CST – Cyber/IT Security
As you are probably aware, more than 200,000 organisations are thought to have been affected by a recent cyber security attack known as Ransomware. When an IT system is infected with Ransomware, its data becomes encrypted and is only released on payment of a “ransom”.
Extortionate Ransomware became prominent in 2005, and with the introduction of Bitcoin digital currency (which allows anonymous transfer of money), returned to prominence in late 2013.
Although it is virtually impossible to protect IT systems fully from hackers and other types of cyber-attacks, there are many measures that organisations can easily take to protect themselves and greatly reduce the risk of a successful attack.
Communal organisations need to consider the different risks they face if they become infected with Ransomware or come under other forms of cyber-attack. These include:
- Loss of data (possibly permanent), or data theft which may identify service recipients, donors, financial information or other sensitive material
- Denial of service, preventing access to your computer systems and data
- Reputational damage from loss of data
- Significant fines imposed by the Information Commissioner for a breach of data protection laws caused by a cyber-attack
CST does not give specific IT security support for individual organisations. However, we urge you to read this basic guidance and then take professional IT advice as appropriate.
Ideally, you should use a professional IT consultant to address the IT security for your organisation. IT consultants will design the security requirements for the organisation and introduce ongoing security policies, procedures and training to minimise the risks to your IT infrastructure.
There are basic measures that should be in place at any organisation. These include:
- Use only genuine licensed software and operating systems.
- Install regular software updates from software manufacturers. Often referred to as ‘patches’, these are designed to ‘patch’ potential security weaknesses which have been identified in software or operating systems.
- Use Firewalls to prevent unauthorised remote access to your computers. Some firewalls have anti-virus engines that require a subscription. If this is an option, it is a valuable first line of defence for your network.
- Install good quality anti-virus software on all computers. This is sometimes called anti-malware. Free software from the internet (‘Freeware’) rarely provides the level of protection an organisation requires.
- Virus-check USB storage keys and other portable media before using them on your computers. USB keys are a common way that viruses transfer from one machine to another. A USB device that has been plugged into an infected computer will probably be infected itself. If you then plug that USB device into your computer, your computer will be infected. Do not assume that your home computers or other computers outside your organisation are free from viruses.
- Use email-filtering software or an email-filtering service to protect your organisation from viruses and malware delivered by email, as well as unwanted emails (often called spam). This is probably one of the most valuable tools currently available to protect you against Ransomware attacks.
CARE WITH EMAILS
A common method of cyber-attack is phishing or spear-phishing. In these attacks, the attacker sends an email with an attachment or a link within the email. Once the link or attachment is clicked, the attack can begin, often with no visible signs until after it has completed (in the case of ransomware, after the data is encrypted).
Educate your staff to avoid clicking on links or attachments that they are not expecting. Phishing attacks often use email addresses that appear to come from known companies or organisations.
Prioritise backing up your data on removable disks or to a secure cloud facility. Regular backups protect you against data loss from cyber-attacks and computer failure. If you store backups on removable disks, the disks should be swapped regularly and some of them stored securely offsite. Alternatively, effective cloud-based backup solutions are available which are secure and easy to manage. Either way, you should test backups regularly to ensure that they have been successful.
IF YOUR ORGANISATION SUFFERS A CYBER ATTACK
If your organisation suffers a cyber attack, please report it to CST as soon as possible. The attack you have experienced may be part of a wider pattern against the Jewish community and CST can warn other communal organisations to take precautions. Visit our website for contact details: https://cst.org.uk/contact-us
FURTHER INFORMATION
Information on cyber/IT security is widely available. CST strongly recommends the following:
- The Little Book of Cyber Scams – Police advice on protecting your business from cybercrime - https://www.met.police.uk/globalassets/downloads/fraud/the-little-book-cyber-scams.pdf
- The National Cyber Security Centre - https://www.ncsc.gov.uk/
- City of London Police - https://www.getsafeonline.org/cityoflondonpolice/
- Charity Commission - https://www.gov.uk/government/news/ransomware-threat-keep-yourcharity-safe
- Information Commissioner’s Office - https://ico.org.uk/