Act now to plug digital capability gaps

John Fitzgerald, digital evolution manager for the Scottish Council for Voluntary Organisations (SCVO), has some top tips for charities to enhance their cyber security capabilities. 

5 October 2022

The growing use of digital technology, combined with the huge shift to life online and remote working, means charities increasingly need to ensure their IT capabilities are up to scratch.

Naturally, that includes putting strong security measures in place to protect organisations from the ever-growing risks of data theft and fraud at the hands of increasingly sophisticated cyber criminals.  

We are all too aware that familiar fraudster techniques such as CEO impersonation, invoice fraud, phishing, and tricking people into downloading harmful illegal software (malware) can inflict serious financial and reputational damage on any organisation. 

Today, ransomware attacks are the key issue for charities, with cyber criminals using subterfuge and software to ‘hijack’ critical data and demand money to ‘release’ it back. Around a quarter of charities suffered a ransomware attack in 2020, according to the Office of National Statistics.

Fortunately, as John Fitzgerald at SCVO points out, there are some relatively easy steps that charities can take to make themselves more ‘cyber fit’. 

Look to the cloud

One key action John recommends charities start pursuing immediately – if they are not doing so already – is switching from conventional ‘in-house’ IT systems to ‘cloud-based’ digital work platforms, like Google Workspace and Microsoft Office 365.

These are easy to use and come with effective integrated security and back-up features, along with useful desktop and mobile tools and applications that make it safe to share and collaborate on documents and other work without setting up costly and complex VPN or remote desktop systems.

Cloud platforms are good for charities working from multiple locations and those that support remote working, and they offer considerably more control over individual access to documents and data.

These services are available for a relatively affordable regular subscription fee, with minimal integration costs compared to the often hefty upfront outlay required for ‘on-location’ systems that are more vulnerable to physical damage from flood, fire and water.

John says it also pays to check over your systems to identify, assess and address the security risks of any temporary ‘digital duct tape’ fixes that might have been made to IT systems just to keep things working during the heat of the pandemic, particularly in relation to data collection and storage.

Seven ways to beat cyber crime 

Aside from cloud solutions, John has seven top tips for charities looking to improve their cyber capabilities through some relatively quick wins. 

- Enable two-factor authentication for all log-ins, across the whole organisation. This is one of the most important steps to take and should be applied to access to all email accounts, applications, software, IT systems, data storage, work platforms, financial systems and documents – on both mobiles and desktops. This can bring about a significant step change in your security. 

- Make sure your people install app and software updates as soon as they become available. This is one of the best ways to protect against new or emerging security weaknesses and viruses. Ideally, appoint a person or a team to be specifically responsible for keeping on top of the latest updates, sending out reminders and ensuring they’re implemented.

- Create secure back-ups of all digital systems, files, documents and data. John says it’s surprising how many organisations don’t do this properly. Specifically, backups should never be directly connected to your main systems and always be fully encrypted and given the best possible digital protection.  

- If using a cloud-based system or migrating to one, create strong processes around user access and controls to strictly manage who can access what, and where from. Smaller charities might be tempted to fix IT issues locally by giving a number of people admin access to their systems, but this significantly increases security vulnerability. 

- Improve personal device management. Where staff or volunteers are working on personal computers, phones or tablets, ensure they can only access data through apps the charity controls and that allow you to remotely delete any data held if necessary. 

- Create a paper record of key contact details for your IT providers or IT security specialist, and ensure the right people know where to find them. Storing such information in digital form only has proved disastrous in practice for organisations hit by server failures, major cyber attacks or power outages.

- Ensure all your data is encrypted – always.

Getting help 

While it’s good to go for quick wins, from a long-term, strategic perspective John says it’s important to carry out an assessment of cyber strengths and weaknesses to establish a baseline and then do this on an ongoing basis to measure progress. 

SCVO offers a free, 20-minute digital check-up service that will give charities in Scotland, England and Wales a holistic view of their cyber capabilities and includes a free follow-up consultation.

The Small Charity Guide from the National Cyber Security Centre (NCSC) is a good starting point for organisations wanting to start developing their cyber security in more depth. 

Charities can also sign up for the Government’s Cyber Essentials programme, which offers an online self-assessment for identifying capability gaps and action required to achieve certification for the UK’s IASME Cyber Assurance Standard. 

John’s final piece of advice is that, when recommendations are made to boost your cyber security, be sure to act on them swiftly.