The Head of the National Cyber Security Centre, Lindy Cameron, sums up the current cyberthreats to charities in the 2023 NCSC Cyber Threat Report on the charity sector:
More charities are now offering online services and fundraising online, meaning reliable, trusted digital services are more important than ever. During the Ukraine crisis, we saw more criminals taking advantage of the generosity of the public, masquerading as charities for their own financial gain. Cyber-attacks affecting services, funds or compromising sensitive data can be devastating financially and reputationally, potentially putting vulnerable people at risk. The NCSC continues to support this vital sector and encourages all readers of this report to implement the guidance within it.
Here at the Eastern Cyber Resilience Centre, we couldn’t agree more. But where do you start?
You could begin your cyber resilience journey by reviewing your organisations approach to passwords since they are a key component in protecting your charity’s integrity and data.
What does a strong password look like?
The below graphic represents the time it would take for a cybercriminal to hack (brute force) a password using current technological capabilities.
Passwords should ideally be in the green section of this table, but if one of your current passwords is in another colour - do not worry. We would just advise that change it to something more secure and unique. With the rapid advancements in processing power, areas in the orange section may look secure right now, but it the next couple of years, they may become much weaker.
The NCSC recommend use three random words followed by punctuation to create a secure and unique password. To find out more about passwords guidance, click here.
Multi Factor Authentication
Two Factor Authentication (2FA) and Multi Factor Authentication (MFA) are incredibly useful in protecting your systems, accounts, and devices.
2FA and MFA are essentially two or more methods that can verify your identity. A cybercriminal may be able to crack your username or password, but they do not have your fingerprint, Face ID, or your mobile phone to authorise a log in attempt on a mobile authenticator app.
2FA follows the idea of using a combination of two of ‘Something you know’, ‘Something you have’, and ‘Something you are’. So, you might have a password that you have remembered, a physical identification token like a badge, and a fingerprint scanner. Often times the ‘something you have’ will take the form of a different device, like a mobile phone, in order to verify your identity when connecting to services online.
By enabling MFA across your systems, accounts, and devices you are providing an additional layer of defence to protect you from a cyberattack.
What can you do?
The Eastern Cyber Resilience Centre is a police company that was established to help charities and small businesses to become more resilient to the threats posed by criminals in the online world. We offer free membership to any organisation or person who wishes to join – so sign up now and take advantage of everything we have to offer. After that…
See what passwords you and your staff have which have already appeared in data breaches and change them as soon as possible. Why not run a poll to see who has the most/least breaches? Haveibeenpwnded.com is a legit website where you can enter your email address and telephone number to see if your information has been captured in a data breach. You can also register your email address or domain and get notified if it appears in another breach.
Have a clear password policy for staff and tell them why having strong, unique passwords are essential. If you need some help with this, our affordable student services offer security awareness training. Why not make a booking to discuss further?
Enable 2FA and MFA wherever you can, but especially on your emails and social media accounts. Even with the best passwords, once someone knows that password then the system is no longer secure. With 2FA or MFA, even if the password and username are known, the criminal won’t have access to the second verification factor so they shouldn’t be able to just “log in”.
If your staff have a lot of passwords to remember, consider getting an enterprise password manager so they only have to remember one and the password manager generates and remembers the rest – saying goodbye to reused passwords.
The National Cyber Security Centre have also created a really good Small Charity Guide that you can access for free here. Finally, if you wanted to test your and your staff’s knowledge about passwords have a look at the centres free password quiz.
Further guidance & support
You can contact the Cyber Resilience Centre for guidance and support through our e-mail or use our online booking system to make an appointment with one of our team.
Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.
Reporting Cyber Crime
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).