Jude McCorry: Top cyber resilience tips for the third sector

Jude McCorry, CEO of the Scottish Business Resilience Centre, gives her top cyber resilience tips for the charity sector.
_______________________________________________________________________

No one is immune from the threat of a cyber attack – even organisations seeking to make a positive impact on society. Indeed, third sector insurer Ecclesiastical recently found that two in five charities (41%) experienced a cyber attack in 2021, an increase of 13% from the previous year. Separately, a government report found that a quarter (26%) of charities estimate that they are targeted by cyber criminals once a week. In the last year alone, high-profile charities including the International Committee of the Red Cross and Oxfam Australia have fallen victim to significant cyber incidents.

Irrespective of sector, when a cyber incident occurs it often takes an organisation by surprise and raises questions internally, such as “why us?” or “how might we have prevented this?” With the level of sensitive data that third sector organisations often handle, there is an inherent level of trust from those who engage and interact with them. As a result, being blindsided by such an incident is not an option.

Preparation is key

Aside from building technical defences, charities must be prepared not for IF an attack will happen, but WHEN. The single best way to ensure cyber resilience is to create an incident response plan.

Such a plan doesn’t need to be complex – particularly if you work as part of a small team. But it must lay out the key actions and roles that individuals will play in getting the organisation operational again. It should also clarify:
- the channels to keep staff and stakeholders informed
- relevant contact details for service users and partners
- assignment of team roles and responsibilities
- pre-prepared holding statements
- details on organisations that can be called upon for support, as well as organisations that you will need to report to, including the Information Commissioner’s Office and your insurance company.

This plan must also be kept in a paper format to ensure it is available should the worst happen and the attack completely remove access to IT. In addition, conducting regular scenario training sessions will prepare an organisation should an event like this occur – ensuring all in the organisation know how to react and the role they will play.

Know your data and devices

The shift to remote working has brought with it more devices for IT teams to manage and, in some cases, more off-premises IT, such as cloud storage services. Given the sensitivity and high value of charity data, knowing about your files and hardware is central to ensuring your organisation can recover. Keeping up-to-date logs and back-ups of staff devices, personnel information, financial details, and supplier and service user details means you’ll be able to assess any losses and respond quickly following an attack.

Invest to protect

Lastly, if you are keen to think more strategically about building cyber resilience into your charity’s operations, then bear in mind it requires investment. Many third sector organisations put limited investment in IT, choosing to prioritise people or services. While these are undoubtedly important, don’t discount the importance of cyber security – particularly as data from Hiscox estimates that a cyber incident costs an organisation on average £11,000 (though given the state of the landscape, this could be at the lower end of the scale).

Another way to reinforce the strength of your systems is to become Cyber Essentials accredited. This is proof that your organisation takes IT security seriously and is increasingly becoming a requirement to work with some public sector organisations and departments.

With every penny within a charity needing to be carefully spent, not investing in IT security now could cost a charity more in the future – both financially and reputationally.
