In support of Charity Fraud Awareness Week 2021, this blog by NPC’s Chief Operating Officer, Sarah Broad, details five steps trustees and charity leaders can take to protect their charity’s cyber security. #StopCharityFraud
As trustees and leaders of charities, we accept responsibility for managing risk, both the day to day inherent risks and those low-likelihood risks that could have a massive impact. Two years ago, a global pandemic was just a theoretical, low-likelihood, high-impact scenario on a business continuity plan. Well, thanks to covid, we’ve lived through a live test of that plan and undoubtedly learned some lessons along the way. So, what’s the next low-likelihood, high-impact scenario on your charity’s list? Here at NPC, it’s a cyber-attack that prevents us from accessing our core systems and data for an extended period.
The threat of cybercrime has never been more present, exacerbated by criminals keen to take advantage of new home-based or hybrid working arrangements being trialled by many charities. According to a recent government survey, 26% of all charities and 51% of charities with income over £0.5m reported cyber security breaches or attacks, with 40% of these reporting a resulting negative impact such as lost money or data, wider business disruption, and the diversion of valuable staff time. Of course, that’s just the known attacks. The actual number is likely to be much higher.
At NPC we have less than 50 staff, operate on a tight budget and, like many charities, our operations team have other responsibilities besides cyber security. Responsibility for mitigating the risk of cybercrime is scary, especially for non-specialists, and it can be tempting to adopt a belt and braces approach. But this could mean diverting scarce resource away from other vital activities. So, how do trustees and leaders assess the risk associated with cybercrime and agree those initiatives that are most likely to achieve the biggest impact?
Or, in a nod to Harry Potter, what is our ‘defence against the dark arts’?
1. Use readily available resources to help with the technical stuff
Firstly, cybercrime is complex. An IT team, let alone a dedicated cyber security specialist, is beyond reach for many charities. Luckily, free or low-cost materials exist that are designed specifically to help small and medium-sized organisations. One good, plain English example is the National Cyber Security Centre’s (NCSC) Small Business Guide on how to improve your cyber security. Almost all banks, insurance companies and IT service providers run regular, free briefing sessions for customers and are open to requests for in-house board and staff webinars too.
2. Put it on the board’s agenda
According to the Department for Digital, Culture, Media and Sport, only 27% of charities have a business continuity plan that covers cyber security, and only 23% have cyber security policies that cover home working and the use of personal devices (remember, according to a recent survey, a majority of charities with income over £0.5m reported cyber security breaches or attacks). In our report Above and beyond in trusteeship, NPC noted that charities often need the support of their trustees in order to take a bold approach in times of change—something that requires strong leadership and a solid confidence in governance. Managing cyber security risk doesn’t need to be a complex, technical exercise. NCSC has a Board Toolkit with questions designed to help non-specialist trustees and leaders work with their IT provider, in-house or outsourced, to better understand current practice and make informed, risk-based decisions about where to deploy available resources.
3. People first
People is one of the four essential pillars for success identified in NPC’s What makes a good charity report. Creating a culture of awareness amongst staff and volunteers requires little technical expertise and is an effective way to mitigate the risk of inadvertently engaging with cyber criminals. For example, encourage people to think twice before clicking on an unfamiliar website link sent via email, to check who the message really came from, and to report anything suspicious rather than ignore it. Charities of all sizes can make use of free training materials and incorporate these into induction and training plans. The NCSC provides a cyber security training package that can be used on its own or incorporated into an organisation’s own training platform. Action Fraud provides short guides on how to protect your business from fraud.
4. Communicate little and often
Awareness training is important but, realistically, how much information do we retain from one session? Keeping cyber security front of mind with small but frequent reminders to staff and volunteers, using a range of communication channels, requires little technical expertise and resource. Examples might include posters around the office, bite-sized refreshers at staff meetings or in newsletters, and sharing tips and tricks on the intranet. Again, there are several free resources available to help you here, such as the Information Commissioner’s Office privacy toolkit for charities and the Fraud Advisory Panel’s supporters pack.
5. Set and work towards a clear goal
Achieving best practice on cyber security may not be within reach for some charities today, but the Cyber Essentials readiness toolkit can help trustees and charity leaders define a work plan against which they can monitor progress towards a clear and externally recognised goal. Cyber Essentials is a government-backed certification scheme built around five basic technical controls (firewalls, secure configuration, user access control, malware protection and keeping software up to date). It can be used by charities of all sizes to provide assurance to donors, trustees, staff and other stakeholders that your charity has achieved a recognised standard on cyber security; the basic level is a self-assessment, while Cyber Essentials Plus adds independent technical verification. Indeed, some government contracts require this certification.
We hope these tips encourage trustees and leaders of charities of all sizes to evaluate the risk associated with cybercrime and to develop their own ‘defence against the dark arts.’ Here at NPC, we’re learning too. We’d love to hear from others about their experiences and those initiatives they believe are most likely to achieve the biggest impact.