Cyber Scotland Week 2019

Today marks the beginning of Cyber Scotland Week – a first of its kind for cyber in Scotland. From today, Monday 22 April until Sunday 28 April, organisations big and small will come together to show the sector’s innovative practices, demonstrate what good cyber resilience is and promote the industry and its opportunities.

The Wise Group is a third sector cyber catalyst – an ambassador for cyber awareness and resilience amongst our third sector community in Scotland.

This Cyber Scotland Week, we’re sharing how the third sector can understand the cyber threat and what our fellow third sector organisations can do to manage the risk from those threats. The Cyber Breaches Survey 2019 showed that 52% of charities with an income of £500k or more experienced breaches or attacks over the past year, with the average annual cost for all charities that lost data or assets after breaches being £9,470. However, organisations quoted figures of £300 to £100,000 depending on the severity of the breach.

Due to some high-profile cases, as well as the introduction of the General Data Protection Regulation (GDPR) in May 2018, the sector is beginning to understand the importance of cyber security. 94% of charities with an income of over £500k, 82% of charities with an income of between £100k and £500k, and 68% of charities with an income under £100k now see cyber security as a high priority.

This Cyber Scotland Week, we’re promoting the 5 topics that all charities should focus upon as a basis for good cyber practice, courtesy of the NCSC’s Small Charity Guide. These are easy ways, either free or inexpensive to implement, for third sector organisations to better protect their data, assets – and reputation.

  1. Back up your data away from your location

All charities, no matter their nature or size, should regularly back up their important data. First, identify the essential data that your charity couldn’t function without – emails, contacts, legal information, calendars, financial records and supporter or beneficiary databases.

Keep a backup of this vital information separate from your computer, so that it is not accessible by all staff or volunteers and is not permanently connected (either physically or over a local network) to the device holding the original copy. Consider using cloud storage for both work and your important personal data. Using cloud storage means a service provider stores your data on their infrastructure and keeps your data physically separate from your location.

  2. Protect from malware

Malware is software or web content that can harm your organisation – with the most well-known form being viruses. These are programs that infect legitimate software.

Antivirus software is often included free within popular operating systems and should be used on all computers and laptops.

Another good way to protect your organisation from malware is to keep all software and IT equipment up to date. An easy way to do this is to set all your operating systems, programs, phones and apps to “automatically update” where this option is available.

  3. Keeping your phone protected

One of the simplest ways to protect your phone from a data breach is to avoid connecting to unknown Wi-Fi hotspots. When you use Wi-Fi hotspots in public spaces – such as hotels, coffee shops, or public transport – there’s no easy way to find out who controls the network, or to know if it’s secure. If you need to connect to public Wi-Fi, keep in mind what you’re viewing or accessing, and which private login details apps and web services hold whilst you’re logged in. The safest option, however, is to use your phone’s 3G or 4G mobile data network.

  4. Change default passwords

An easy mistake that can put you at risk of a data breach is leaving in place the manufacturer’s default password that smartphones, laptops or other types of equipment are issued with. Before devices are issued within your organisation, change default passwords. When setting a password, make it as strong as possible. A good practice to get into when setting passwords is to use three completely random words with no association to each other or yourself, and follow the NCSC guidance – just don’t use any of these most common passwords!

  5. Avoiding phishing attacks

Phishing attacks are when scammers send ‘fake’ emails to thousands of people, suggesting they should follow a link to reset a password or to visit a common website when, in actuality, the link takes you to a website containing malware or one that extracts sensitive information, such as login credentials or bank details.

In the past, phishing emails were commonly easy to spot. However, the attackers have become more sophisticated and even the most observant users can find themselves falling for them.

You can’t expect all of your colleagues to be able to identify and delete every phishing email. However, you can share the most obvious signs with them. These include: spelling, grammar and punctuation mistakes; low quality graphics and logos; the email being addressed to “valued customer” or simply “colleague” and not specifically to you; a sense of urgency or veiled threat like “send these details within 24 hours” or “you’ve been a victim of a crime – click here immediately”; emails from a senior employee requesting that payment is made to a particular bank account.

A good rule of thumb is: if it sounds too good to be true – like a large donation in return for your details – then it probably is.

 

As well as the NCSC’s Cyber Security Charity Guide, the NCSC website at https://www.ncsc.gov.uk contains a great deal of guidance for individuals and organisations, large and small, and should be regarded as a trusted source of definitive cyber security information.

In future blogs on this site we’ll aim to cover other aspects of cyber security and explain how the Wise Group’s current transformation project – with technology as an essential enabler and foundation for change – has the need for cyber security and data protection at its heart.