Cyber security – how can you protect your charity?

Charities have what criminals want – access to funds, a large amount of donor data and sensitive information about the beneficiaries they support. According to the National Cyber Security Centre (NCSC), “Charities are absolutely not immune to cybercrime – quite the opposite in fact”. Cybercriminals simply do not discriminate between private organisations and not-for-profits.

Last year the Charity Commission, alongside the NCSC, issued an alert containing regulatory advice under section 15(2) of the Charities Act 2011. So what can you do to reduce the risk of cybercrime with your charity?

Know the risks

Back up your data

Consider the consequences of what would happen if you lost part of your data…or all of it! What are the cost implications of this? Do you have a back-up policy? Is your IT team ensuring your data is backed up safely and routinely? Regularly backing up data is the best way to ensure you can continue to operate if you are unlucky enough to be attacked.

Protect your computer from malicious software

Make sure you have antivirus software in place and ensure this is regularly updated.

Don’t forget about your smartphone

Most of us have our work emails on our phones. Make sure you have a policy in place for lost or stolen devices and ensure they can be wiped. All smartphones should be password protected.

Password protection

What would happen if you lost your laptop and someone gained access? How would this impact your charity, donors and beneficiaries? Make sure your password is confidential and unique to you. Change your password regularly to ensure you remain protected.

Keep up-to-date

Technology is a rapidly moving industry and cybercriminals move at a similar pace. Stay up-to-date with the latest risks and guidance in this area. The NCSC website, Charity Commission and the TechTrust are all useful sources of information.

Train staff, volunteers and visitors

Everyone who accesses the internet and computer systems at your charity (including tablets and mobile) needs to be aware of cyber security and the basic ways they can help the organisation to protect itself.

All staff should receive cyber security training. There has been some criticism of training by organisations such as AXELOS due to it often being ‘one dimensional and outdated’. As raised in the previous point – keep up-to-date and ensure, if you are delivering training in-house, this reflects current trends and government guidance.

If you are outsourcing training, whether that be face-to-face or e-learning, find out how the provider stays up-to-date. For example, Virtual College work with subject matter experts, such as Stuart Hyde, who review cyber security content at scheduled intervals to ensure it reflects the latest available research and government guidance.

Volunteers and beneficiaries of your organisation also need to be aware of cyber security. It is just as important that they understand the risks to the charity as well.

Finally – visitors to your site may require internet or IT access. If you don’t already have one in place, consider implementing a policy and procedure to ensure visitors safely access the internet. This could include a written code of conduct which is signed by all visitors.

Create a communications plan

Cyber security needs to be at the forefront of everyone’s mind. Whether they are the CEO or a casual volunteer, your organisation should continue to remind the team about cyber security – simply training once a year will not embed behaviour change. Ensure the team continue to engage with cyber security messaging by including this in your communication plans.

You could do this by:

Including cyber security bulletins in your staff/volunteer newsletter.
Encouraging staff to share examples of best practice in their team meeting.
Using your intranet to highlight key issues.
Making cyber security a standard agenda item.
Sending regular emails to the team reminding them to change passwords and ensure automatic updates are installed on their computers.

If you would like more information about the cyber security resources available from Virtual College, please get in touch with Helen McKay at helen.mckay@virtual-college.co.uk.