Superhighways runs a monthly free one-hour introduction to Cyber Security session designed for all staff, volunteers and trustees at small community charities and community groups. Education of the users of your IT systems is one of the most important ways of improving your organisation's security. If you would like to attend one of these sessions, visit our website training page.
So that more people can access the content, we've summarised the course below. We've also created a Microsoft Sway, a presentation tool that works really well on laptops, phones and tablets.
Why is this important for charities?
The UK has circa 166,000 registered charities that process £48 billion each year. They also employ around 800,000 workers, and 14 million people volunteer each year in the UK. (see How Charities Work and Volunteers Week)
In the 2023 DCMS Cyber Security Breaches Survey:
- 24% of UK charities had experienced a cyber attack in the last 12 months
- 38% of attacks had affected their service
- 19% of attacks caused harm
All businesses face cyber threats, but there are a few reasons charities may be more vulnerable:
- Charities may spend money and time on front-line services rather than enhancing cyber security
- Charities tend to have a higher turnover of staff and volunteers with many being part-time, so less provision is given to ensuring all are aware of cyber security
- Charities often have lots of people using their own devices whether that's phones, tablets or laptops and desktop PCs
How can everyone reduce the chances of their charity suffering an attack?
We focus on some key principles that everyone in the organisation can get to grips with.
- Use strong Passwords
- Defend against Phishing Attacks
- Secure your Devices
- If in doubt, ask someone else
Passwords & Multi Factor Authentication
Use strong passwords
Use three random words to create strong, long and memorable passwords
- For example: carrot phone window
- Add punctuation and/or numbers as necessary: 20carrot.phone.window24
- Don't use any predictable words e.g. your pets, children's names, favourite football teams etc
Read the National Cyber Security Centre's (NCSC) logic behind the three random words.
Don't reuse passwords
Don't use the same passwords for personal and work accounts and ideally, have unique passwords for all of your accounts, but especially for:
- Work device accounts
- Email accounts
- M365 or Google Workspace accounts
- Financial accounts
- Social Media accounts
Keep your passwords safe
- Don't reveal your passwords to anyone. If you do need to write them down, keep them securely away from your device.
- You could use a password manager - read guidance from the NCSC here to find out more.
- When you're logging into your online accounts, most web browsers (such as Chrome, Safari and Edge) will offer to save passwords for you. It's safe for you to do this on your own device if you have a secure login. Do not do this on shared devices, unless everyone logs in with their own account and always logs out.
Use Multi Factor Authentication
When you use Multi Factor Authentication (MFA) on something like your M365 account, you reduce your chances of the account being hacked by 99.99%
MFA is a method of verifying a user's identity using more than one piece of evidence. Typically, MFA involves a combination of:
- something the user knows (such as a password)
- something the user has (such as a smartphone or a token)
- something the user is (such as a fingerprint or a face scan)
Popular MFA methods:
- SMS codes - good but the other methods are more secure
- Authenticator Applications on your phone - Microsoft Authenticator or Google Authenticator (both can be used) and downloaded from your app store
- Biometrics - great on your own devices but may raise privacy concerns elsewhere
- Hardware Tokens - need to be bought so not commonly used in charities
For more information about implementing solid passwords and Multifactor Authentication, visit Cyberaware at the NCSC.
Use Windows Hello
Windows Hello is an authentication feature that allows you to sign into a Windows device with your face, fingerprint, or a PIN.
It's more secure than a password as it'll only work on that device. The information is securely encrypted on the device and isn't stored elsewhere, so if, for example, someone sees you enter your PIN, they wouldn't be able to log on to your account from their device.
Defend against Phishing attacks
Phishing is when someone pretends to be someone else to get your personal information or harm your device.
They might send you a fake email, message, text or call and ask you to share your details or click on a bad link or file. Some are just trying their luck; others are more clever and sneaky.
How to spot a phishing email
Whilst you used to just have to look for bad spelling and grammar, cyber criminals have got much more sophisticated, so watch out for these three signs:
- Urgency - the message makes you feel like you must act fast and not think about other things.
- Authority - the sender tries to trick you by acting like someone you trust or respect, so you believe the message is real and you should act on any instructions.
- Imitation - using common things you do or see at work to make you open a message.
Look at who sent the email: if it says 'friend' or 'valued customer', they might not know you.
What else should you check for?
Here are some tips on how to spot a potential phishing email once you have it open on your laptop:
- Check the email address. Is it from a trusted domain, such as your bank, your employer, or a reputable company? Or is it from a suspicious or unfamiliar domain, such as a random combination of letters and numbers, or a misspelt version of a legitimate domain? If the sender's address looks fishy, it probably is.
- Check the subject line and the message body. Is the email personalised with your name, or does it use generic salutations, such as "Dear Customer" or "Hello User"?
- Check the links and attachments. Before you click on any link or open any attachment in an email, hover your mouse over it and look at the URL that appears in the bottom left corner of your screen. Does the URL match the sender's domain, or does it redirect you to a different or unknown website?
- Does the URL start with "https", which indicates a secure connection, or with "http", which is not secure?
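As an added illustration, not part of the original Superhighways course, the checks in the list above applied automatically to a few constructed sample messages in Python; the trusted-domain list, the sender addresses and the links are all assumed values, not real mail.

```python
from urllib.parse import urlparse
# Domains this organisation expects mail and links from: an assumed list, not from the page.
TRUSTED_DOMAINS = {"example-bank.co.uk", "charity.example.org"}
GENERIC_GREETINGS = {"dear customer", "hello user", "valued customer", "dear friend"}
# Digit-for-letter swaps common in lookalike domains, undone before comparing.
LOOKALIKE = str.maketrans("0135", "oles")

def domain_of(address):
    """Domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()

def is_trusted(host):
    """True when host is a trusted domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def lookalike_of(host):
    """Trusted domain that an untrusted host imitates (e.g. examp1e-bank.co.uk), or None."""
    if is_trusted(host):
        return None
    plain = host.translate(LOOKALIKE)
    for d in TRUSTED_DOMAINS:
        if plain == d or d in host:
            return d
    return None

def phishing_signs(msg):
    """Apply the checklist to one message; returns the warning signs found (empty if none)."""
    signs = []
    sender = domain_of(msg["from"])
    if not is_trusted(sender):
        signs.append(f"sender domain not trusted: {sender}")
    if (hit := lookalike_of(sender)):
        signs.append(f"sender domain {sender} imitates {hit}")
    if msg["salutation"].strip().lower().rstrip(",") in GENERIC_GREETINGS:
        signs.append("generic salutation, sender may not know you")
    for link in msg["links"]:
        parts = urlparse(link)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            signs.append(f"link is not https: {link}")
        if host != sender and not is_trusted(host):
            signs.append(f"link domain {host} does not match sender {sender}")
    return signs

# Constructed sample messages (not real mail): the fields a reader would inspect by hand.
SAMPLES = [
    {"from": "alerts@example-bank.co.uk", "salutation": "Dear Ms Smith", "links": ["https://www.example-bank.co.uk/statements"]},
    {"from": "security@examp1e-bank.co.uk", "salutation": "Dear Customer,", "links": ["http://login-examp1e-bank.xyz/verify"]},
    {"from": "it-support@charity.example.org", "salutation": "Hi Alex", "links": ["https://charity.example.org.reset-portal.xyz/password"]},
]
```

The third sample is the case the checklist warns about: the link is https and starts with a familiar name, yet its real domain is not the sender's, so it is still flagged.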
This is a great quiz from a team at Google that shows you what to look for in different potential phishing emails.
But if you do click on a suspicious link
If you think you have been phished, do these things as soon as possible:
- Write down what happened, what information you shared, and where it happened (for example, Teams or Outlook)
- Tell someone at your charity and your IT support service if you have one
- Change your passwords for all the accounts that may be affected, and use different passwords for each account when you reset them
- Sign out of accounts on any devices (this can often be done automatically e.g. if you are using Microsoft 365)
- Turn on Multi Factor Authentication for your accounts. This means you need more than just a password to sign in, such as a code or a fingerprint, and will safeguard your accounts even if your password has been compromised
- Run a virus scan on your device
See also this guidance from the National Cyber Security Centre.
Securing your devices
How to protect your computers, phones and other devices from common cyber attacks.
Always lock your devices
- Ensure that you have to log in to all your devices, using a PIN, Password, Fingerprint or Face recognition.
- Set your devices to log out if not used for a while.
Run software updates
Keeping your software up to date ensures that the latest security patches are installed, which can fix vulnerabilities and prevent hackers from exploiting them.
- Always run updates for your operating systems on your phone, laptop, tablet and desktops e.g. Windows, Android or iOS and set these to happen automatically to always be up to date.
- Use a supported version of the operating system (iOS or Android), i.e. a version that is still getting security updates. Information on the latest supported versions of iOS and Android can be found here: Apple iOS and Android. Versions highlighted in red are out of support and do not meet the requirements, so must not be used.
- Don't ignore other notifications, e.g. your anti-virus updates!
Only install official software
- Only download computer software from vendors you trust and from their official websites
- You should need Admin permissions to install software on your devices. Although it can be frustrating when this request pops up and you need to contact your IT lead or provider, it's not good practice for the everyday account you log into to have Admin permissions: if you click on a link that downloads some bad software, it would be able to install automatically and spread through your network
- Only download apps from the Google or Apple Stores; don't download apps from unknown vendors and sources
Security requirements specific to smartphones
- Use a PIN or, preferably, biometrics (Face ID or Touch ID (fingerprint)) to log in, and don't share it with anyone
- As above - ensure the Operating System and all Apps are updated
- Do not download any work files with personal or sensitive data onto the device
- Do not add your work email as an account to your device mail app. Only use the Outlook app (if using M365) or browser for email instead.
Finally, if in doubt, check with someone else
Reporting potential attacks promptly can help reduce the amount of damage caused.
Don't assume someone else will or has spotted the problem.
And if you have clicked on a bad link (or think you might have), always tell someone so that it can be checked out. There should be no blame attached to being a victim of an attack.
Further information about cyber security
The National Cyber Security Centre has developed a range of resources specifically for small charities. These include:
- NCSC - Small Charity Guide
- NCSC - Small Charity Guide Infographic Summary
- NCSC - What is phishing
- NCSC - CyberAware
- NCSC - Cyber Security Training for Charities
- NCSC - Exercise in a Box
Which Magazine also has a useful blog with details of the latest scams.