This article is sponsored by CoopSys – providing data security services, advice and audits for the UK charity sector since 1987.
With all the competing time and budget demands on charities, cyber security is something that’s often not approached very proactively. This is ironic when you consider the vulnerable nature of a lot of charity service users and the sensitive nature of the data they process. If charities want to meet the Charity Commission’s core responsibilities around cyber security for charities, they can’t afford to leave it to chance or shift all responsibility to someone external – it’s a charity’s trustees and leaders who are culpable if the worst should happen (and it happens more often than it should), so it’s their job to have at least a basic understanding of the vulnerabilities their charities face.

Fortunately, there are a number of easy-to-digest and low-cost resources on the web where charities can brush up on their knowledge. We’ve listed the main hubs of cyber security information for charities below.

NCSC - Cyber security small charities guide
The National Cyber Security Centre (NCSC), part of national security centre GCHQ, provides advice and support for the public and private sector on avoiding data security threats – they are your go-to source for plain English cyber security information. Their guide specifically for small charities summarises low-cost, simple techniques to improve cyber security within charities, and is available as a handy PDF guide to download, as well as an infographic with just the main points – worth printing and sticking to the wall!

NCSC – 10 steps to cyber security
The NCSC’s ‘10 steps to cyber security’ are not charity-specific but aimed at the boards of all organisations. The government-issued information on this website revolves around ten key steps to a sound security strategy, such as configuring your systems and networks securely, managing user privileges, educating staff, using the right malware protection, and ensuring data is protected when out and about.
There is a high-level PDF as well as more in-depth technical advice sheets on each step, and the site provides a good overview of why protecting your data is a board-level responsibility.

NCSC – Cyber Essentials
Following on from the ‘ten steps’, the government’s Cyber Essentials scheme offers practical, step-by-step advice on what basic controls to put in place to protect your data, jargon-free and on a single webpage – there is also a handy checklist at the end to check your progress. Organisations can apply to be Cyber Essentials certified, working at a pace to suit them, providing certainty to potential partners and service users that their IT is suitably secure (certification is audited every 12 months by the NCSC and costs £300).

NCSC video portal
Aimed at small organisations looking for a brief overview of the main points of the Cyber Essentials, the NCSC’s video series introduces the five quick and easy steps to data security that your trustee can digest in under a minute each, with some further reading.

DCMS Cyber security among charities report
The extensive research report by the DCMS (Department for Digital, Culture, Media and Sport) into cyber security in the UK charity sector is well worth a read. It looks at awareness and attitudes to data protection, barriers to improvement for smaller charities and case studies. But probably the most pertinent section for trustees looks at the repercussions of not resolving data security issues, with charities relaying stories of real hacks that caused real financial and reputational damage.

Get Safe Online
Much of the government’s Get Safe Online website is aimed at the general public, but its business section includes a large number of comprehensive explanatory overviews on many aspects of data security, and a jargon-buster section for breaking down many of the terms.
It includes a wealth of information in one place and in plain English, on the main regulations, different types of security attacks and risks, types of scams and attacks, hardware and software information, and a section on guidelines for charities with an overview of the specific responsibilities and risks, and what to do if you’re a victim of fraud.

Charity Digital Exchange
Charity Digital’s Charity Digital Exchange software donation programme has been helping charities save money on essential software for more than 18 years. Registered charities can receive as much as 96% off the retail price of software, including popular security tools from Bitdefender and Symantec, and data back-up suite Veritas. It also helps charities to access cloud-based software such as Office 365 and Google’s G Suite, which offer cloud-based data storage and document management. These tools meet the NCSC’s guidance for robust data security.

NCVO training events
The NCVO provides specific training and guidelines for charities around cyber security and regulation for those who want to undertake more in-depth face-to-face learning – go to its website to see the latest courses.

Charities Security Forum
Formed in 2007, the Charities Security Forum represents over 400 charities across the UK including many household names. Stay updated on the latest issues in data security relating to the charity sector, and network with and learn from others.

IASME
The IASME governance standard was created during a government-funded project to create a cyber security standard easily affordable to smaller organisations, and as a more achievable alternative to the international ISO27001 standard. IASME assesses and certifies organisations against two standards at both the self-assessment and audited levels, with specific certifications in Cyber Essentials for the health and social sector and certifications in GDPR.
You can also download a free copy of the standard on their website which is aimed at helping organisations understand their risk profile in detail and see the typical test that you’ll need to pass to be certified.