We look at some of the simple ways your team can remain engaged, educated, and enthusiastic about enforcing cyber security.
Your staff may be motivated to work for your charity for a wide variety of reasons, but the desire to thwart cyber criminals probably isn’t one of them. That’s a problem because, like it or not, thwarting cyber criminals has to be a key part of their jobs – and one that they think about every day.
There are many existing cyber security threats and new ones are expected to emerge in 2021, so a failure to take them seriously will inevitably lead to damaging cyber security incidents.
These could initially appear to be minor, such as a hacker gaining access to a staff member’s email account. But even a seemingly minor security breach can have major consequences, such as enabling a hacker to gain access to more critical computer systems and steal confidential data.
Serious cyber security breaches can lead to huge damage to your charity’s reputation, along with huge remediation costs, and, ultimately, they can threaten your charity’s continued existence.
That means it is important that your team is aware of threats to cyber security. Here are some key tips to get your staff invested so that they can play their part in keeping your charity safe.
If your staff understand that the threat from cyber criminals is real, they are much more likely to become invested in the effort to keep them at bay. So give staff some examples of cyber security breaches suffered by charities or other organisations of a similar size to your own.
This should not be hard, as organisations, including charities of all sizes, are regularly breached. Over a quarter of all charities experienced cyber security breaches of some form, according to the government’s 2020 Cyber Security Breaches Survey. About a fifth of charities reported that they had faced cyber-attacks every week.
The message that the threat of cyber-attacks is real can be reinforced by explaining to your team what impact a security breach would have on your charity’s activities, the people it aims to help, and even staff members themselves.
A ransomware attack, for example, could lock your charity out of its data for several days or weeks, until it can be restored from backups. During this time the charity may be unable to contact constituents, fundraising activities might be forced to cease, and in some cases service delivery may be partially or completely interrupted.
Staff may believe that cyber security is handled solely by the IT department and by anti-virus features of endpoint security software, such as Bitdefender GravityZone. But it is important that staff know that this software, along with other cyber security systems such as firewalls and VPNs, can’t prevent every type of cyber security threat.
In particular, it is important that your team understands that, according to the EU Agency for Cybersecurity, the biggest cause of cyber security breaches is staff members unwittingly clicking on malicious links in phishing emails, which can lead to ransomware and other malware infecting computer systems.
Team members could be forgiven for being scared by all the information that they have been given about cyber threats and for being worried that they might unwittingly cause a disaster.
That’s why it’s important to reassure staff that there are simple steps they can take to prevent cyber crime and that they will receive all the training they need to enable them to do their part in keeping the charity safe.
Many people are far more engaged with training if they see that they personally can benefit from what they learn. For that reason, it is sensible to include tips about how team members can keep their own data safe, as well as how they can keep the charity’s data safe.
New recruits to a charity team usually start with onboarding and induction. This is the ideal stage to introduce cyber security awareness and training. By starting at the point when an employee joins your charity, security becomes an integral part of working for the charity.
Cyber security becomes, in other words, part of your charity’s culture, and this is exactly what you should aim towards. Don’t forget that training shouldn’t be a one-off event: you need to hold regular cyber security sessions to keep security firmly in team members’ minds and to introduce new information as new threats emerge.
It’s all very well training team members to use long, complex passwords, but in practice these types of passwords are not easy to use. As long as that’s the case, it will always be tempting to use a simple password like “password1234”.
By providing staff with a cyber security tool such as a password manager, which can make it easy to use complex passwords, you are much more likely to get them into the habit of using such passwords.
One of the most effective ways of encouraging team members to be invested in cyber security is to reward them for their interest. So, for example, provide rewards when staff members take cyber security training courses, detect phishing emails, or volunteer to become “cyber security advocates”.
The reward could come in the form of a pay bonus or extra paid leave, or it could be recognised less formally in your staff newsletter or other internal communications.