We know that charities are still not fully engaged with cyber threats and the risks they pose; phishing scams, ransomware and accidental loss of data. But now, with policies changing and GDPR looming, inactivity to these threats could soon come with sanctions.
Over the last six months we have delivered a project working with Scottish charities to explore how to build a cyber resilient third sector in Scotland.
During that time we have presented to more than 50 charities about the risks, had over 50 applications for our Cyber Essentials Grants and been able to fund 15 of them to go through Cyber Essentials accreditation.
This is what we have learned:
1. There was a mixed experience with our SCVO Cyber Essentials grants
In November we issued grants of between £500 and £1,500 to help organisations achieve Cyber Essentials – a Government-backed scheme that will help you to protect your organisation against the most common cyber-attacks, and is likely to be a future procurement condition.
We have had a mixed response, some finding it easy, with the relationship between the accreditation body and their IT partner straightforward (“Having our IT partner lead on the process was invaluable”), and others who have struggled to get things off the ground (“the relentless upselling!”).
However, around a third of those we funded have taken the opportunity offered by the grants to do more than simply achieve accreditation. They have implemented policies, re-engaged with their staff around secure passwords and even instigated culture change by improving the ways they work.
We will be publishing the outcomes of the grants programme in the coming weeks.
2. There were more low-level breaches than we thought
We did not set out to discover the volume or nature of cyber incidents throughout the sector, but through the project we have heard similar stories from people who would approach us after our sessions saying: “We lost some money to an online scam.”
The amounts ranged from £2,000 and £15,000.
Anecdotally, the methods used were either basic phishing scams – casting a wide net to hundreds of addresses at once hoping for one bite – or more sophisticated; a domain purchased to look like the organisation’s own domain, seemingly sent from someone senior in the organisation with a legitimate-sounding reason for the money transfer.
These incidents were rarely reported via any official channels, such as via the Action Fraud website and often no action was taken at all to protect against future threats.
3. There are good resources available to help
The good news is that along with our commitment to help the sector, organisations like the National Cyber Security Centre (NCSC) are producing information, such as the Small Charity Guide, which covers “How to improve cyber security within your charity – quickly, easily and at low cost”.
And the SCVO Datawareness campaign brings together resources to help people prepare for GDPR D-day on the 25th May. We are also hosting a data protection conference in conjunction with the Institute of Fundraising Scotland on 1st May.
SCVO member organisations with an income of less than £500,000 can also access up to two hours of free legal advicewhich could be used to review your organisation’s data protection policies and procedures.
4. Board-level awareness is growing, but remains low
Recent inputs into the SCVO Digital Check-up (an assessment we use to benchmark how ‘digitally mature’ an organisation is) includes two questions relating to Cyber Resilience. The assessment shows that for 82% of responses, cyber threats do not feature highly alongside other business risks and priorities. Through our work we know that board-level awareness is growing, but overall it remains low, with many boards just not having knowledge or experience of cyber threats to know where to start.
We also asked “Has training been delivered to staff in any of the following areas?” Hardware security (42%), password security (40%) and data handling (38%) were the top responses, with phishing scams (30%), viruses and malware (22%) and social engineering (8%) being the lowest.
5. Improving staff knowledge can be the easiest and most effective against low level threats
When people disclosed their breaches we would ask: “Have you put any training in place to stop this happening again?”
“No” was a common response.
Phishing or social engineering scams rely on someone from your staff team taking an action to give the fraudster easy access. It is like having the most sophisticated security system and locks on all of your doors, and then opening the door to let a con-artist walk right in.
Giving your staff the knowledge and awareness of simple online threats would stop this and is very easy to do. The NCSC’s Cyber Security: Small Charity Guide, is a good starting point and asks the following questions:
- Ask yourself whether someone impersonating an important individual (a trustee, beneficiary or manager) via email should be challenged (or have their identity verified another way) before action is taken.
- Think about how you can encourage and support people in your charity to question suspicious or just unusual requests, even if they appear to be from important individuals. Having the confidence to ask ‘is this genuine?’ can be the difference between staying safe, or a costly mishap.
6. The threats will not just fade away
Through this project we have been able to explore what works in educating and funding charities to be more cyber resilient, and we have discovered low level incidents are perhaps more common than we have previously thought.
We know that, as a sector, we are behind where we need to be to keep our data and finances safe and also that the threats we face will not just fade away. We are working closely with the Cyber Resilience Unit of the Scottish Government and other third sector organisations to look for ways in which we can continue to support the sector in the coming months and years.