How to use more secure IT systems

Charities are as exposed as any organisation to threats to their computer systems, whether the threats are software-based – such as viruses, worms, malware and spyware in downloads or even on websites – or come from direct human intervention through hacking.

Smaller charities, however, may be more exposed than most because they don’t have the investment or skills necessary to bring their IT security up to a level that is among the best. Here are some important measures that organisations should undertake, along with guidance on how enterprise-level security can be made affordable.

See also the guide 'How to protect your charity with security software' which covers the steps you can take by running anti-virus software and keeping your system files up to date.

Things you'll need

  • Your computers - running Windows, Apple iOS or Linux.

1. Check your equipment’s physical security

The security of the property that a charity’s computer system is housed in is a basic check. Is the building or room secured with smoke and burglar alarms? Can people walk in and out without being checked? Are your computers secured to their desks or are all portable items locked away from sight when not in use?

A mobile device (such as a laptop) should never be the sole place where your important data is stored and should always be password protected. Better still is to encrypt the data held on the computer.

When travelling with your mobile device be extra vigilant and don't take any risks when using it in public places such as cafes or on public transport.  

For more information on keeping your equipment safe, check out this guide by our Trusted Supplier Workplacelive on 5 steps to IT security.

If you need to connect to the internet from a public WiFi hot-spot, always check that it is a trusted network or is provided by a reputable supplier, and be cautious about making financial transactions over these networks.

2. Use strong passwords

After the physical security of your office, passwords are the next most important thing to consider. Use strong passwords with a combination of uppercase and lowercase characters, numbers, and symbols. This will help you defend against hackers who make random and systematic guesses that are based on commonly used words.

Use different passwords for different websites, and use password management software (e.g. LastPass) to help you remember them. To thwart unauthorized password recovery that’s based on commonly known information (your date of birth, the model of your first car, or your pet’s name), consider whether you can use related but nonsense answers, for example the colour of your friend's car or the name of your neighbour's pet.

Don't write down your passwords and put them in your drawer or attach them to your monitor on a sticky note!

3. Ensure robust user authentication and firewall protection

Enhanced security can also come about through a process called dual factor authentication (2FA), which identifies individuals through a combination of user name, password and information known only to them.

As for firewalls: the best come at an enterprise-level price, but – as with all aspects of security – small and medium-sized charities absolutely shouldn't be left out, as discounted firewall software is available through the Technology Trust.

4. Get the right security software

Another basic is the software needed to safeguard not only data and information (including passwords) but also the computers themselves. Malware can make computers run very slowly; viruses can render them unusable.

Off-the-shelf security products, or their free versions, can be very useful but enterprise-grade equivalents, which also make life more difficult for hackers and automated hacking programs, are a step up. See this guide on protecting your charity with security software.

Another improvement from the basics is high end online filtering, which protects staff, data and information from malicious websites. Even innocuous-looking websites can contain threats that need to be neutralised. A trusted website might have been compromised by malware, which is ready to infect any computer that accesses it over the internet. 

5. Establish good practice policies

All staff and volunteers should receive induction into the security policies of the organisation when they join. You should have in place:

  • A password policy which requires staff to keep passwords secure, out of sight and secret.
  • An acceptable use policy for computers and mobile devices. The policy should also discuss replacement for lost or stolen devices.
  • If staff use their own devices for work purposes then a BYOD (Bring Your Own Device) policy will be required. This should explain what users can do with their devices, what’s allowed to be installed on them and actions you may need to take to erase their device should it be lost or stolen.
  • A data protection policy will cover all the aspects of how the organisation stores, processes and manages the data it holds. With GDPR fast approaching, NCVO members can access free guidance on writing a data protection policy in the tools and resources section on this site.

6. Safe browsing

Educate staff not to forward spam e-mails to colleagues or open suspect attachments. Don't click on spoof phishing links (even though they may seem plausible) and don't believe all the Facebook links that are just tricks or which are promising the earth! If in doubt check this helpful referencing site

7. Consider moving data to the cloud

The cloud is a great leveller, bringing data storage prices down to affordable levels and enabling organisations of any size to share in the same levels of technology security. It has achieved that by allowing charities and other organisations which have outsourced their IT to share all costs, including those of the physical security of the data centre, where the data and information is kept.

Using a cloud services provider that is ISO 27001 accredited will ensure that all processes during and after the move to cloud computing are compliant with it. This accreditation offers assurance that standards are adhered to.

However, exercise caution when accessing cloud services or granting access to another person for your files. Satisfy yourself that the cloud service provider is legitimate and will take good care of your data. Also check where data is stored, both physically in a well-protected data centre and geographically in the UK.

Make sure all staff use individual logon passwords to cloud based websites.  

More information can be found in the how-to guide on moving to the cloud.

8. Keep offline backups

Be prepared for cloud services to be occasionally unavailable. Consider data that you want to put in the cloud, and how the inaccessibility of that information would affect your organization’s ability to operate.

There’s often an audit trail of changes for online documents. Periodically review changes to see if there is unusual behavior.

Make a secure off-line backup copy of your most important data so that you can access it even if the cloud service is unavailable. However, don't simply store this on a USB pen drive and carry it around in your bag or pocket! Backup copies of files should be made to an external hard drive which is encrypted and stored off-site or kept in a lockable fireproof safe. 

Further information

WorkPlaceLive are Trusted Suppliers to the NCVO and hold the ISO 27001 accreditation. If you would like to discuss the security of your data and IT in more detail, please get in touch. A discount is available for NCVO members.

Some information in this How-To is based on the TechSoup guide "12 Tips For Being Safer Online".

The Get Safe On-line (UK) and Stay Safe On-line (US) websites contain many resources, sheets and articles to help keep your IT systems protected.

Page last edited Mar 26, 2018