At the recent Third Sector webinar on ‘How to keep your charity cyber safe’, in partnership with the National Cyber Security Centre (NCSC), we asked the experts for their golden rules to protect against cyber attacks in a not-for-profit organisation.
1. Get your board to take cybersecurity seriously
Getting buy-in from your board to invest in cyber security can be difficult – especially if it’s a choice between spending money on beneficiaries, or splashing out on new technology. To encourage board members to invest, it’s important to explain the specific risks to your organisation.
“Frame cyber security investment in terms of what could prevent charities from carrying out their work. So, if you are very dependent on technology, think about what would happen if there were a ransomware incident that took out access to your machines. Could you still deliver services to your beneficiaries?” asks Michala Liavaag, founder and managing director of Cybility Consulting.
Stuart McSkimming, chief information officer at the Royal British Legion, added: “Board members are not cyber security experts, but they should understand ‘risk’. Keep it simple and explain what could actually happen, and here’s what we can practically do to reduce the possibility of a cyber attack.”
The NCSC has produced a Board Toolkit which is designed to encourage and support essential cyber security discussions between the board and their technical experts.
2. Encourage an open culture when it comes to reporting an attack
There is often shame and embarrassment associated with falling for a hacker’s scam, so encouraging employees to speak out if they make a mistake is essential.
“Cyber security has grown up in this adversarial war-gaming kind of culture, which is really unhelpful, so make sure you don’t blame people if they click a phishing link,” said Ian Levy, technical director at the NCSC.
“It’s not their fault, so make sure you support your staff.”
3. Reduce the risk of human error with training
Liavaag said that the majority of cyber breaches are related to the human factor, so spending a little money on training, education and awareness could be more valuable than spending thousands of pounds on new technology. “I would like to see that balance shift,” she said. “Think about the people and invest in them – they will make the difference to your organisation.”
Gareth Packham, director of information security & data protection at Save the Children International, agreed: “Our job is not to turn everyone into cyber security experts, but they do need to know how to protect themselves, whether that’s using multi-factor authentication or looking out for phishing emails,” he said.
Check out Cybility’s Cybersecurity Ring of Resources – Charities Edition; it is a collection of useful, mostly free, resources that can help you protect your charity.
4. Save money by talking to your peers
Seeking help from peers in the not-for-profit sector can be a cheap and easy way to stay ahead of cyber threats. “There are a lot of people out there from larger charities who are willing to put some time in to mentor smaller charities, so build up connections with people who can give you some honest, simple advice,” said McSkimming.
Sharing information about current threats with other organisations is also incredibly valuable. Levy says the NCSC organises a Charity Trust Group which cyber leaders in larger charities can join to share information. “It’s one of the best ways to make sure large charities stay on top of the threat as it evolves over time,” he says. The NCSC also publishes a small charity guide, dedicated to helping not-for-profits that may not have the time, money or resources to tackle cyber crime on their own.
5. Protect your passwords
McSkimming said that one of the simplest ways to protect your organisation is using multi-factor authentication for passwords. “I would recommend this to anyone to reduce the risk of cyber attacks,” he said.
Liavaag also suggested using haveibeenpwned.com, which can be set up to check if your employees’ email or phones have been compromised, and immediate action can then be taken to disable those accounts. The NCSC also offers advice on best practice when it comes to setting strong passwords.
6. Create an incident response plan – then test it – and use it!
When thinking about the cyber threats your organisation might face, it’s crucial to make sure you know what your risks are. “It’s so important to have an incident response plan. Innovating during a crisis is not a good idea,” says Levy.
He added that testing your current system is a good first step towards finding out how resilient your charity might be in the event of an attack. “Putting people in a real situation and letting them work through how it actually feels to be the subject of a cyber attack is really constructive,” he said. “The NCSC has a free tool called Exercise in a Box, which takes you through a simulated attack and shows what the impact might be – not just on your services but your brand.”