Websites are essential in todays digital led world and for charities.

They have become a portal for supporters to keep up to date with what is going on, obtain donations but also communicate with those that need help. And all of the data that websites generate is precisely what cyber criminals want, and the website is an obvious starting point.

What could a cyber criminal do if they attack a website?

• Steal data entered by users of the website. This could be login details, sensitive details from enquiry forms or payment details.
• Change the content. This could be changing telephone numbers to redirect legitimate donors or cause distress by putting inappropriate content on there.
• Upload a virus. If you have a portal which allows uploads, then you could be allowing files with malicious content to be sent to your server which then could infect your system. A ransomware attack on your server could stop your charity from being able to function and then you have the question of whether to pay or not.

Common issues with websites

1. Weak passwords so criminals just log in to your systems. If you want to know more about what a weak or strong password is, take a look at our short video.
2. Your website isn’t updated with the latest security patches – criminals know when security patches are released and will look for those sites which haven’t been updated and therefore have a known security issue that they can exploit.
3. Your website is vulnerable to SQL injection attacks – this is a technique where a criminal places malicious code into SQL statements via web page inputs and could potentially destroy your database!
4. Your website is vulnerable to XSS (Cross-site scripting) attacks – this is where the criminal compromises the interactions that users have with your website or application.
5. Your website has insecure direct object references – this is part of access control implementation mistakes which can lead to access controls being circumvented and a criminal able to access someone else’s data.

What can you do?

• Speak to your website developer and ensure that security is at the heart of what they build for you.
• Get a vulnerability assessment. The ECRC offers affordable web application vulnerability assessments. We work with university students who are trained and mentored to carry out the testing and provided you with a detailed report, but explained in plain English, so you understand what the risks are and what you need to do to fix them. Find out more here.
• Make sure everyone involved in your website is using strong passwords and MFA when available.
• Update your website, including all those little plugins, as soon as possible when a new release comes out. Most sites will have auto-update functionality so unless advised otherwise, use it so you don’t have to worry about.

Further Guidance and Support

The ECRC is a police-led, not for profit organisation which companies can join for free.

Our free membership provides:

• Threat alerts both regionally and nationally
• Signposting to free tools and resources from both Policing and the NCSC
• Little steps programme – series of weekly emails which aligns to cyber essentials looking at bite-sized practical information to build cyber resilience
• Discussion area to meet and discuss other companies

We're here to help - join us today.