Being cyber resilient means both preventing cyber breaches and making sure that, if a breach occurs, you are able to respond without losing business continuity. A cyber breach isn’t necessarily a ‘hack’; it is any incident in which data is lost or stolen, including accidental loss or theft of hardware, social engineering or phishing. The types of data could include financial data, security data or personal data, such as your customers’ contact details.
For many charities, action is only taken once a serious threat occurs. In other words: closing the stable door once the horse has bolted. We are working with Scottish charities to build commitment from third sector leaders to assess and improve their cyber resilience.
To test the ability of third sector organisations to achieve Cyber Essentials accreditation, we have a small-scale grants programme of up to £1,500 to help cover the application and IT support costs needed to achieve accreditation. The programme opened at 9am today (21 September) and further details for applying are available on our website.
It is the high-profile cyber breaches that hit the headlines and inform public opinion, such as the recent WannaCry ransomware attack, which affected thousands of NHS machines. But the vast majority of charities will not be targeted in an international act of espionage. In a recent small business survey, 48% of businesses that had experienced a breach said the root cause was a “negligent employee or contractor”. A cyber breach is not always a cyber-attack.
With 40% of charities rating their skills in cyber security as ‘low’ or ‘very low’, we’re aware that third sector organisations often lack the knowledge to assess and discuss cyber threats properly, and that’s why we are working on a series of projects to help the third sector be better prepared than ever before.
The important thing is to have considered the risks before something happens and to know what to do when it does. Remember: it takes the same amount of effort to close the stable door before and after the horse bolts, but if you do it before, you still have your horse.
In the meantime, here are some practical pointers to help you consider cyber resilience:
- Having up to date software and privileges: If you are purchasing new computers and software, make sure they are up to date, and update any second-hand systems. When setting up your new systems, get admin privileges nailed from the outset. If you are using part-time and temporary staff, consider who really needs to be able to access sensitive data. Have a clear outgoing process that can be followed when someone moves on.
- Passwords & personal security: As you bring on volunteer, part-time or full-time staff, make sure that cyber awareness is part of the induction process.
- Using secure websites: Having a secure, trustworthy site is important for security and reputation. Using https as the prefix to your website URL shows that the connection to your website is secure (encrypted), as opposed to plain old http. Do not send information over a site that doesn’t seem secure.
- Data security and backup: Think about how you store, handle and back up your data. There are lots of options available; backing up to the cloud is very cost effective, or you may want to work solely from the cloud via services such as Google Drive, SharePoint or OneDrive.