A-Z glossary of cybersecurity terms and definitions  https://charitydigital.org.uk/topics/an-a-z-glossary-of-cyber-security-terms-and-definitions-11473

British Library Blog Post March 2024 Lessons from the cyber attack https://blogs.bl.uk/living-knowledge/2024/03/learning-lessons-from-the-cyber-attack.html

Guardian Article June 2024 Cyber-attack on London Hospitals https://www.theguardian.com/society/article/2024/jun/11/cyber-attack-on-london-hospitals-to-take-many-months-to-resolve

BBC News article May 2024 Scammers emptied charity’s account https://www.bbc.co.uk/news/articles/cn40vrpz2v2o

Gov.UK: Reporting scams pretending to be from Companies House https://www.gov.uk/guidance/reporting-scams-pretending-to-be-from-companies-house?utm_content=&utm_medium=email&utm_name=&utm_source=govdelivery&utm_term=

CCVS LinkedIn post, June 2024: Cambridge City Council warning about fraudulent messages aimed at Homes for Ukraine visa holders https://www.linkedin.com/posts/cambridge-council-for-voluntary-service_welcome-to-govuk-activity-7209137701105582080-hElO/

Data Protection Network, July 2024: Labour’s plans for data protection, cyber security and AI https://dpnetwork.org.uk/labours-plans-data-protection-cyber-security-ai/?utm_source=Data+Protection+Network&utm_campaign=91f7d54770-EMAIL_CAMPAIGN_2023_08_28_04_14_COPY_01&utm_medium=email&utm_term=0_-7337095521-%5BLIST_EMAIL_ID%5D