Charity cyber risk assessment: A guide


There’s never a good time for a cyber-attack in any business. But with a heavy reliance on fundraising and volunteers, it can seem particularly catastrophic for charities and not-for-profit organisations. As a leading UK charity insurer, we help protect over 3,000 charities (both large and small), so it’s safe to say we know a lot about the things that matter most to them. For this reason, we’re going to explore cyber risk assessments, so you can do everything in your power to protect your charity from a cyber-attack.

What is cyber security?

Cyber security is the set of measures put in place to protect an organisation from cyber-attacks. Attacks could target networks, systems, programs, devices and data, and could result in irrecoverable damage (financial, legal and reputational) for the charity involved.

Under the General Data Protection Regulation (GDPR), there is also a legal requirement to have appropriate measures in place to protect personal data. These measures include different processes, controls and technologies, all of which aim to reduce the risk of a cyber-attack.

Types of cyber attacks

There are various types of cyber-attack to be wary of, and charities could be affected by any of them, especially if they’re embracing the digital world. These include:

• Phishing – Where the attacker tries to trick staff into handing over specific information (such as bank details).
• Malware – Where a malicious program is placed on digital devices and used to carry out harmful activity.
• Malicious apps – Where sensitive data could be stolen, files could be encrypted with ransomware, and so on.
• Various other types of attack such as ‘man-in-the-middle’ (MITM), distributed denial-of-service (DDoS), SQL injection, zero-day exploits, DNS tunnelling and more.

Importance of risk management in cyber security

The startling thing about many cyber-attacks is that, with the right measures and training in place, they could have been prevented. This is the main reason why it’s so vitally important to focus on risk management when it comes to cyber security. A risk assessment will help you mitigate risks in your organisation and therefore prevent attacks. This will, in turn, reduce costs for your organisation: it denies potential attackers their financial gain, avoids any fines you may incur as a result of an attack, and prevents loss of income through reputational damage.

Cyber risk management will also protect your charity’s reputation. A cyber-attack doesn’t look good for any organisation, and even where it is not directly your charity’s fault, in retrospect there may have been measures you could have taken to prevent it.

How to conduct a cyber risk assessment

A good first step in conducting a cyber risk assessment for your charity is to find a template you can use. This should outline all the areas you may need to consider, plus you could adapt it to include additional areas unique to your organisation.

If your charity doesn’t have someone dedicated to looking after your cyber security, you can find free templates and resources online to work with.

Once you have your template, as a general overview, you’ll need to:

• Consider the scope of the risk assessment
• Identify the key areas that are a cause for concern
• Analyse the risks and potential impact
• Prioritise those risks and document them
• Identify measures to mitigate the risks highlighted and document those too

How to reduce cyber risk

There are lots of things you can do and practices you can implement to help protect your charity from cyber-attacks. Here are a few ideas.

• Review your current security system

Best practices are always changing, and chances are that even if you updated your security system six months ago, there are more updates you could make now. Reviewing your current systems to tighten your cyber security will help you get the most out of the controls you already have.

This review could include areas such as:

o Limiting browsers
o Turning off unneeded services
o Limiting access to certain website categories e.g. retail
o Requiring permission to access certain website categories e.g. social media

• Get smarter with password policies

Did you know that although it’s recommended to use a different password per platform, only 21% of people do this? That could mean that 79% of your staff are unknowingly putting your organisation at risk. However, this may not be their fault. If they’ve never had cyber security training, or your charity doesn’t have password policies in place, how are they supposed to know what’s right and wrong?

Getting up to date with password best practices and implementing policies is a good place to start. For example, you could advise staff to use a different password for every platform and roll out a password manager to help them remember those passwords.

• Enforce software updates and security patches

Software updates are released for numerous reasons, but the most important is fixing security weaknesses. It’s therefore essential for all staff to update their devices as soon as a software update is available. This helps prevent risks such as ransomware attacks, data breaches and other online threats, which charities are far more exposed to when working with out-of-date software.

• Take special measures for remote working

With 47% of organisations opting to give employees the choice of working remotely once the pandemic is over, it’s a good time to mention that increased online working means increased cyber security risks. You should consider the risks involved and develop remote working policies and procedures. Some things to think about include:

o Office-based IT systems typically sit behind a high level of security controls. When we move to working from home, however, we rely more heavily on the internet and cloud-based systems as staff need to access files and data online, growing your attack surface and therefore your risk of a cyber-attack.

o In addition, there are other considerations such as an increased risk of phishing attacks. In fact, did you know that a recent report found a 600% increase in reported phishing emails since the end of February, with many of these attempts piggybacking off pandemic uncertainty?

Ideally, staff should be encouraged to use their work laptops, which have the relevant remote access and security controls. This will reduce the chances of a cyber-attack, ensure the right defence tools are in place and allow IT to respond efficiently and appropriately should the worst happen.

If your volunteers don’t have work laptops or phones, it may be worth investing in them, as well as considering the risks involved with using personal devices (particularly when personal or sensitive data is involved) and putting plans in place to mitigate that risk.

o Naturally, tired employees make mistakes. And did you know that a recent survey found that remote staff worked on average five hours a week more than office-based staff? This could be due to remote staff over-compensating for the flexibility given to them, or because they can catch up on work in their spare time at home.

If remote workers are putting in more hours, they may grow tired which could result in mistakes. This could mean saving documents in incorrect places, using the wrong data to contact a member, or handing over confidential information to an attacker. Therefore, promoting the importance of staff wellbeing is a vital step in reducing cyber risk.

These are just a few things to consider when thinking about implementing remote working policies.

• Team training

Once you’ve implemented your policies and guidance, you’ll need to make sure staff are kept up to date. This could include regular training courses to ensure they’re fully aware of the latest best practice and how it fits with your charity’s policies.

• Data encryption

Storing sensitive data in plain text can create huge security risks for your charity, because anyone who gains access to the files can read them. Encrypting your data protects it against attackers, since the data is unreadable without the key. If you have an IT team, they will be able to help with this. And if you don’t have an in-house IT team, it may be worth speaking to a specialist for some specific advice.

• Do not store credit card information

This may seem like a simple point, but you’d be surprised by the number of people who still store financial information on their computers. Whether it’s staff who don’t want to keep troubling stakeholders for access to the credit card, or team members who aren’t familiar with cyber security best practices, covering this in your training is an extremely important step in mitigating cyber risk.

• Limit login attempts

A common way for attackers to gain entry to your charity’s systems is by guessing or stealing staff passwords. Limiting password login attempts (for example, three strikes and you need to speak to IT) can help you prevent these attacks and keep your systems safe and secure.

This may be frustrating for staff if they’re known for forgetting their passwords and locking themselves out, but implementing the password manager we mentioned above should hopefully help maintain productivity as well as keep your charity’s systems safe.

• Implement a suspicious activity escalation plan

It’s a good idea to have a process in place for when suspicious activity is observed. Depending on your charity’s structure, this could involve your in-house IT team immediately being able to shut down access to servers etc. or contacting the agency who manages your IT with an urgent request to follow the ‘kill switch’ protocol!

• Have a crisis management plan in place

In the event that an attack does take place, having a crisis management plan and a team dedicated to dealing with the issue is a sensible idea. This could include outlining responsibilities for briefing IT, communicating with staff, communicating with members and customers, liaising with PR agencies, providing updates and so on. Ideally it would provide guidance on every step of the response from start to finish.

• Consider cyber insurance

An additional step to help safeguard your charity from the implications of a cyber-attack is investing in cyber insurance. Cyber insurance covers loss of income, legal protection and compensation claims following a cyber-attack, plus social engineering or phishing attacks.

These types of attacks are an increasing threat in the digital age and all types of organisations should take the threat seriously.

With over 30 years’ experience and over 3,000 not-for-profit customers in the UK, we’re able to provide competitive coverage, expert consultation and specialist advice for charities, community groups and not-for-profit organisations.

If you’re interested in cyber insurance for your charity, speak to one of our specialist team and get a quote today.

Cyber security guidelines

Once you have your risk management plan mapped out, your risks identified and their mitigations communicated to your staff, you’ll likely need to put some cyber security guidelines in place so your teams can follow the specific policies.

It may be a good idea to create a hub of cyber security policies that is easily accessible to all staff, and to implement training that complements these policies. For example, cyber security training built around:

• Password policy
• Software update policy for digital devices
• Data encryption policy
• Remote working policy

As a charity, you may not consider it a priority to commit vast amounts of resource to cyber protection. However, a sensible approach would be weighing up the implications of a potential attack on your charity and putting measures in place to mitigate the risks.

A good starting point for small charities who may not want to commit the resource could be the Cyber Security small charity guide from the National Cyber Security Centre (NCSC). This guide provides tips on improving cyber security quickly, easily and most importantly, at low cost.

You can also read more about cyber threat to the UK charity sector here.