NCSC’s Simple Advice: Protecting Yourself from the Effects of Data Breaches

The National Cyber Security Centre (NCSC) and The FSI are working together to help charities protect themselves from cyber attacks. As we approach the end of the year, we would like to provide you with some simple advice to share with your staff, trustees and volunteers to help protect them and your charity from the effects of data breaches.

2018 has been a year of many data breaches, with personal information falling into the hands of criminals. In this blog, we’ll talk about why this matters for your small charity, how staff and volunteers can check if their details have been exposed and what simple steps they can take to minimise the harm that might result.

In the last 12 months, companies including MyFitnessPal; British Airways; Uber; Marriot Hotels; and Carphone Warehouse have reported data breaches affecting millions of UK citizens, with information including names, email addresses, passwords, addresses and bank details affected.

If your personal information falls into the hands of criminals, they may use it to send malicious emails to you, for example trying to get you to click on a link which infects your device with malicious software. Alternatively they may try and access your online accounts such as emails, online shopping accounts, social media or others. If the your staff or volunteers have had their work credentials stolen in a data breach, this could mean an increased risk for your charity.

If you are worried that your personal or work credentials may have been compromised in a data breach, you should first check the advice the affected company is providing to customers. You can also use services such as www.haveibeenpwned.com to check your credentials against lists of compromised data. This will tell you if your private information has ever been made public, and even alert you if it happens in the future.

If you discover that a website you have an account with has been compromised and your personal data may have been stolen, there’s no need to panic, but there are some sensible precautions you can take to minimise the harm that may result from this:

  • Change your password on this website, and on any other account where you have used the same password. For advice on creating and storing passwords, see CyberAware and the NCSC’s advice on password managers.
  • Enable 2-factor authentication if you can, so an attacker cannot log in to your account even if they have your password. See https://www.turnon2fa.com/ for help. However, not all providers offer this service.
  • Be on guard for emails that could be using your stolen information to appear more convincing, and which try to get you to click on a link, provide personal details or open an attachment that may contain malicious content. See https://www.ncsc.gov.uk/guidance/phishing-threat-following-data-breaches
  • If you spot a suspicious email, flag it as Spam/Junk in your email inbox. This will take it out of your inbox, and will also tell your email provider you’ve identified it as potentially unsafe. Report suspicious emails, phone calls or SMS messages to Action Fraud.

You can read The NCSC’s quick, simple, free or low costs steps to protect your small charity by visiting www.ncsc.gov.uk/charity or attending one of sessions at The FSI’s regional training events or conferences.