A common misconception among small charities is that cyber security is only really crucial for established businesses. In reality, cyber criminals are as likely, or more likely, to attack smaller organisations. This is because they’re generally perceived as easier targets.
In this article we explore why online security is crucial for your organisation and ways to improve your online safety.
Why is online security important for charities?
Charities collect a lot of data, from donation forms, research surveys, meeting records and mailing lists to audio/video recordings. This can include contact information or sensitive and personal information. The people concerned could be some of the most vulnerable, such as refugees exposed to risk, people experiencing homelessness or those escaping domestic violence.
Your organisation has a responsibility to protect the privacy, integrity, and safety of the people you have listed, including your donors and funders. Without proper protection, your data is not only open to cyber criminals, but also to government surveillance and corporate hacks. The more data you gather, the more it becomes a necessity to look after it correctly.
Potential threats to security:
Luckily, in the UK there are laws that regulate the privacy of data and allow for encryption. Nonetheless, it has been revealed on multiple occasions that Government intelligence is in action. Data is collected from around the world, either deliberately or indiscriminately, in the form of metadata. Governments actively monitor social media and can request and receive data related to specific people.
This is important to be aware of for organisations that deal with refugees, activists from countries with poor human rights records, or that are involved in political activities such as protests.
Corporate Information Collection
Corporate social services such as Google or Amazon collect data and metadata related to organisations. This may be for their own use or for sharing with third parties for targeted advertising.
Large businesses have, in the past, conducted surveillance on activists who had the potential to threaten their interests. For example, environmental activists have been surveilled by large oil and gas companies to monitor their activity.
Malware is short for malicious software and is designed to attack your PC for information. It comes in various forms, including spyware, viruses or worms; it encompasses any type of malicious code. The tricky thing about this is that new types of malware are created daily so your protection software needs to stay one step ahead.
When attacks occur, it’s because hostile or intrusive software is used to access your private information, including emails, websites, or social media accounts. These attacks can vary in size from data snooping to a large data breach. Worse yet, they can be carried out with the user being none the wiser, and it’s for this reason that sufficient protection is crucial.
Physical security threats are often overlooked, but they can be just as damaging if you aren’t careful.
A common example is leaving your computer’s password on a sticky note or written in a notepad by your desk. Anyone with physical access can instantly log in to your computer containing sensitive information.
Smaller charities that share office space or work remotely in public spaces should be especially vigilant. Though it is unlikely, being aware is one of those small precautions that can make a huge difference in ensuring data security, as it’s difficult to monitor people’s access at their workplace.
Security Measures for Nonprofits
Use password management tools
Setting up strong passwords wherever possible is a fundamental first step for ensuring your data is safe. We understand how painful it can be when websites ask you for capital letters, numbers, punctuation and pretty much everything else on the keyboard, but they are at least doing it for your own good. As a general rule, they are right. Passwords should be at least 10 characters long and should include upper and lowercase letters and numbers.
This can be overwhelming, but fortunately there is now a variety of password management programs. These allow you to have one password that grants you access to all your other password-protected applications. They all work slightly differently, but most set a complex password for each app, which you don’t need to remember, or even know.
Manage user access
Charities should definitely have a system in place which segregates users into roles and allocates access based on these roles. Example roles at some charities may include:
- Administrative staff
- Marketing and outreach
- Senior administrative staff
- Case workers
In such a scenario, case workers would need access to confidential client or case information that administrative and marketing staff wouldn’t need and shouldn’t have access to. Equally, senior administrative staff may require access to financial documents that others won’t need.
Your charity should set user roles that suit you best. You and your staff will know what they do and don’t need access to and the access can be managed and tailored over time with frequent reviewing to ensure relevance.
Google Apps, Microsoft’s Office 365 or other cloud productivity suites can set up these roles and grant specific access easily. They’re great offerings for many charities, especially since they’re free for charities.
Many charities unfortunately don’t properly utilise user privileges when using apps. Here are some tips to maintain control:
- Define user roles and permissions before you use your cloud suite
- Check who has access to your spreadsheets and documents, and which users can grant access to your files
- Remember to revoke access to old projects for staff members who have left and external contractors whose contribution is finished
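The tips above can be run as a periodic access review. The following is an added example, not part of the original article: the role names, document categories, staff roster and sharing export are all constructed, and it assumes that owners and editors are the users able to grant access to a file.

```python
# Added example: access review over a constructed sharing export.
# Assumed policy: which roles may see which category of document.
ALLOWED_ROLES = {
    "case_files": {"case_worker"},
    "finance": {"senior_admin"},
    "general": {"admin", "marketing", "senior_admin", "case_worker"},
}

# Constructed roster: email -> (role, still working for the charity?)
STAFF = {
    "amira@charity.example": ("case_worker", True),
    "ben@charity.example": ("marketing", True),
    "carol@charity.example": ("senior_admin", True),
    "dev@charity.example": ("admin", False),  # has left the charity
}

# Constructed sharing export: (document, category, email, permission)
GRANTS = [
    ("client-notes.xlsx", "case_files", "amira@charity.example", "edit"),
    ("client-notes.xlsx", "case_files", "ben@charity.example", "view"),
    ("budget-2024.xlsx", "finance", "carol@charity.example", "owner"),
    ("budget-2024.xlsx", "finance", "dev@charity.example", "edit"),
    ("newsletter.docx", "general", "ben@charity.example", "edit"),
    ("newsletter.docx", "general", "freelancer@agency.example", "edit"),
]

def review_access(grants, staff, allowed_roles):
    """Return (document, email, reason) for every grant that needs attention."""
    findings = []
    for doc, category, email, _permission in grants:
        role, active = staff.get(email.lower(), (None, False))
        if role is None:
            findings.append((doc, email, "not on staff roster (external or unknown)"))
        elif not active:
            findings.append((doc, email, "account belongs to a leaver"))
        elif role not in allowed_roles.get(category, set()):  # unknown category: deny
            findings.append((doc, email, f"role '{role}' not permitted for {category}"))
    return findings

def who_can_share(grants):
    """Map each document to the users assumed able to grant access (owner/edit)."""
    sharers = {}
    for doc, _category, email, permission in grants:
        if permission in ("owner", "edit"):
            sharers.setdefault(doc, []).append(email)
    return sharers

for finding in review_access(GRANTS, STAFF, ALLOWED_ROLES):
    print(*finding, sep=" | ")
```

Each finding is a grant to revoke or confirm with the document owner; external contractors appear as "not on staff roster" so they are reviewed every time rather than silently kept.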
Follow good computer practice
Good computer practice is also directly linked to good security. Your charity can keep employees and volunteers informed on good practice to help minimise the risk of threats as much as possible. Some examples of good practice include:
- Keep operating systems and applications updated – tt-exchange fortunately offer software assurance with lots of software to help with this
- Use antivirus, anti-malware, and firewall software – some popular examples are Bitdefender or Symantec
- Password protect your computer – this is even more crucial if you work in a shared office
- Use an email provider that offers Secure Sockets Layer – this keeps your information encrypted, which you can read more about here
- Don’t use any unknown USBs – these could potentially carry malware, so only use USBs given by someone you trust
- Be wary of phishing emails – reread links before clicking, as authentic websites will never ask for your personal information unless you ask them
- Avoid pirate copies – Steer clear of any unofficial copies of software, even if they seem like a good deal.
While mobile devices offer a lot of flexibility for staff, they’re also a source of sensitive information. This means they can be vulnerable to hacks, especially on unsecured public networks. You can improve your mobile devices’ security by:
- Updating the operating system of your mobile device
- Making frequent encrypted backups
- Using strong passwords or complex pattern codes
- Checking for permissions before allowing apps to access your device
- Disabling ad-tracking
- Using a secure VPN when connecting to public Wi-Fi networks
- Using encrypted messaging services such as Signal, Telegram, WhatsApp, Threema, etc.
Last but definitely not least: make sure you back up! Always keep at least two encrypted backups, with password-protected access, of all your databases and necessary documents.
Set yourself backup days and put them in the calendar so that they become routine. Look into what sort of hard drive you might need and which are the best ones. You may think the cheaper the better, but some are more prone to fail, so this is worth doing some research on. Here we have a list of some of the better ones to go for.
This article is based on one originally published by our US partners TechSoup here under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License.