The idea of cyber security can seem daunting. From the horror stories of system hacks and ransom demands, to having to implement what seems like fiendishly technical prevention measures, it can appear overwhelming. This is particularly so when lack of time, resources and experience are also factors. But actually, cyber security can be done DIY following basic rules, and on the cheap. Here is how.
The important steps make a big difference
Multi Factor Authentication
Apply Multi Factor Authentication (MFA) widely, as an extra step for logging into websites and service platforms. The most common format of MFA is a one-time code sent to a phone by text message or generated by an authenticator app. An app (or a physical security key) is preferable to text messages, which can be intercepted or redirected by a SIM swap, but any MFA is far better than none. It is one of the simplest and most effective ways to protect an IT system.
Check that MFA is enabled on email accounts such as Microsoft 365 and Gmail, on admin accounts and on finance systems. Try to make it mandatory for staff and trustees rather than leaving it optional: an account that has MFA available but not switched on is still protected only by its password.
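For a charity on Microsoft 365, the quickest way to find accounts with no MFA is the authentication methods registration report. The script below is an added example, not part of the original article. It assumes the Microsoft Graph PowerShell SDK is installed (Install-Module Microsoft.Graph), that you sign in with an account holding at least the Global Reader role, and that your tenant exposes the registration report (it is a Microsoft Entra reporting feature; older or very small tenants may need to enable it).

```powershell
# Added example (not from the original article): list Microsoft 365 accounts that
# have not registered any MFA method, so you know who to chase first.
# Assumptions: Microsoft.Graph module installed; signed-in user is Global Reader or
# Global Admin; the tenant exposes the authentication methods registration report.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# One record per user. IsMfaRegistered says whether at least one MFA method exists;
# it does NOT say whether MFA is actually required at sign-in (see note below).
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Accounts with no MFA method, admins first because they are the highest-value targets.
$noMfa = @($details |
    Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable,
        @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ',' } })

$noMfa | Format-Table -AutoSize

# Keep a dated copy so progress can be shown at the next trustee meeting.
$report = "mfa-gaps-{0:yyyy-MM-dd}.csv" -f (Get-Date)
$noMfa | Export-Csv -Path $report -NoTypeInformation
Write-Host ("{0} of {1} accounts have no MFA method registered (saved to {2})" -f `
    $noMfa.Count, @($details).Count, $report)
```

A registered method is not the same as an enforced one: registration only shows the user has set something up. To make MFA mandatory for everyone at no extra cost, turn on Security Defaults in the Microsoft Entra admin centre (Identity, Overview, Properties, Manage security defaults); tenants with Entra ID P1 licences can use Conditional Access instead for finer control.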
Issue simple phishing awareness reminders
Regularly distribute short internal messages, or run simple briefings for staff, to make them aware of and remind them about the realities of phishing. Specific subjects should include:
- Not clicking unexpected links or attachments
- Checking sender addresses carefully, not just the display name
- Being cautious with urgent payment requests or requests to change bank details, and confirming them by phone on a number already known, not one given in the email
- Always asking IT or a colleague if in doubt about an email's provenance
Back up data
Many charities assume their data is backed up, but never check to confirm it. It is important to do so.
What to check is backed up:
- Files (SharePoint, OneDrive, servers)
- Financial systems
- CRM/donor databases
Check how often backups run, where the copies are stored (ideally at least one copy kept separate from the live systems and the office network, so that ransomware or a stolen laptop cannot take the backup with it), and, at least occasionally, that a file can actually be restored from them. A backup that has never been restored is an assumption, not a safeguard.
Lock down access to IT systems
This applies particularly to individuals about to leave an organisation, including volunteers.
Charities often have a high turnover of staff, whether paid or unpaid, plus shared access to systems, so old accounts and shared passwords accumulate unless someone checks.
- Review who has access to:
  - Email accounts
  - Shared files
  - Finance or CRM systems
- Remove access for:
  - Former staff
  - Former volunteers
- Avoid shared logins where possible
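On Microsoft 365 the leaver steps above can be done in one go. The script below is an added example, not part of the original article; it assumes the Microsoft Graph PowerShell SDK is installed, that you sign in as a Global Admin, and that the leaver addresses in $leavers (constructed for illustration) are replaced with real ones. Run it against a single test account first.

```powershell
# Added example (not from the original article): off-board leavers in Microsoft 365.
# Assumptions: Microsoft.Graph module installed; signed-in user is a Global Admin;
# $leavers is a constructed list for illustration only.
Connect-MgGraph -Scopes "User.ReadWrite.All", "GroupMember.ReadWrite.All"

$leavers = @("former.volunteer@example.org", "former.staff@example.org")  # constructed

foreach ($upn in $leavers) {
    $user = Get-MgUser -UserId $upn -Property Id, DisplayName, AccountEnabled -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "No account found for $upn"; continue }

    # 1. Block sign-in. From now on the password no longer works anywhere.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false

    # 2. Revoke existing sessions. Disabling alone leaves tokens already on the
    #    leaver's phone or laptop valid until they expire (up to several hours).
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # 3. Remove group memberships, since groups are what grant access to shared
    #    files, Teams and mailboxes. Some groups (dynamic, or Exchange-managed)
    #    refuse removal here; those are left for a manual check.
    $groups = @(Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
    $removed = 0
    foreach ($g in $groups) {
        try {
            Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction Stop
            $removed++
        } catch {
            Write-Warning ("Could not remove {0} from group {1}: {2}" -f $upn, $g.Id, $_.Exception.Message)
        }
    }

    Write-Host ("Disabled {0} ({1}); removed from {2} of {3} groups" -f `
        $user.DisplayName, $upn, $removed, $groups.Count)
}
```

Disabling rather than deleting keeps the mailbox and OneDrive available for handover and for any legal retention period; delete the account only once that is done. Shared logins to finance or CRM systems that sit outside Microsoft 365 are not covered by this: their passwords must be changed by hand whenever someone who knew them leaves, which is the main reason to avoid shared logins in the first place.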
Create an emergency plan
Create a simple one page contingency plan. It should include:
- Who to contact internally
- Who leads the response
- Key actions – reset passwords, inform bank, notify IT support service if there is one.
External reporting: Serious incidents may need to be reported to the Charity Commission. Data breaches involving personal data may also need reporting to the ICO, and where that applies the deadline is 72 hours from becoming aware of the breach, so the plan should say who decides and who makes the report.
By undertaking the processes described, VCFSEs will be far better protected against the common, opportunistic attacks that cause most incidents. It is helpful to be aware that most problems arise from the exploitation of simple weaknesses that can be readily fixed for little or no cost.
By undertaking a few key tasks it is possible to reduce risk significantly, protect important data, maintain trust with donors, beneficiaries and other third parties, and keep services running.
As ever, if you would like any advice then please contact me at [email protected] , or call me on 01473 345321