Charities have what criminals want – access to funds, a large amount of donor data and sensitive information about the beneficiaries they support. According to the National Cyber Security Centre (NCSC), “Charities are absolutely not immune to cybercrime – quite the opposite in fact”. Cybercriminals simply do not discriminate between private organisations and not-for-profits.
Last year the Charity Commission, alongside the NCSC, issued an alert containing regulatory advice under section 15(2) of the Charities Act 2011. So what can you do to reduce the risk of cybercrime with your charity?
Consider the consequences of what would happen if you lost part of your data…or all of it! What are the cost implications of this? Do you have a back-up policy? Is your IT team ensuring your data is backed up safely and routinely? Regularly backing up data is the best way to ensure you can continue to operate if you are unlucky enough to be attacked.
Make sure you have antivirus software in place and ensure this is regularly updated.
Most of us have our work emails on our phones. Make sure you have a policy in place for lost or stolen devices and ensure they can be wiped. All smartphones should be password protected.
What would happen if you lost your laptop and someone gained access? How would this impact your charity, donors and beneficiaries? Make sure your password is confidential and unique to you. Change your password regularly to ensure you remain protected.
Technology is a rapidly moving industry and cybercriminals move at a similar pace. Stay up-to-date with the latest risks and guidance in this area. The NCSC website, Charity Commission and the TechTrust are all useful sources of information.
Everyone who accesses the internet and computer systems at your charity (including tablets and mobile) needs to be aware of cyber security and the basic ways they can help the organisation to protect itself.
All staff should receive cyber security training. There has been some criticism of training by organisations such as AXELOS due to it often being ‘one dimensional and outdated’. As raised in the previous point – keep up-to-date and ensure, if you are delivering training in-house, this reflects current trends and government guidance.
If you are outsourcing training, whether that be face-to-face or e-learning, find out how the provider stays up-to-date. For example, Virtual College work with subject matter experts, such as Stuart Hyde, who review cyber security content at scheduled intervals to ensure it reflects the latest available research and government guidance.
Volunteers and beneficiaries of your organisation also need to be aware of cyber security. It is just as important that they understand the risks to the charity as well.
Finally – visitors to your site may require internet or IT access. If you don’t already have one in place, consider implementing a policy and procedure to ensure visitors safely access the internet. This could include a written code of conduct which is signed by all visitors.
Cyber security needs to be at the forefront of everyone’s mind. Whether they are the CEO or a casual volunteer, your organisation should continue to remind the team about cyber security – simply training once a year will not embed behaviour change. Ensure the team continue to engage with cyber security messaging by including this in your communication plans.
You could do this by:
If you would like more information about the cyber security resources available from Virtual College, please get in touch with Helen McKay at firstname.lastname@example.org.