Many charities – no matter their cause or size – will have likely been using technology more since the coronavirus outbreak. From the cloud services used to store important data to the devices allowing people to connect with one another, moving operations online has been part of the solution to managing these challenging times.
But with this increased digital reliance comes additional cyber security risk. Charities can look like attractive targets for cybercriminals because of the data they hold and the significant money they raise. The Department for Digital, Culture, Media and Sport’s Cyber Breaches Survey 2020 found that the number of charities reporting a cyber security breach or attack has risen, with 26% now reporting an incident annually, up from 19% in 2018.
However, with some straightforward cyber security protections in place, charities can significantly reduce their chances of falling victim to cybercrime, saving themselves from lost income, reputational damage and missed productivity.
A common myth around cyber security is that it is a technical subject that only IT staff must deal with. But it is about managing risks appropriately – including financial risks – and using technical expertise to make informed decisions.
Trustees have a central role as they are accountable for putting risk management strategies in place. That’s why the NCSC developed its free Board Toolkit resource, which sets out structured questions trustees should ask their technical staff, such as:
• What cyber security measures do we have in place?
• What assets do we care most about?
• What technical controls might be needed?
• How can we effectively test our defences?
While the guidance is designed for board members, charity finance teams are encouraged to embed this structure into their own work. When staff across all departments take the same approach to managing online risks, the organisation benefits from an increasingly positive cyber security culture.
One of the key recommendations is to practise your charity’s response to a cyber incident. The NCSC’s free cyber exercising tool Exercise in a Box is designed to help with that, by facilitating quick and practical sessions where staff can safely test their responses to different scenarios. These include dealing with ransomware attacks, responding while working from home, and losing devices such as laptops.
While decision-makers and IT staff should lead these sessions, it’s important that all relevant staff members participate. Finance teams are often involved with recovery after a cyber incident, so it’s better that they are prepared for the role through exercising.
One cyber security decision which often falls to finance professionals is purchasing cyber insurance. While cover can’t stop a cyberattack, some organisations might find that it helps with managing costs after the fact. The NCSC recently published eight key questions for decision-makers to consider when weighing up whether to get cyber insurance.
Staff as first line of defence
Improving cyber security is not something that should be looked at in isolation. Cyber incidents can impact the operations and business of the whole organisation, so everyone should play a part in boosting their charity’s cyber resilience – everyone is more tech-savvy than they realise.
For instance, most people will have come across an email which makes them suspicious that it’s a scam (known in cyber circles as a phishing attack). It’s not unusual to see phishing attacks – in fact, in the DCMS survey, 85% of charities identified having suffered a phishing attack in the past year.
It is essential that staff and volunteers know how to deal with this threat and are encouraged to report. Employees can be an effective first line of defence if helped to spot phishing messages and shown how to report them internally – even while working from home. They can also report emails to the NCSC’s Suspicious Email Reporting Service. By simply forwarding to [email protected], staff can check emails for malicious content and take action against scams if found.
Avoiding phishing attacks is one of the key areas covered by our free Top Tips for Staff e-learning package, which provides a baseline understanding of good cyber hygiene behaviours to adopt. This online resource focuses on everyday business, such as using strong passwords and securing devices.
Larger organisations might tend to have more resources to spend on cyber security defences, but that doesn’t mean that smaller charities have to lose out. The NCSC’s Small Charity Guide offers tailored advice for these organisations, helping them to strengthen their defences at low cost, and the Top Tips for Staff package is designed to be accessible to all.
The NCSC is committed to supporting charities to strengthen their security practices and enhance preparedness for cyber incidents. While cybercrime remains a perennial threat, charities can significantly boost their resilience by ensuring they have a practised cyber incident response and stay alert to common attacks. This is something all staff should play a part in – including finance professionals.
Sarah Lyons is deputy director for economy and society engagement at the National Cyber Security Centre