The issue of cybersecurity is one that is often shrouded in technical terms such as "attack vectors", "malware", and "ransomware", and too often the emphasis is placed on IT systems and technical solutions. However, a recent ICO fine demonstrates that it's not always the technical systems that let you down - there are also some very simple steps you can take to check and improve compliance that don't involve specialist knowledge.
Risk assess your cybersecurity
This doesn't have to be complicated or overly technical, but the trustees should, as a minimum, understand what risks exist, the steps being taken to mitigate those risks, and how severe the risk is in terms of likelihood and consequence. Some risks will be applicable to all organisations, such as the risk that a malicious individual gains unauthorised access to your systems. Others might be specific to your charity - such as the risks of individuals working from home, or access to information by volunteers.
Are you updating software regularly?
Although updates can be annoying, they generally fix known issues with a product that left un-uploaded, can lead to a weakness in your systems. It's therefore important to ensure that all systems are updated when updates are released, and that you have in place systems to check this.
Are all your systems currently supported?
Once an application or piece of software gets to a certain age, the developer will no longer review and update it, leaving any issues open and ready to be exploited. You will be warned well in advance when "support" is coming to an end, and that's a good time to review the risks involved in not upgrading.
Training for staff
If you suffer a data breach, one of the key questions asked by the ICO is whether the individuals involved have been trained. Its therefore important to not only provide relevant training for all individuals who work with personal data, but also to record the content of the training, who has received it, and how you follow up with those who don't attend.
How do you investigate an issue?
One of the weaknesses in the recent case was around ineffective investigations which either were not followed up, or were not sufficiently detailed to identify an issue. In larger charities, it can help to have a plan for what happens in the event of a cyberattack or data breach so that you know who is responsible for what aspects, but always remember that a policy can be flexible and doesn't need to be adhered to strictly if it would be more practical to do something else in a particular situation.
Access controls
Again, this is a relatively simple method of protecting systems, that can have a huge impact in the event of an issue. If you restrict access to your systems to those who need to have access, then if one individual is compromised, you potentially limit the scope of any unauthorised access. This applies to individual controls, but it is also worth investigating how different parts of your system talk to one another and are linked, so that if one system is attacked, you know which other systems might also be affected.
Checks and policies
Finally, it's a good idea to check/review your risk assessments and policies on a regular basis to make sure that you are complying with them, and to update where necessary. The company that were recently fined had excellent policies in place - they just weren't following them! It's also a good idea to test your systems so that you can spot weaknesses before someone else does.
Cybersecurity is an ever-changing landscape as we utilise more technology and new threats emerge. Whilst there is definitely a technical aspect to protecting your data, there are some smaller steps that charities can take that don't require specialist knowledge, but will provide some mitigation in the event of an issue arising.
Vicki Bowles is a data protection partner at VWV
Related Articles
