We explore how charities can strengthen their cyber security while working with volunteers, with help from the National Cyber Security Centre
NCSC cyber security training for charities
More than one in ten people in the UK volunteer for a charity. Their work allows charities to deliver more services, reach more people, and raise more money for their mission, becoming advocates for a cause as well as actively contributing to it.
But working with volunteers can also add extra cyber security risks. Depending on the nature of their work, volunteers may be provided with access to your online systems, which are home to valuable data. Volunteers are more likely to access these systems using their own devices, meaning they are potentially not covered by the same level of cyber security as devices looked after by a charity’s own IT department.
Volunteers also may be less able to spot cyber security attacks if they are less familiar with working online or more used to giving away data in return for a service. Research has found that both younger and older age groups are more vulnerable to cyber attacks, but for different reasons. Younger age groups tend to be more relaxed with technology and therefore are more likely to divulge data more easily. Older age groups, on the other hand, are likely to be less experienced with digital and therefore less familiar with cyber breach tactics. But staying safe online is a key part of digital inclusion, making sure everyone can safely access the internet when, where, and how they need to.
In order to address this challenge, charities can raise their volunteers’ awareness of cyber security and the most common cyber threats they may experience online. Whether their understanding of technology is second nature or entirely new, making volunteers aware of the tactics cyber criminals use and how to prevent them from accessing your charity’s sensitive information is crucial.
Below, we explore how charities can maintain their cyber security by empowering their volunteers, with help from the National Cyber Security Centre (NCSC) and its wealth of free resources.
Cyber attacks can occur wherever a charity connects to the internet, including through banking services, donation platforms, and cloud services. One of the best ways to prevent cyber attacks, or to mitigate the effects should one occur, is to become familiar with how they happen.
The NCSC is home to a range of free resources that charities can use to educate themselves about the risks of a cyber attack to empower them to make the right choices and better support volunteers.
The Small Charity Guide is a short guide to help charities improve their cyber security, quickly, easily, and at low cost. It includes chapters on how to back up data, how to keep smartphones and tablets safe, and best practice for creating passwords. It also has a handy infographic summary to help readers digest the information more easily and a glossary of terms to demystify any cyber security jargon that might otherwise seem daunting.
The Cyber Threat Report: UK Charity Sector aims to help charities understand current cyber threats, the extent to which the sector is being affected, and where charities can go for help. The report outlines who might target charities, why the sector is vulnerable, and much more.
Not only does the report set out the facts around cyber security in the charity sector (30% of charities identified a cyber attack between 2021 and 2022), it also signposts readers to guidance to suit charities of all sizes. It forms a one-stop shop for charities to find more information in a variety of formats, including webinars run in partnership with Charity Digital.
Anyone can be the target of a cyber attack and anyone can miss the signs of one. It is important not to play a blame game but to make volunteers aware of the protocols should they suspect they’ve clicked on a suspicious link or downloaded a suspicious attachment from an email. Reporting such an event quickly to the person who looks after their IT can allow charities to minimise the impacts (for example, disconnecting from the internet, changing passwords) and have a clearer idea of the damage done.
Charities should also consider offering their volunteers cyber security training in order to help them identify potential cyber breaches. A third of charities that said they had a positive change in attitude or behaviour towards cyber security after the pandemic said it was due to receiving more training, according to research from Charity Digital and the NCSC. However, two thirds of volunteers said they hadn’t received cyber security training when asked.
Training doesn’t have to be costly. The NCSC has a bank of free information for small and medium-sized charities, including training for staff and volunteers, and its Exercise in a Box toolkit, which provides realistic scenarios to help organisations practise and refine their response to cyber security incidents in a safe and private environment.
For more in-depth training, the NCSC also has an NCSC Certified Training Scheme, which is designed to assure high quality cyber security training courses. You can find a list of courses and providers to suit your needs here.
Charities are more likely than other organisations to rely on staff using their personal IT devices, which are less easy to secure and manage than centrally issued IT, according to the NCSC’s Cyber Threat report. Research has shown that 64% of charities report their staff regularly using their own devices, compared to 45% of businesses.
The NCSC recommends implementing a Bring Your Own Device (BYOD) policy to manage what volunteers are accessing on their own devices. Charities should start by establishing their policy’s goals, such as what tasks volunteers will be permitted to perform using their own devices and what services, programs, or apps will be used (e.g. users can look at emails on their phone with access to Microsoft Outlook).
Limiting volunteers’ access to only what they need is also known as Access Control, which is one of the five core controls set out in the Cyber Essentials certification scheme to protect charities against the most common cyber attacks. Access control means that, by creating accounts with different levels of access, charities can limit the damage from a potential breach arising from any user.
Charities should also ensure that their volunteers’ devices and their operating systems and software are patched and up-to-date before connecting them to their network. Software updates fix bugs which cyber criminals could otherwise exploit to access your systems and data. In a BYOD policy, the devices that have access to your systems should be reviewed regularly and when volunteers leave, all access to your systems should be revoked.
No one expects volunteers to become cyber security experts in your organisation, but an understanding of cyber threats can go a long way to preventing them from occurring. Everyone within a charity has a stake in looking after its cyber security and, with clear training and policies in place, everyone can be in control of staying secure online.