We share the questions that Trustees need to ask to stay on top of their charity’s cyber security
Trustees act as board members and play a very important role in governing the charities they support. The role comes with significant responsibilities, not least of which is ensuring the charity they represent manages its cyber security risks to a good standard.
Cyber security is, of course, a highly specialised area that is also very high profile. Many Trustees do not have professional cyber security experience, so how do they ensure their charities are conforming to best practice, investing in the right areas, and making best use of technologies at their disposal?
In this guidance article, IASME team up with one of our Certification Bodies, Smartdesc, who specialise in providing IT Services for non-profits. We share practical advice for Trustees on what questions to raise with their Boards and explore how the core standards of the Cyber Essentials framework can be applied in your organisation.
We are a charity, why would someone attack us?
It is not so much that a criminal would deliberately attack a specific charity (although they might), it is that they randomly attack many thousands of organisations in one go, with no regard to who they are.
Cyber criminals use readily available tools that require next to no skill and work by tricking people to give away their security credentials or by finding weak spots in their IT systems to gain access.
If your charity uses digital technology, you are a potential victim of cyber crime. A good cyber security posture is often as simple as getting the basics right, to make you less attractive than the next organisation; attackers will always go for the lowest hanging fruit.
Surely, I can leave cyber security for the IT manager to worry about?
Cyber security is everyone’s responsibility, including Trustees. If you are lucky enough to have internal IT resources, those staff cannot be expected to be experts in everything.
A cyber security incident will affect the whole organisation – not just the IT department. It may impact or halt your services, damage your reputation and contractual relationships, put sensitive client and donor information in the public domain and result in legal or regulatory action.
Regardless of who is taking care of the IT, if something went badly wrong, the responsibility for the cyber security controls, the passwords, the accounts, and the potential data breach would lie with the senior management.
Trustees themselves don’t need to be technical experts, but you should be having constructive discussions with key staff to ensure you are confident that cyber risk is being appropriately managed.
If this is an area that you feel very uncertain about, could you bring in an IT consultant or cyber security professional to review your organisation’s cyber maturity? This would ensure that your charity is being proactive in aligning to industry standards, and such a review is often done on an annual basis.
What are the key questions we should be asking?
- Are you and any remote or home workers and contractors accessing your organisation’s network and data in a secure way?
  - To help tackle this, you could create a Bring Your Own Device policy for all remote/home workers. Read the guidance on BYOD.
  - Share a comprehensive password policy with all employees, volunteers, contractors, and Trustees.
  - Enable multi-factor authentication for all accounts accessible over the internet. Multi-factor authentication will prevent attackers from gaining access to your accounts even if your password is guessed or stolen.
  - Ensure all staff use a standard user account to carry out their normal day-to-day work. Staff using admin accounts for everyday tasks is a common facilitator of a cyber breach. An attacker will have the same privileges as the account you are logged in as, and if that is an admin account they will be able to perform actions such as installing malicious software, deleting files, and accessing sensitive data. For this reason, administrative accounts must be restricted, kept track of, and not used to carry out everyday tasks.
  - Check that all accounts and apps that are not being used are removed. If certain software is not needed, removing it from your device reduces the risk of there being a vulnerability that can be exploited by cyber criminals.
- Does your charity regularly back up all its essential data? This is the best way to limit the effects of a ransomware attack.
  - Do you keep your back-ups in a different location from your network and systems, with one back-up kept off site?
  - Do you know how to restore files from the back-up, and do you test that your back-up system is working?
- If your charity uses cloud services, do you understand the shared responsibility model?
  - This means that for some security controls it is the cloud service provider that is responsible for implementation, whereas for other features it is the user organisation. Who implements which controls will vary depending on the design of the cloud service being subscribed to. Do not assume your service is secure; be diligent about checking who is responsible for what. Read the guidance on the shared responsibility model.
- Does your charity keep an asset list to help you identify all the devices that access your charity’s data, plus a list of all the software and cloud services that you use?
  - Maintaining an asset inventory helps you track which software is in use in your organisation and when it becomes unsupported or stops receiving security updates.
- Do you avoid using legacy and unsupported software?
  - Unsupported software is a key target for cyber attacks. Known vulnerabilities in legacy software left unpatched are easy targets for hackers, who create programmes and services that make them easy to exploit, even for criminals with low levels of technical expertise.
  - All critical and high security updates released by the manufacturer must be applied within 14 days; the easiest way to achieve this is to enable ‘automatic update’ on all your devices.
  - For some larger organisations, there is a concern that some software updates may stop other software from working or cause some features to break. Most IT teams in larger organisations aim to fully test each update on a controlled sample of devices before applying it company-wide. The National Cyber Security Centre has some useful guidance on installing software updates without breaking things.
- Do you train and regularly test your staff on cyber security?
  - User error is still by far the most common way an attack is successful. Within that, over 90% of attacks still happen by email.
  - Every charity should mandate that staff undertake cyber security training at least once per year, and police this to ensure compliance.
Where can I find more information?
If you are a small charity, the NCSC’s Small Charity Guide can help you nail the basics.
If you are a larger charity, the NCSC’s 10 Steps to Cyber Security will help you to identify what to do within a more complex infrastructure.
The NCSC has also created an Introduction to cyber security for board members.
Cyber Essentials is an effective, government-backed baseline scheme that will help you to protect your charity, whatever its size, against a whole range of the most common cyber attacks, including ransomware. It is a great way to check that you have implemented the five key controls adequately, without overlooking something.
Many charities report that the process of certifying acts like a checklist and gives them huge peace of mind. Smartdesc are a licensed Cyber Essentials Certification Body, and have helped dozens of charities achieve Cyber Essentials and Cyber Essentials Plus at affordable rates.
Could this be the year to take the extra step and show your clients and sources of funding that you have prioritised cyber security and have the certification to show for it?
Charity Cyber Essentials Fortnight runs between 6th and 17th November. IASME will be working closely with the National Cyber Security Centre and Charity Digital to educate and support charities about the cyber threat they face and inform them about the benefits of Cyber Essentials. There will be a discount to the price of certification and plenty of cyber security guidance tailored towards the charity sector. Look out for more information by visiting the Charities Cyber Essentials webpage.
If you need help getting started on your Cyber Essentials journey, you can access the free Cyber Essentials Readiness Tool, developed on behalf of the NCSC by IASME.
The Readiness Tool is a free, online tool accessible in the form of a set of interactive questions on our website. The process of working through the questions will inform you about your organisation’s level of cyber security and what aspects you need to improve. Based on your answers, you will be directed towards relevant guidance and a tailored action plan for your next steps towards certification.
Where do I start?
Adam Monks, Chief Executive of Smartdesc, advises Trustees who are unsure where to start when bringing their organisation’s cyber security up to speed to consider the following steps as a starting point.
- Reflect on the Mission, Values and Vision of the charity organisation. What are the main goals and priorities of your charity?
  - Cyber security should not be seen as a separate issue, but as an integral part of your charity’s strategy. Trustees must consider the level of cyber risk that your charity is willing to accept in order to achieve its objectives. That risk appetite guides your decisions about the measures to take to manage cyber security risk.
- Once you’ve agreed on how cyber security aligns with the charity’s Mission, Values and Vision, think about how this is then managed and communicated.
  - Make sure that your charity has adequate policies, approved and owned by the board, that outline the risk management strategy for the whole organisation, and that cyber security is considered in other relevant policies.
- Once you’ve implemented and communicated the strategy throughout the charity organisation, how is this monitored, and modified when needed?
  - Think about how you will maintain the importance of cyber security through ongoing Learning and Development.