Well-informed leaders are key to building the strong culture of cyber security that could make your charity more resilient to attacks
The common misconception that cyber security is the sole responsibility of IT teams and technical experts persists across many organisations - including in the charity sector. This attitude can actually be a major contributory factor to an organisation’s failure to properly prepare for or mitigate a cyber attack.
Cyber security is actually a risk like any other that should be owned by everyone in the organisation and managed by the board. That is why the National Cyber Security Centre (NCSC) produced the Cyber Security: Small Charity Guide to help you take some simple, low-cost actions to improve your resilience.
It is the responsibility of everyone within an organisation to take small actions to ensure their role is protected. Any security system is only as strong as its weakest link.
In order for an organisation to adopt this mindset and build a secure culture, charity leaders will need to emphasise the importance of cyber security. This must start with the board.
That’s why the NCSC has also created the Board Toolkit, to help leadership teams in organisations to take a methodical approach to cyber security and lead from the top. We’ve picked out three elements from the Board Toolkit to provide an overview of how to approach the issue.
Charity leaders should consider what is most valuable to their organisation.
We like to call these elements the ‘crown jewels’. Essentially, they are the things you simply couldn’t function without.
These might include bulk personal data for your beneficiaries and supporters; your public-facing website; intellectual property (particularly if you are a research charity); or banking and payment systems.
Once your organisation has defined its objectives and crown jewels, your experts can begin identifying which parts of your IT estate are critical to delivering them, and can prioritise protecting those assets. For example: securing your beneficiary database; keeping your website available so supporters can engage with you easily; and making payment processing systems resilient so the public can donate to you securely.
Your charity should start by establishing a good cyber security baseline.
Attackers often use common methods to attack a network. A lot of these methods can be mitigated by implementing basic cyber security controls.
The NCSC’s 10 Steps to Cyber Security is a good framework for your experts to measure your cyber security against and identify where there are gaps.
As a trustee or senior leader, you might want to ask your experts, “as an organisation, how do we defend against phishing attacks?” You should hear back something along the lines of:
The Board Toolkit includes a series of questions and responses of this type that you can use to start a conversation with your experts on a variety of topics.
Establishing and maintaining a healthy culture, in any part of the organisation, is about putting people at the heart of structures and policies.
Charity leaders should encourage a ‘just culture’, which will enable the organisation to have the best possible dialogue with staff and volunteers about cyber security. People are encouraged to speak up and report concerns; appropriate action is then taken to remedy the situation; and nobody seeks to assign blame. This allows your staff and volunteers to focus on bringing the most benefit to the organisation rather than on protecting themselves.
The Board Toolkit demonstrates that cyber security is not solely a technical issue; it is about good governance and understanding how risks are managed in your charity. We would encourage all leadership teams to make use of the Board Toolkit, and if you have any feedback please get in touch with the NCSC.