Cybersecurity is a growing risk for all organisations, and it’s clear that charities and religious organisations are a target for fraudsters and hackers just as other businesses are. Last year, the government’s Cyber Security Breaches Survey 2019 revealed that around 20% of charities had experienced some form of data breach or cyber-attack in the past 12 months, highlighting the vulnerability of the sector. The Charity Commission has emphasised the importance of taking a proactive approach, prioritising the detection and prevention of cyber-attacks.
Protecting personal data is probably the biggest challenge facing organisations. Keeping data secure is difficult, even when that data is handled within the charity’s own offices, but that task becomes even more difficult when it is handled offsite.
In accordance with the Data Protection Principles, organisations have a legal obligation to implement appropriate technical and organisational measures to ensure that personal data is adequately protected. This is particularly important where staff are working remotely. Use of personal devices for work purposes, unsecured Wi-Fi networks, and scams targeting remote workers, to name but a few, all pose potential threats and must be considered.
Here are some top tips which are particularly relevant during the COVID-19 pandemic due to different working practices, for example, much higher numbers of employees working from home. A data breach or cyber-attack can not only seriously affect your organisation’s finances but also have a detrimental impact on its reputation, which can be challenging to repair.
Make sure your Data Protection policy and Anti-fraud policy are fit for purpose: reviewed so that any updates needed to reflect the current situation are made, implemented by senior leaders and communicated effectively to others within the organisation. It is also a good opportunity to review or implement remote working and Bring Your Own Device (BYOD) policies, to ensure that adequate arrangements are in place.
- Training and good practice
Charities should ensure that all staff working from home have had (or are directed to) appropriate training so that they understand their data protection obligations and how to reduce security risks. Ensure staff are aware of their environment when working at home to prevent inadvertent data breaches, e.g. locking computers when away from their screen, and taking care when speaking on the telephone or in video conferences that virtual assistant listening devices, such as Alexa and Google Assistant, are not listening or recording. Where staff have to use personal devices, organisations should ensure that those devices have adequate and up-to-date security arrangements in place. The National Cyber Security Centre has published some useful guidance on how to ensure organisations are prepared for home working. Make sure everyone in your organisation is aware of the different types of cybersecurity risk; these are constantly changing. Look out for phishing emails: the COVID-19 outbreak has unfortunately led to a surge in phishing scams targeting home workers, and staff should be provided with information to help them identify such scams so as to protect personal data.
- Risk Management
To be effective, you need to embed cyber risk management within your organisation at every level. Ensure cybersecurity and risk are standing items on trustees’ meeting agendas. Ensure risk management is ‘live’ and responsive to developing areas of risk: your risk register should record the risks identified and the actions to be taken, with any deadlines noted, and should be reviewed regularly. During the pandemic, this needs to include the risks of employees/volunteers working at home. It isn’t possible for an organisation to eliminate all risks, so risk management is a question of balancing each identified risk against the seriousness and likelihood of its impact on the organisation. Consider whether you have appropriate expertise to recognise the risks, and insurance in place to cover loss as a result of a cyber incident. If not, you should take action.
- ICO Guidance
The ICO has recently published guidance on the security measures you should take to protect your systems. The guidance hasn’t changed very much from the previous guidance, but it is clear that hackers are stepping up their attacks in light of the pandemic, especially as more people are working from home, using personal devices and may not be deploying sufficient security measures.
- Common themes
Consider the common themes of charity fraud – might these apply to your organisation and what steps could you take to reduce or mitigate any risks identified?
- Excessive trust
- A lack of “challenge”
- It’s not possible to put in place all the controls required to prevent fraud
- Trustees and volunteers are not experts – how can we expect them to be?
- Absence of oversight or a suitable segregation of duties
- Financial controls
Make sure you have a clear procedure (particularly important whilst not in the office) on the use of cheque books and online accounts: who has authority to make payments, whether different amounts require different levels of authorisation, and who has oversight of the accounts and of monies going in and out. You should ensure that access to records and systems is restricted by requiring two-factor authorisation.
- Personal data
Regularly review the personal data that your organisation has stored and ensure that personal data is only retained where necessary (in accordance with the Data Minimisation Principle). This reduces the risk that the personal data becomes irrelevant, excessive, inaccurate or out of date, and it limits what is exposed in a cyber-attack; what is retained should then be stored appropriately.
Ensure that back-ups are stored separately and safely from the live systems, so that malicious software cannot prevent all access to your data in the case of a cyber-attack. Also make sure all firewalls and anti-virus software are up to date and working optimally. In addition, staff should be appropriately trained in how to deal with spam emails and downloads safely.
- Incident response plans
Put in place an incident response plan which goes through the following phases: monitoring and detection; analysis of the threat; containing and repairing any threat identified; investigating the root cause; and then remediation of the root cause. The plan should include pre-approved decisions and actions to expedite the response to any cyber-breach, in order to mitigate the risk and impact of the breach and to ensure that individuals within your organisation know who has responsibility for what. The National Cyber Security Centre (NCSC) has issued useful guidance on how to develop a response plan. The plan should include:
- Pre-approved authority for your IT team (or a third-party provider) to take down all production services where there is suspicion of a cyber breach. You will need to agree the level of suspicion required before this can be actioned. If you are reliant on a third-party provider, you should ensure that you are clear about the service they will offer in relation to cyber-related threats.
- Agreement that any ransom demands will not be paid.
- An internal communications plan, with standard pro-forma wording already drafted, to inform end users of the breach and tell them what action they need to take and what they must not do.
- An external communications strategy.
- Reporting to the regulators
Report allegations or incidents of fraud and cyber-crime to Action Fraud via its online reporting tool or the National Phishing Line, and to the NCSC using the Suspicious Email Reporting Service, ensuring you obtain a crime reference number and making clear that you’re representing a charity. Where an incident occurs, consider whether you need to report it to the Charity Commission in line with its serious incident reporting guidance. One of the main categories of reportable incident, if judged ‘serious’ in the context of your charity, is financial crime, which includes fraud, theft, cyber-crime and money laundering. Where a personal data breach occurs, you will need to report it to the Information Commissioner.