Here are five fundamental security measures that your not-for-profit can put in place to reach a minimum standard of adequate protection.
1. Implement multi-factor authentication on Microsoft 365/Google Workspace and sensitive internet-facing systems
One of the first and most valuable changes your organisation can make is to enforce multi-factor authentication (MFA) for all accounts. Enabling MFA dramatically reduces your cyber security risk and should be completed quickly to minimise the potential for data breaches. Start with administrator accounts and with anything that can be reached directly from the internet (webmail, remote access, finance and donor systems), then extend it to everyone.
“One simple action you can take to prevent 99.9 percent of attacks on your accounts.”
Melanie Maynes - Senior Product Marketing Manager, Microsoft Security.
Also ensure that shared user accounts are eliminated or, where one is unavoidable, minimised and properly managed (for example, with the credentials held in a password vault rather than passed around by email). Review who has access to each system on a scheduled basis, and remove access promptly when staff or volunteers leave.
To see how Microsoft 365 and Google Workspace handle MFA, read our guides: What every not-for-profit should expect from Microsoft 365 and What every not-for-profit should expect from Google Workspace.
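"Enforce MFA for all accounts" is easy to say and hard to confirm. The script below is an added example, not code from this guide or from Microsoft: it uses the Microsoft Graph PowerShell SDK to list enabled Microsoft 365 users who have no MFA-capable sign-in method registered, so you can chase them before turning enforcement on. It assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph) and that the person running it can consent to the two read-only scopes requested; the list of methods treated as "strong" is our own choice (password and email-only methods are deliberately excluded).

```powershell
# Added example (not from the original guide). Requires: Install-Module Microsoft.Graph
# Read-only scopes: enough to list users and their registered authentication methods.
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All'

# Method types we count as a real second factor (assumption: password, email and
# temporary access pass are not counted, because they do not protect the password).
$strongMethods = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod'   # SMS/voice: weakest of the set, but still MFA
)

$users = Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id, UserPrincipalName

$report = foreach ($user in $users) {
    # Each returned method object carries its concrete type in '@odata.type'.
    $types = Get-MgUserAuthenticationMethod -UserId $user.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $registered = $types | Where-Object { $strongMethods -contains $_ } |
        ForEach-Object { $_ -replace '^#microsoft\.graph\.', '' -replace 'AuthenticationMethod$', '' }
    [pscustomobject]@{
        User       = $user.UserPrincipalName
        HasMfa     = [bool]$registered
        MfaMethods = ($registered -join ', ')
    }
}

# Who still needs chasing, plus a CSV you can hand to the executive as evidence.
$report | Where-Object { -not $_.HasMfa } | Sort-Object User | Format-Table -AutoSize
$report | Export-Csv -Path .\mfa-registration-report.csv -NoTypeInformation
```

Run it once before enforcement to find the gaps, and again afterwards: the "no MFA" list should be empty. Google Workspace has no equivalent PowerShell module; use the 2-Step Verification enrolment report in the Admin console to get the same view.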
2. User Education
Employees who don’t know what they should be doing are more likely to make innocent mistakes – you don’t know what you don’t know! Ensure that the end-user security policy is socialised with and understood by staff, covered at induction and included in an annual training refresh.
Without staff training, email is a major point of vulnerability. Phishing remains one of the most common and most effective ways that passwords and information are compromised. If something looks wrong, staff should feel encouraged to report it rather than ignore it, and should never be criticised for reporting something that turns out to be harmless.
We offer a series of free webinars that your staff can attend. At the conclusion of the webinar the presentation, as well as a link to the recording are emailed. You can read our upcoming webinars on this topic here: Information Security webinars.
3. Information classification and security
Identify your important information stores and confirm that your backup regime is appropriate and works correctly. "Works correctly" means actually restoring data from a backup and checking it, at least annually and ideally more often, rather than trusting a "backup completed" message; it also means keeping at least one backup copy that is offline or otherwise separated from your network, so that a ransomware infection cannot encrypt the backups along with the live data. Example systems to consider are finance, email, files, HR and client data. Read the guide Information Security policy for not-for-profits to get started.
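A recovery test is only as good as the comparison you make afterwards. The function below is an added example, not code from this guide: after you have restored a folder from backup to a scratch location, it picks a random sample of files from the live store and compares SHA-256 hashes with the restored copies, reporting anything missing or different. The paths and sample size are assumptions to be replaced with your own; Get-FileHash and Get-Random are standard PowerShell cmdlets.

```powershell
# Added example (not from the original guide). Compares a random sample of files in the live
# data store against the copies a restore produced. Assumes $Source and $Restored are folders
# you can read, and that the restore was made from a recent backup of $Source.
function Test-RestoreSample {
    param(
        [Parameter(Mandatory)][string]$Source,     # live store, e.g. \\fileserver\finance
        [Parameter(Mandatory)][string]$Restored,   # where the restore landed, e.g. D:\restore-test\finance
        [int]$SampleSize = 50                      # assumption: 50 files is enough for a spot check
    )

    $sourceRoot = $Source.TrimEnd('\')
    # Get-Random -Count returns everything if there are fewer files than requested.
    $sample = Get-ChildItem -LiteralPath $sourceRoot -Recurse -File | Get-Random -Count $SampleSize

    foreach ($file in $sample) {
        # Path relative to the root, so the same file can be located under $Restored.
        $relative = $file.FullName.Substring($sourceRoot.Length).TrimStart('\')
        $copy = Join-Path -Path $Restored -ChildPath $relative

        if (-not (Test-Path -LiteralPath $copy -PathType Leaf)) {
            [pscustomobject]@{ File = $relative; Status = 'MISSING' }
            continue
        }

        # Compare content, not just size or timestamp: a truncated or corrupt restore fails here.
        $liveHash     = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $restoredHash = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        [pscustomobject]@{
            File   = $relative
            Status = if ($liveHash -eq $restoredHash) { 'OK' } else { 'DIFFERENT' }
        }
    }
}

# Example run (paths are placeholders). Keep the output with your test records.
$results = Test-RestoreSample -Source '\\fileserver\finance' -Restored 'D:\restore-test\finance'
$results | Group-Object Status | Select-Object Name, Count
$results | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Files that have legitimately changed since the backup was taken will show as DIFFERENT, so run the comparison against a store that is quiet (or immediately after the backup), and record the date, the backup used and the result so the test counts as evidence for your policy review.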
4. Device and network management
Ensuring your devices are secure is extremely important. By devices we mean laptops, phones, tablets, servers and network infrastructure (such as switches, routers and firewalls).
Vendors regularly discover vulnerabilities in their products and release security patches to fix them, but a patch only protects you once it has been installed.
- Windows PCs should have antivirus protection (Windows 10 and 11 include Microsoft Defender Antivirus, which is enabled by default unless another antivirus product is installed and active)
- Ensure only vendor-supported operating systems and applications are used
- Device operating systems and applications are reliably patched through manual or automatic update processes. Both Windows and macOS prompt for OS updates as they become available, and many applications also notify users of available updates. Users should allow updates to proceed promptly rather than deferring them for weeks.
- Default administrator passwords on routers, switches, firewalls, printers and other infrastructure have been changed to strong, unique passwords that are recorded in a password vault, not on a sticky note or in a shared document.
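The checklist above can be spot-checked on any Windows PC without extra tools. The script below is an added example, not code from this guide or from Microsoft: run in an elevated PowerShell session, it reports whether Defender is on and its signatures are current, what Windows version is installed, when a security update was last applied, and whether the built-in Administrator account (always RID 500, whatever it has been renamed to) is still enabled. The thresholds and the "supported version" pattern are our assumptions; compare the reported version with the vendor's published end-of-support dates rather than trusting the pattern alone.

```powershell
# Added example (not from the original guide). Baseline check for one Windows PC.
# Run as an administrator. Thresholds below are assumptions, tune them to your policy.
$maxSignatureAgeDays   = 3    # Defender publishes signature updates several times a day
$maxDaysSinceLastPatch = 45   # one monthly Patch Tuesday plus slack

$os        = Get-CimInstance -ClassName Win32_OperatingSystem
$av        = Get-MpComputerStatus
$lastPatch = Get-HotFix | Where-Object InstalledOn |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
# The built-in Administrator account keeps the -500 RID even if it has been renamed.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }

$checks = @(
    [pscustomobject]@{
        Check  = 'Antivirus enabled'
        Pass   = [bool]$av.AntivirusEnabled
        Detail = "real-time protection: $($av.RealTimeProtectionEnabled)"
    }
    [pscustomobject]@{
        Check  = 'AV signatures current'
        Pass   = ($av.AntivirusSignatureAge -le $maxSignatureAgeDays)
        Detail = "signature age $($av.AntivirusSignatureAge) day(s), updated $($av.AntivirusSignatureLastUpdated)"
    }
    [pscustomobject]@{
        Check  = 'Supported Windows version'
        Pass   = ($os.Caption -match 'Windows 1[01]|Windows Server 20(19|22)')   # assumption: verify against vendor lifecycle
        Detail = "$($os.Caption), build $($os.BuildNumber)"
    }
    [pscustomobject]@{
        Check  = 'Patched recently'
        Pass   = [bool]($lastPatch -and ((Get-Date) - $lastPatch.InstalledOn).Days -le $maxDaysSinceLastPatch)
        Detail = if ($lastPatch) { "$($lastPatch.HotFixID) installed $($lastPatch.InstalledOn.ToShortDateString())" } else { 'no update history found' }
    }
    [pscustomobject]@{
        Check  = 'Built-in Administrator disabled'
        Pass   = (-not $builtinAdmin.Enabled)
        Detail = "account '$($builtinAdmin.Name)', password last set $($builtinAdmin.PasswordLastSet)"
    }
)

$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Pass }) { Write-Warning 'One or more baseline checks failed on this device.' }
```

Get-HotFix only sees updates Windows records as hotfixes, so treat an empty history as "investigate", not as proof that nothing is installed, and use Windows Update or your management console as the authoritative view. The script covers PCs only; for routers, switches and firewalls the equivalent check is still a manual login to confirm the default credentials no longer work.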
5. Policies, risk management and compliance
Policies, risk management and compliance ensure we prioritise and address the most critical threats in a timely manner, and then shift focus to continual improvement over time. Our Why cyber security is so important and Cyber security: What it is and why it matters guides, provide useful information and guidance on this topic.
As a foundation, you should ensure:
- End-user security, information security and privacy policies exist within your not-for-profit (our Privacy guidelines for not-for-profits, Information security policy for not-for-profits and DIY end user security policy guides can help get you started in this space)
- Third parties with access to the organisation's information (IT providers, payroll and donor-management services, cloud vendors) are also keeping that information safe, and you hold some evidence of it, such as contract clauses or a current certification
- Cyber security risks and protections are discussed at the executive level at least twice annually
- There is a designated role or roles within the organisation with information security and privacy responsibilities, authority, and accountability.