Cyber security is the practice of defending computers, mobile devices, cloud services, electronic systems, networks, and data from malicious attacks. It is vital to protect the privacy of SLSC members, prevent any SLSC data from being stolen or used for malicious purposes, and avoid legal action or fines.

There are a few areas of cyber security to consider.

  • Application security – keeping software, and the data it processes, free of exploitable flaws; a compromised application exposes whatever data it was protecting.
  • Disaster recovery and business continuity plans – how the SLSC keeps operating when a resource is unavailable (a key laptop, the email system, SurfGuard access) and how it recovers after a cyber security incident.
  • End-user education – protecting the SLSC by teaching members good cyber security practices, such as not opening suspicious email attachments and not plugging in unidentified USB drives.
  • Network security – protecting the SLSC’s network (including its Wi-Fi) from intruders, whether targeted attackers or opportunistic malware.
  • Operational security – the procedures and permissions for handling, storing and protecting data assets, including who may access what.

For consideration:

The following are a few practical things to consider when implementing effective ICT governance, management and cyber security:

Ensure SLSC systems are patched, all software is up to date and antivirus protection is active

Set all personal computers (PCs), laptops, tablets and other digital devices to auto-update and regularly check that this is actually happening. Avoid repeatedly postponing update prompts: most updates only take effect after a restart, so shut down or restart at the end of the day so that pending updates (which usually include security fixes) are applied. Also, set your mobile devices to automatically update their apps and regularly check your device’s app store to confirm they are being updated as expected. Software that is no longer supported by its vendor will not receive fixes at all and should be replaced.

Back up files regularly

Back up files to at least two different locations and test that you can restore files from each backup; a backup that has never been restored is an assumption, not a safeguard. Think what would happen if your SLSC’s office had a fire or a key administration laptop had a critical failure—how much data could you recover, and how quickly? You should aim to have your backup data regularly synchronised online to an enterprise-grade cloud storage solution. Be aware that a continuously synchronised copy will also faithfully synchronise a file that has been deleted by mistake or encrypted by ransomware, so keep version history enabled or retain at least one copy that is not permanently connected. Also, ensure the backup itself is protected (encrypted where the service supports it) and accessible only to those who need it.
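The restore test described above, as an added example that is not part of the original guidance: a small Python script that archives a records folder to two constructed stand-in locations (a "USB" folder and a "cloud" folder), records a SHA-256 manifest of the source, then restores each copy into a scratch directory and compares every file against the manifest. One copy is deliberately damaged after it is written to show that the check catches silent corruption. The folder names, file contents and the `records.tar` archive name are all constructed for the example.

```python
"""Back up a folder to two locations and prove each copy restores intact."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under root (tar-style '/' separators)."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict:
    """Write an uncompressed tar of source and return the manifest it is expected to restore to."""
    expected = manifest(source)
    with tarfile.open(archive, "w") as tar:
        for rel in expected:
            tar.add(source / rel, arcname=rel)
    return expected


def verify_restore(archive: Path, expected: dict) -> list:
    """Restore into a scratch directory and report every file that is missing or altered.

    An empty list means the backup restores exactly what was backed up.
    """
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # refuses path traversal (Python >= 3.12)
                except TypeError:
                    tar.extractall(scratch)  # older Python without the filter argument
        except (tarfile.TarError, OSError) as exc:
            return [f"archive unreadable: {exc}"]
        restored = manifest(Path(scratch))
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"altered: {rel}")
    return problems


def demo() -> tuple:
    """Constructed sample: a records folder backed up to two places, one copy later damaged."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "records"
        (source / "minutes").mkdir(parents=True)
        (source / "minutes" / "2024-01.txt").write_text("Committee minutes, January (constructed sample)\n")
        (source / "members.csv").write_text("id,name\n1,Sample Member\n")

        copy_a = work / "usb" / "records.tar"    # stand-in for a removable drive
        copy_b = work / "cloud" / "records.tar"  # stand-in for synchronised cloud storage
        copy_a.parent.mkdir()
        copy_b.parent.mkdir()
        expected = make_backup(source, copy_a)
        make_backup(source, copy_b)

        # Simulate silent corruption of copy B: overwrite a few bytes of one file's data
        # inside the archive. The tar header checksum does not cover file data, so the
        # archive still extracts cleanly and only the manifest comparison notices.
        with tarfile.open(copy_b, "r") as tar:
            offset = tar.getmember("minutes/2024-01.txt").offset_data
        with copy_b.open("r+b") as handle:
            handle.seek(offset)
            handle.write(b"XXXX")

        return verify_restore(copy_a, expected), verify_restore(copy_b, expected)


if __name__ == "__main__":
    good, damaged = demo()
    print("copy A problems:", good)
    print("copy B problems:", damaged)
```

In practice the manifest would be stored alongside the backup (and a copy kept elsewhere), and the restore test run on a schedule against the real archives rather than a freshly written one.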

Where practical, use enterprise-grade cloud storage

As charitable not-for-profit (NFP) organisations, SLSCs can often access enterprise-grade IT services for free or at a heavily discounted rate. Avoid consumer-grade free storage whose terms of service give the SLSC weaker confidentiality, support and administrative controls than the enterprise or NFP tier of the same product (e.g., a personal Google Drive account rather than the NFP tier of Google Workspace or Microsoft 365). Read the terms before trusting a service with member data.

Regularly review who has access to what devices and SLSC accounts

Apply the principle of least privilege: grant each person only the access they need to complete their role, and only for as long as they hold it.

Consider:

  • Has someone recently exited the SLSC or stepped down from an officer role?
  • Does someone still need access to the SLSC and member details in SurfGuard, the SLSC’s email or banking systems?
  • How does the SLSC monitor and manage what system permissions are granted to which SLS volunteers and staff?

Ensure that passwords are not written down, shared or easy to guess, and are regularly updated

Once a password has been shared, you have effectively lost control of who has access to the password-protected resource. Ensure that a password is not on any ‘most common passwords’ list, and remember that a common password with a season, year or punctuation added to the end (or with letters swapped for similar-looking digits) is still effectively on the list. Regularly update passwords where a system requires it; e.g., SurfGuard will ask you to update your password every 20 days to protect SLS member information. A scheduled change only helps if the new password is not a small variation of the old one, and a password must always be changed immediately if it may have been exposed.
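As an added illustration of the ‘most common passwords’ check (example code, not from the original guidance), the following Python function tests a candidate password against a deny list and also against the trivial variants that people actually produce: different capitalisation, a year or punctuation tacked on the end, and letter-for-digit swaps such as ‘P@ssw0rd’. The list here is a short constructed excerpt; an SLSC would load a published list such as a top-10,000 common-password file and add its own club name, beach and season words. The 12-character minimum is an assumption, not a figure from the guidance.

```python
"""Check a password against a common-password list, including easy variants of entries."""
import re

# Constructed excerpt of a deny list. Assumption: a real deployment loads a full
# published list and adds organisation-specific words (club name, beach, "nippers").
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou",
    "admin", "surfclub", "lifesaver", "nippers", "patrol",
}

# Common "leet" substitutions, undone so that P@ssw0rd collapses to password.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalise(password: str) -> str:
    """Reduce a password to the dictionary word it was probably built from."""
    base = password.lower()
    base = re.sub(r"^[\W_]+", "", base)      # strip leading punctuation: "!!!letmein"
    base = re.sub(r"[\W\d_]+$", "", base)    # strip trailing year/digits/punctuation: "2021!"
    return base.translate(LEET)


def password_problems(password: str, min_length: int = 12) -> list:
    """Return a list of reasons the password is weak; an empty list means it passed."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    else:
        base = normalise(password)
        # Only report a variant when normalising actually produced a listed word.
        if base and base in COMMON_PASSWORDS:
            problems.append(f"trivial variant of common password '{base}'")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2021!", "Welcome1", "123456", "Nippers-Sunrise-Patrol-2024"]:
        print(f"{candidate!r}: {password_problems(candidate) or 'ok'}")
```

The variant check is the part worth keeping: a plain list lookup passes ‘P@ssw0rd2021!’ even though any password-cracking wordlist tries exactly that transformation first.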

Where possible, use ‘named accounts’

Avoid generic accounts named after SLSC roles. A role account is typically shared between whoever holds the role this season and whoever held it last, so its password ends up known to several people, nobody can tell afterwards who actually sent an email or made a change, and a phishing email aimed at the published role address reaches whoever happens to be holding it. A named account ties every action to one person and can be disabled the day that person steps down. For example, use President2020-21@slsc.com.au instead of president@slsc.com.au to identify the SLSC President who requires president access to the SLSC accounts for the 2020/21 season only; the role address can remain as a forwarding alias to the named account so that members still know where to write. This will help secure your SLSC’s ICT resources.

Use unique passwords and secure password management tools

Ensure that the same password is not used for multiple resources, e.g., do not use the same password for the SLSC’s Facebook page and Internet banking; when one service is breached, attackers try the leaked password on every other service that account owner might use. Take the time to explore reputable, secure password management tools; some offer free or discounted plans for businesses and NFP organisations, and they make it practical to use a different, randomly generated password for every SLSC system without anyone having to remember or write it down.

Use multi-factor authentication (MFA) wherever possible

MFA requires a second factor to be presented when logging in as an extra layer of security, so that a stolen or phished password alone is not enough. This can be a code generated by an authentication app, a text message to a mobile phone or a unique, time-limited code sent to an email address. An authentication app or hardware key is the stronger option; a code emailed to the same mailbox the attacker is trying to get into protects nothing. MFA also gives you a warning sign: if you receive an approval prompt or code you did not request, someone has your password, so never approve a prompt you did not trigger, and change that password.

Be aware of what is considered private versus personal information

There are legal obligations to protect the personal information the SLSC collects, covering what is collected, how it is collected and how it is securely stored. Be sure to stay current with the legal privacy obligations for organisations, especially regarding the personal details of children under the age of 18 years, and collect and retain only what the SLSC actually needs. Ensure you are familiar with the Office of the Information Commissioner’s Information Privacy Principles.

Ensure key ICT assets are physically secured

Store the SLSC’s key ICT assets in a locked, climate-stable location. Electronic devices do not tolerate dramatic changes in humidity and temperature and especially do not tolerate salty air. Safe storage protects them from damage and theft, extends their usable life and reduces maintenance costs; a device that walks out of the clubhouse takes whatever member data is on it.

Reinforce that everyone is responsible for IT security

Encourage and educate SLSC members to understand the risk of phishing, how to recognise fraudulent requests, and your SLSC’s ‘Acceptable Use of IT Policy’. If someone accidentally provides their login details to a phishing website, they must immediately change that password everywhere it is used and tell the SLSC’s ICT contact, so that any access the attacker has already gained (open sessions, forwarding rules added to the mailbox) can be found and removed.