Multi-factor authentication no longer a ‘silver bullet’ for digital security, charities warned

Multi-factor authentication is not the “silver bullet” for a charity’s digital security that it used to be, a cybersecurity expert has warned.

Speaking during a panel discussion at the Charity Finance Group conference in central London last week, Paul Salter, senior information security consultant at the IT company Smartdesc, said charities needed to find more complex solutions to protect themselves, as MFA was being bypassed more easily.

Salter said cybersecurity was an organisational problem rather than an IT issue, and that responsibility lay with trustees.

“I used to sit here and say MFA is a silver bullet that will solve everything and if you have MFA in place, your accounts won’t get compromised,” Salter said.

“That used to be true, it’s not true anymore and the last three incidents I’ve seen have all had successful authentication through MFA.”

Panellists at the session said ransomware, business email compromise and phishing remained the greatest risks to charities’ cybersecurity.

Steve Cross, group technical director at PIB Insurance Brokers, said charities could utilise “brilliant” free educational programmes provided by the National Cyber Security Centre to protect themselves from these risks.

“Charities should make these programmes a mandatory part of employee training at every level, ideally twice a year,” Cross said. “Certainly for new starters in their first 12-week induction programme, because they are going to be some of the brute force that’s going to stop some of these attacks.

“When I think of one of the most significant attempted attacks on PIB, we were able to foil them because of a good trainer that we had deployed, which cost us nothing.”

Harley Morlet, director of the cybersecurity consultancy Storm Guidance, said charities should focus on controls when deciding where to direct their time, money and attention.

“There are a small subset of controls every business should have in place, no matter the size, whether you’re a small SME, major or multinational,” Morlet said.

“These controls are standard and the only thing that changes is the scale on which you implement them.”

Morlet said there is a list of 12 questions charities should cover when working on improving their cybersecurity, including having effective backups, two-factor authentication and disaster recovery plans.

“I’ve spoken to several organisations that say 12 questions is too much for them,” Morlet said.

“In response to that I say let’s take a step back and just make sure you’ve got these very obvious things in place.

“If you are explaining to the Information Commissioner’s Office that you’ve had an incident and you don’t have them in place, it will look very negatively towards you.”
