We share the questions that trustees need to ask to stay on top of their charity’s cyber security
Trustees act as board members and play a very important role in governing the charities they support. The role comes with significant responsibilities, not least of which is ensuring the charity they represent manages their risks around cyber security to a good standard.
Cyber security is, of course, a highly specialised area that is also very high profile. Many trustees do not have professional cyber security experience, so how do they ensure their charities are conforming to best practice, investing in the right areas, and making best use of technologies at their disposal?
In this article from IASME (the National Cyber Security Centre’s (NCSC) delivery partner for the Cyber Essentials scheme) and Smartdesc (a specialist IT Services Provider for non-profits), we share practical advice for trustees on what questions to raise with their Boards and explore how the core standards of the Cyber Essentials framework can be applied in your organisation.
It is not so much that a criminal would deliberately attack a specific charity (although they might), it is that they randomly attack many thousands of organisations in one go, with no regard to who they are.
Cyber criminals use readily available tools that require next to no skill and work by tricking people to give away their security credentials or by finding weak spots in their IT systems to gain access.
If your charity uses digital technology, you are a potential victim of cyber crime. A good cyber security posture is often as simple as getting the basics right, to make you less attractive than the next organisation; attackers will always go for the lowest hanging fruit.
Cyber security is everyone’s responsibility, including Trustees. If you are lucky enough to have internal IT resource, they cannot be expected to be experts in everything.
A cyber security incident will affect the whole organisation - not just the IT department. It may impact or halt your services, damage your reputation and contractual relationships, put sensitive client and donor information in the public domain and result in legal or regulatory action.
Regardless of who is taking care of the IT, if something went badly wrong, the responsibility for the cyber security controls, the passwords, the accounts, and the potential data breach would lie with the senior management.
Trustees themselves don’t need to be technical experts, but you should be having constructive discussions with key staff to ensure you are confident that cyber risk is being appropriately managed.
If this is an area that you feel very uncertain about, could you introduce an IT consultant or cyber security professional to review your organisation’s cyber maturity? This would ensure that your charity is being proactive in aligning to industry standards, and is often done on an annual basis.
1. Are you and any remote or home workers and contractors accessing your organisation’s network and data in a secure way?
To help tackle this, you could create a Bring Your Own Device policy for all remote/home workers.
Share a comprehensive password policy with all employees, volunteers, contractors, and trustees.
Enable multi-factor authentication for all accounts accessible over the internet. Implementing multi-factor authentication will prevent hackers from gaining access to your accounts even if your password is guessed or stolen.
Ensure all staff use a standard user account to carry out their normal day-to-day work. Staff using admin accounts for everyday tasks is a common facilitator for a cyber breach. An attacker will have the same privileges as the account you are logged in as, and if that is an admin account, they will be able to perform actions such as installing malicious software, deleting files, and accessing sensitive data. For this reason, administrative accounts must be restricted, kept track of, and not used to carry out everyday tasks.
Check that all accounts and apps that are not being used are removed. If certain software is not needed, removing it from your devices reduces the risk of there being a vulnerability that can be exploited by cyber criminals.
2. Does your charity regularly back up all its essential data? This is the best way to limit the effects of a ransomware attack.
Do you keep your back-ups in a different location from your network and systems, with one back up kept off site?
Do you know how to restore files from the backup and test that your back up system is working?
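The two backup questions above can be answered with a regular restore drill rather than an assumption. The script below is an added example, not part of the IASME/Smartdesc article: it copies a small constructed data set to a "backup" location together with a SHA-256 manifest, restores it into a fresh directory, and checks every restored file against the manifest. The directory names, file contents and the `run_drill` helper are all assumptions made for the demo; a real drill would point `source` at live data and `backup_root` at the off-site copy.

```python
"""Added example (not from the article): a minimal backup-and-restore drill.

Copies a set of files to a backup location, restores them into a fresh
directory, and verifies each restored file against a SHA-256 digest taken
from the original. The data set is constructed inline for the demo.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file's path relative to root to its digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, backup_root: Path) -> Path:
    """Copy the source tree to backup_root and record a manifest beside it."""
    dest = backup_root / "backup"
    shutil.copytree(source, dest)
    lines = [f"{digest}  {name}" for name, digest in manifest(source).items()]
    (backup_root / "MANIFEST.sha256").write_text("\n".join(lines) + "\n")
    return dest


def restore_and_verify(backup_root: Path, restore_dir: Path) -> list:
    """Restore the backup into restore_dir and return a list of problems.

    An empty list means every file in the manifest came back with the
    expected digest. Missing and unexpected files are reported as well.
    """
    shutil.copytree(backup_root / "backup", restore_dir)
    expected = {}
    for line in (backup_root / "MANIFEST.sha256").read_text().splitlines():
        digest, name = line.split("  ", 1)
        expected[name] = digest
    actual = manifest(restore_dir)
    problems = []
    for name, digest in expected.items():
        if name not in actual:
            problems.append(f"missing: {name}")
        elif actual[name] != digest:
            problems.append(f"corrupt: {name}")
    for name in actual.keys() - expected.keys():
        problems.append(f"unexpected: {name}")
    return problems


def run_drill(corrupt: bool = False) -> list:
    """Build a throw-away data set, back it up, restore it, and report.

    With corrupt=True one byte of the backup copy is altered before the
    restore, to show that the check really catches a bad backup.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "data"                      # constructed sample data
        (source / "donors").mkdir(parents=True)
        (source / "donors" / "list.csv").write_text("name,amount\nA. Donor,25\n")
        (source / "policy.txt").write_text("Password policy v1\n")
        backup_root = tmp / "offsite"              # stands in for the off-site copy
        backup_root.mkdir()
        backup = make_backup(source, backup_root)
        if corrupt:
            target = backup / "donors" / "list.csv"
            target.write_bytes(target.read_bytes()[:-1] + b"X")
        return restore_and_verify(backup_root, tmp / "restored")


if __name__ == "__main__":
    print("clean drill:", run_drill() or "all files restored and verified")
    print("corrupted backup:", run_drill(corrupt=True))
```

The point of the corrupt run is that a backup job reporting "success" says nothing about whether the data can be read back; only the restore plus the digest comparison does.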
3. If your charity uses cloud services, do you understand the shared responsibility model?
This means that for some security controls, it is the cloud service that is responsible for implementation whereas for other features, it is the user organisation.
Who implements which controls will vary depending on the design of the cloud service being subscribed to. Do not assume your service is secure, be diligent about checking who is responsible for what.
4. Does your charity keep an asset list to help you identify all the devices that access your charity’s data, plus a list of all the software and cloud services that you use?
Maintaining an asset inventory helps to track which software you have in use in your organisation and when it becomes unsupported or no longer receiving security updates.
Unsupported software is a key target for cyber attacks. Known vulnerabilities in legacy software left un-patched are easy targets for hackers, who create programs and services to make them easy to exploit, even for criminals with low levels of technical expertise.
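An asset list only helps with question 4 if someone actually checks it against support dates. The script below is an added example, not code from the article or from IASME or Smartdesc: it reads a small inventory in the CSV shape a charity might keep, and reports which entries are already out of support, which reach end of support within a warning window, and which have no date recorded at all. The product names, versions, dates and device names are all constructed for the demo, not real end-of-support dates.

```python
"""Added example (not from the article): reviewing an asset inventory for
software that is unsupported or approaching end of support.

The inventory below is constructed inline; product names, versions,
dates and device names are illustrative only.
"""
import csv
import io
from datetime import date, timedelta

# Constructed inventory in the form of a simple CSV export.
INVENTORY_CSV = """\
device,software,version,end_of_support
FIN-LAPTOP-01,Example Office Suite,2016,2025-10-14
FIN-LAPTOP-01,Example PDF Reader,11.2,2023-06-30
RECEPTION-PC,Example Office Suite,2021,2026-10-13
RECEPTION-PC,Example Donor Database,4.1,
VOL-TABLET-03,Example Survey App,118,2024-01-31
"""


def load_inventory(text: str) -> list:
    """Parse the inventory CSV into dicts, converting dates where present.

    A blank end_of_support field is kept as None: an unknown date is itself
    a finding, because you cannot manage what you have not recorded.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        eos = row["end_of_support"].strip()
        row["end_of_support"] = date.fromisoformat(eos) if eos else None
        rows.append(row)
    return rows


def review_support(rows: list, today: date, warn_days: int = 90) -> dict:
    """Group inventory entries into unsupported, expiring, unknown and ok.

    Each bucket maps 'software version' to the sorted list of devices that
    run it, so the report shows the scope of each problem, not just the name.
    """
    report = {"unsupported": {}, "expiring": {}, "unknown": {}, "ok": {}}
    horizon = today + timedelta(days=warn_days)
    for row in rows:
        key = f"{row['software']} {row['version']}"
        eos = row["end_of_support"]
        if eos is None:
            bucket = "unknown"
        elif eos < today:
            bucket = "unsupported"
        elif eos <= horizon:
            bucket = "expiring"
        else:
            bucket = "ok"
        report[bucket].setdefault(key, []).append(row["device"])
    for bucket in report.values():
        for devices in bucket.values():
            devices.sort()
    return report


def print_report(report: dict) -> None:
    """Print only the buckets that need action."""
    for bucket in ("unsupported", "expiring", "unknown"):
        if report[bucket]:
            print(f"{bucket.upper()}:")
            for key, devices in sorted(report[bucket].items()):
                print(f"  {key}: {', '.join(devices)}")


if __name__ == "__main__":
    # Fixed reference date so the demo is repeatable; use date.today() in practice.
    print_report(review_support(load_inventory(INVENTORY_CSV), date(2025, 9, 1)))
```

Run on a schedule (for example before each board meeting), the "expiring" bucket gives the lead time needed to budget for upgrades before the software becomes the easy target the article describes.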
5. Do you train and regularly test your staff on cyber security?
User error is still by far the most common way an attack is successful. Within that, over 90% of attacks still happen by email.
Every charity should mandate that staff undertake cyber security training at least once per year, and police this to ensure compliance.
If you are a small charity, the NCSC’s Small Charity Guide can help you nail the basics.
If you are a larger charity, the NCSC’s 10 Steps to Cyber Security will help you to identify what to do within a more complex infrastructure.
The NCSC has also created an Introduction to cyber security for board members.
Trustees can also look into becoming cyber certified as part of Cyber Essentials. Cyber Essentials is an effective, government backed baseline scheme that will help you to protect your charity, whatever its size against a whole range of the most common cyber attacks including ransomware. It is a great way to check that you have implemented the five key controls adequately, without overlooking something.
Many charities report that the process of certifying acts like a check list and gives them huge peace of mind. Smartdesc are a licensed Cyber Essentials Certification Body, and have helped dozens of charities achieve Cyber Essentials and Cyber Essentials Plus at affordable rates. Smartdesc’s sole focus is charities and non-profits, and can provide cost effective Cyber Essentials certification, Cyber Security Training, Independent Reviews, Penetration Testing, and free Microsoft Cloud Security Assessments for your organisation.
Could this be the year to take the extra step and show your clients and sources of funding that you have prioritised cyber security and have the certification to show for it?
Charity Cyber Essentials Fortnight runs between 6th and 17th November. IASME will be working closely with the National Cyber Security Centre and Charity Digital to educate and support charities about the cyber threat they face and inform them about the benefits of Cyber Essentials. There will be a discount to the price of certification and plenty of cyber security guidance tailored towards the charity sector. Look out for more information by visiting the Charities Cyber Essentials webpage.
If you need help getting started on your Cyber Essentials journey, you can access the free Cyber Essentials Readiness Tool, developed on behalf of the NCSC by IASME.
The Readiness Tool is a free, online tool accessible in the form of a set of interactive questions on the IASME website. The process of working through the questions will inform you about your organisation’s level of cyber security and what aspects you need to improve. Based on your answers, you will be directed towards relevant guidance and a tailored action plan for your next steps towards certification.
Adam Monks, Chief Executive of Smartdesc, advises trustees who are unsure where to start when bringing their organisation’s cyber security up to speed to consider the next five steps as a starting point.