Of the 26% of charities that reported experiencing cyber security attacks in the last 12 months, one in five lost money, data or assets as a result. However, more than a quarter of charities report having taken no action to prevent further breaches since their most disruptive breach.
The beginning of the pandemic saw a shift to home working for many organisations and the survey found that only a quarter of charities have cyber security policies that cover home working.
Organisations have understandably found it more difficult to directly monitor staff who are working remotely and the survey highlighted concerns from interviewees that this could potentially delay organisations from catching and dealing with cyber-attacks. Despite this, 80% of charities said that cyber security was no more important to them than before the start of the first UK lockdown in March 2020.
One of the areas where charities could take more action, whether staff are working remotely, on-site or a blend of both, is staff awareness and training. Only 18% of charities surveyed have undertaken cyber security training or awareness-raising activities over the last 12 months.
The National Cyber Security Centre (NCSC) website has a lot of practical guidance on cyber-security. The NCSC's 10 Steps to Cyber Security is a good starting point. The 10 Steps focus on incident management, malware prevention and managing user privileges.
The NCSC has also released helpful guidance for how to help staff protect the organisation when working from home.
The annual survey has consistently found that staff vigilance is of significant importance when it comes to cyber security, and most breaches continue to be those that originate from staff user accounts. To reduce the risk of, and safeguard against, phishing and ransomware attacks, charities should consider focusing in particular on raising staff awareness.
If your organisation does not already provide cyber security training and guidance for staff, implementing this should be a high priority. Cyber security training should be provided as part of wider staff data protection training. If it has been a few years since your last staff training (many charities may not have refreshed this since the GDPR was implemented), or if the charity has seen a change in the way staff members are working as a result of coronavirus, then we suggest carrying out refresher training, as well as reviewing and adapting policies and procedures to support that training. Refresher data protection training should be provided at least once every other year.
Another key safeguard charities can put in place is having a plan for an attack, including thinking through your procedures for detecting and responding in the event of an attack. Identifying key members of staff to take ownership of the response process, and ensuring that all staff know who they are, can assist in timely detection and action.
A resource which may be of assistance with this is the NCSC guidance on mitigating malware and ransomware.
According to the NCSC, key areas which attackers regularly exploit are:
The key here is for the charity to ensure that it has both organisational and technical measures in place to safeguard against cyber-attacks. Organisational measures include the training and the ongoing guidance that staff can refer to. Technical measures are things such as having back-ups in place and secure, up-to-date firewalls.
When assessing whether an organisation is in breach of the UK GDPR information security principles, as part of an investigation, the ICO will often have regard to the NCSC guidance. It is also important to keep in mind charities' obligation to promptly report any serious incidents to the Charity Commission.