The National Cyber Security Centre [see below] defines cybersecurity's core function as protecting the devices we all use (smartphones, laptops, tablets and computers), and the services we access - both online and at work - from theft or damage. It is also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online. It is important because smartphones, computers and the internet are now such a fundamental part of modern life that it has become essential to take steps that can prevent cyber criminals getting hold of our accounts, data, and devices. 

The importance of cyber security is heightened by the recent (29 January 2020) news that a charitable housing association lost more than £932,000 in a sophisticated cyberfraud, involving payments to what they thought were genuine external suppliers. The weak link In its cybersecurity was not the external fraud itself, but human failure to implement the association's own internal procedure which required verification of changes to payments and accounts. For more about this, see  
https://redkitehousing.org.uk/latest-news/2020/january/weve-been-cyberconned, and the
Scottish Housing News article at https://tinyurl.com/rpx222k.

For a similar but much smaller cybercrime involving online payments diverted from a genuine supplier, see T
Top tips for charities when handling fraudulent cybercrime, 
Civil Society, 26 March 2019
http://tinyurl.com/uy5q3a3.

The chair of the charity involved offers the following advice:

  • When you appoint a new supplier, confirm the account details with a small trial amount first and then checking it has been received by the actual supplier.
  • Check, check and check again that you have the correct bank details.
  • Don't be afraid to reach out to your customer base.
  • Be aware of suspicious looking links.
  • Make sure you download the latest anti-virus software.
  • Create strong passwords.
  • Keep sensitive and non-sensitive data separate, and limit access to sensitive data.
  • Don't assume that an invoice sent as a PDF includes accurate bank details, as the PDF could have been changed en route.

Some of the guidance below is intended for charities, but applies equally to any organisation or business.

According to the Fraud Advisory Panel [see Resources, below]: "Cybercrime is often misunderstood and feared simply because the technical language and terminology sounds so frightening. 'Cyber-dependent' crimes are the technically complex offences, frequently using specialist tools and techniques to cripple computer systems and steal data. Examples include ransomware, hacking, PBX/dial-through fraud (when a switchboard is hijacked and used to make expensive calls to premium rate numbers controlled by the fraudsters) and distributed denial of service (DDoS) attacks (when an online system or website is overwhelmed by flooding it with bogus enquiries from other systems previously infected with malware). But by far the most common cybercrimes are low-tech, 'cyber-enabled'. These are things like theft, forgery or shoplifting but which have been carried out with the help of computers or the internet. Since these offences always have a significant human component, they are also susceptible to fairly straightforward defences and remedies."

The Fraud Advisory Panel lists seven top tips for preventing cybercrime:

  • Use anti-virus software and keep it up to date.
  • Use a firewall to block unauthorised access.
  • Don't use the same password for several online accounts.
  • Don't click on links or attachments in unsolicited emails.
  • Always lock your mobile device.
  • Always install software updates.
  • Be careful what personal details you reveal on social media.

Preventing charity cyber crime [see Resources, below], which summarises findings from a major survey of charities in March 2019, identifies the following governance and management actions:

  • Charities should acknowledge the substantial threat of cybercrime and understand the harm it can cause their charity.
  • Charities should clarify responsibility for managing the risk of cybercrime and ensure it's a governance priority for the board.
  • Charities should raise awareness of cybercrime and encourage trustees, staff and volunteers to raise concerns, especially where phishing attacks and malicious emails are suspected.
  • Successful cyber-attacks should be reported to the board and to appropriate external organisations, including the police and Charity Commission.
  • Charities should be open and transparent when dealing with cybercrime, adopting a pro-active approach that priorities detection and prevention.
  • Charities should act early and review prevention arrangements before a cybercrime has occurred.

RESOURCES

Charity Commission

  • Protect your charity from fraud and cyber crime. October 2016, last updated 25 October 2019: 
    https://www.gov.uk/guidance/protect-your-charity-from-fraud
    Includes the annual charity fraud awareness week and hub (next dates 19-23 October 2020); 8 guiding principles for tackling charity fraud; how to report fraud; how to protect against fraud; counter-fraud best practice templates for charity trustees; about cybercrime and reporting a live attack; cybersecurity toolkit for boards; regulatory alerts about fraud; and organisations that combat fraud in charities.
  • Preventing charity cyber crime: Insights and action. 23 October 2019, 10pp: 
    http://tinyurl.com/renx3ya.
    The main findings from the Charity Commission's cybercrime survey of registered charities in England and Wales during March 2019 – including that one-third of charities that were victims of cybercrime did not report it to the police, their bank, the Charity Commission or anyone else outside the organisation. Includes survey findings, conclusions, action points, and charity cybercrime case studies.

Fraud Advisory Panel

  • Tackling charity fraud: Prevention is better than cure. March 2018, 18pp: 
     https://tinyurl.com/vrhtcl5. Especially pp.2-5 on cybercrime, from which the quotes above are taken.

National Cyber Security Centre

NCSC is part of GCHQ, the Government Communications Headquarters. NCSC provides information and advice for individuals and families; self-employed and sole traders; small and medium organisations (up to 250 employees, or larger organisations without a dedicated cyber security officer); large organisations; public sector; and cyber security professionals. Starting points include:

  • Small business guide: Cyber security. November 2018: 
    https://www.ncsc.gov.uk/collection/small-business-guide.
    Covers backing up your data; protecting your organisation from malware; keeping your smartphones and tablets safe; using passwords to protect your data; avoiding phishing attacks; actions to take; and videos. Also similar guidance for small charities, URL as above but with /charity rather than /small-business-guide after the word collection.
  • Stay safe online: Top tips for staff. June 2019: 
     http://tinyurl.com/wg4jbry. - 30-minute online training.
  • Board toolkit. 21 March 2019: 
     https://www.ncsc.gov.uk/collection/board-toolkit.
    Covers what cybersecurity is; what individual board members should be doing; what the board should be ensuring the organisation is doing; starting points for discussions with cybersecurity experts; legal and regulatory aspects of cybersecurity.

 Information Commissioner's Office

  • A practical guide to IT security: Ideal for the small business. January 2016, 18pp:  
    https://tinyurl.com/zsr8nrz.          
    Assess the threats and risks to your business; get in line with Cyber Essentials; secure your data on the move and in the office; secure your data in the cloud; back up your data; train your staff; keep an eye out for problems; know what you should be doing; minimise your data; and make sure your IT contractor is doing what they should be. 

Ecclesiastical Insurance

  • Charity cyber guide: Your defence against digital risk. April 2018, 15pp:  
    https://www.ecclesiastical.com/documents/charity-cyber-guide.pdf
    Covers attacks on charities; ransomware; phishing; malware; DoS and DDoS; password attacks; humans; protecting against data breaches; consequences of a cyber attack; attacks on your reputation; cyber insurance; and further information.

END OF SUPPORT FOR WINDOWS 7

If you are still using Microsoft's Windows 7, you are not alone – at the end of December 2019 about one-third of desktop operating systems were reportedly still using it, including much of the NHS. But after 10 years, support for Windows 7 ended on 14 January 2020. A PC with Windows 7 will continue to work,  but Microsoft will no longer provide software updates, including free security updates, so the PC will become more vulnerable to security risks and viruses. Information from Microsoft about the implications is at 
http://tinyurl.com/y3yadhcy.

For a more objective look at the implications and options, see the excellent briefing Still using Windows 7?
Here's what you need to know 
from the Northern Ireland Council for Voluntary Action (NICVA), 7 January 2020, at 
http://tinyurl.com/ro9c9m7.

source sandy adirondack