Do you feel confident to manage one of the most contemporary risks to your charity – a cyber attack? Kate Sinnott, head of charity engagement at The National Cyber Security Centre raises the question and bust some myths.
With many charities increasingly reliant on IT, losing access to that technology, having funds stolen or suffering a data breach through a cyber attack could be devastating, both financially and reputationally.
The findings from Cyber Security Breaches Survey 2019 shows just how many charities are coming under cyber attack:
- 65% of charities (£500k+ income) recorded a breach or attack in 2018
- 40% of those charities reported attacks or breaches occurring at least once a month
- Fraudulent (phishing) emails occurred in 81% of affected charities
- Cost of a breach between £300 – £100,000, with an average of £9,470
Charity leaders have a pivotal role to play in improving the cyber security of their organisation but, fortunately, this doesn’t mean that you need to be a technical expert. However, you do need to know enough about cyber security to be able to have a fluent conversation with your IT staff. To enable this, it’s important to know the right questions to ask and be confident the answers you are receiving are appropriate. So…
What is cyber security?
Cyber security is the protection of devices, services and networks – and the information on them – from theft or damage via electronic means.
What do I need to know about cyber security?
There are three common myths concerning cyber security. Understanding why they’re incorrect will help you understand some key aspects of cyber security.
Myth #1: Cyber is complex, I don’t and won’t understand it.
Reality: You don’t need to be a technical expert to make an informed cyber security decision.
We all make security decisions every day (whether to put the alarm on, for example) without necessarily knowing how the alarm works. Boards regularly make financial or risk decisions without needing to know the details of every account or invoice. The board should rely on its IT experts to provide insight so that the board can make informed decisions about cyber security.
Myth #2: Cyber attacks are sophisticated, I can’t do anything to stop them.
Reality: Taking a methodical approach to cyber security and enacting relatively small changes can greatly reduce the risk to your organisation.
The vast majority of cyber attacks are still based upon well-known techniques (such as phishing emails) which can be defended against. Some threats can be very sophisticated, using advanced methods to break into extremely well-defended networks, but we normally only see that level of commitment and expertise in attacks by nation states. Most charities are unlikely to be the target of a sustained effort of this type, and even those that are will find that even the most sophisticated attacker will start with the simplest and cheapest option, so as not to expose their advanced methods.
Myth #3: Cyber attacks are targeted, I’m not at risk.
- Reality: Many cyber attacks are opportunistic and any organisation could be impacted by these untargeted attacks.
The majority of cyber attacks are untargeted and opportunistic in nature, with the attacker hoping to take advantage of a weakness (or vulnerability) in a system, without any regard for who that system belongs to. These can be just as damaging as targeted attacks; the impact of the WannaCry attack in 2017 on organisations across the globe being a good example. If you’re connected to the internet then you are exposed to this risk. This trend of untargeted attacks is unlikely to change because every organisation including your charity – will have value to an attacker, even if that is simply the money you might pay in a ransomware attack.
Encouragingly, the Cyber Security Breaches Survey showed that 75% of charities now see cyber security as a high priority. And, here at the National Cyber Security Centre, we want to do everything we can to help charities translate this priority into action – to help charity leaders enhance your cyber security even further.
A big part of this is the launch of our new Board Toolkit. This has been created to encourage essential discussions about cyber security to take place between an organisation’s leaders and their technical experts. We want to help charity leaders manage the risks of cyber security in a way that works for them and their charity. To do that, we need to get boards to get just a little bit technical if they are going to do this job effectively.
The Board Toolkit covers a range of cyber security topics, starting with an introduction to cyber security specifically written for board members. Other topics include understanding the threat, collaborating with suppliers and partners, and planning a response to a cyber incident. Each topic is filled with straightforward guidance and helpful questions that board members can ask their technical teams.
Please do visit our website to explore the toolkit in more detail and start to use it to facilitate that essential cyber security discussion with your IT team.
 Department for Digital, Culture, Media and Sport – Cyber Security Breaches Survey 2019