Keeping your information safe from cyber security threats can be complex, with new threats and new solutions emerging all the time. For many organisations, working with a good IT support provider is one of the best ways to make sure your computers and website are safe.
Achieving intermediate-level cyber security should be a key target for every not-for-profit. Assessing your security against the Australian Cyber Security Agency’s Essential 8 mitigation controls will tell you where your organisation is along the road to being protected.
In broad terms, intermediate cyber security protection can be broken down into four main areas:
Information classification & security
- Classifying stored information into security categories (e.g. sensitive, confidential, public)
- Defining systems and repositories that can be used for each information category
- Educating staff about how and where to securely store different data types
User device management
- Appropriate firewall and antivirus protection (see Network threat detection & alerting, below)
- Secure encryption and password protection of all user devices (PCs, laptops, phones and tablets)
- Capacity to remotely wipe sensitive data.
Network threat detection & alerting
Protecting your organisation’s network generally needs to be done by an experienced IT professional. One of the key ways you can add an extra layer of security to your network is to use a firewall. Firewalls can act as a gatekeeper between the internet and your network or computer.
Many broadband routers have a built-in firewall with basic settings available to get started quickly. Individual computers may also have a firewall, either installed as software or built into the operating system.
Depending on your security needs, you may want to purchase more robust firewalls or apply stricter settings on any firewalls you already have.
- Centrally managed network firewalls with monitored alerting during business hours, with antivirus and intrusion protection features
- Custom email phishing rules provide additional protections for key staff such as your CEO and CFO
- Automatic action triggers for suspicious account activity
Policies, user education & compliance
- Key security policies are activated, covering acceptable use of technology and cyber security incident response
- These same security policies are effectively covered in the staff induction process
- Bi-annual phishing and network penetration tests are conducted to identify any weaknesses
- Security risks are identified, prioritised and actioned appropriately.