Not-for-Profit (NfP) organisations have evolved to utilise various business systems on a par with major commercial enterprises. But not all NfPs have had the opportunity to get these business systems fully set up, creating unintended limitations on agility.
Some of the challenges that an NfP may face as a result include:
- Smaller teams of consultants and technical resources employed
  - Limiting the time to troubleshoot and set up the systems.
  - Continuous pressure to fulfil the daily service requests. Risk to business operations is prioritised and operation optimisation may not make it to the work schedule in time.
- Higher number of temporary workers
  - Although the fundamentals of employee onboarding and offboarding are covered, details around data retention on personal devices may not be fully covered.
Leveraging Microsoft Office 365 (O365) and Azure features, the fundamental capabilities around data security can be seamlessly configured across the system. Protecting business has never been this simple. Recent product enhancements included within your O365 license subscription mean that it has never been easier to implement collaboration and security. Examples include:
- Simplifying assignments of features and privileges across all O365 users. It works as a single gateway to your organisation.
- Allowing you to configure security within O365 at app level. Users opening a Word document on a personal mobile phone can be limited from copying secure data outside the application.
- Microsoft O365 Advanced Threat Protection enables screening of emails based on pattern recognition.
- Microsoft Defender within O365 acts as an antivirus across all the systems, enabling users to interact as if within a virtual private network.
Blackwater Tech works in collaboration with Microsoft to enable NfPs across the UK to overcome the above challenges.
A recent Third Sector and NCSC survey with over 120 charities revealed only half are fully aware of the potential consequences of a cyber-attack, leaving the other half open to emerging threats. Alarmingly, 1 in 10 said it is not even on the boardroom agenda, and 1 in 5 said not a single employee was trained to find a cyber-attack.
There was a 105% surge globally in ransomware attacks last year (Source: Fortune).
1 in 5 charities perceive cyber security to be a low priority and said not a single employee was trained to find a cyber-attack.
“The type of cyber-attack that has the biggest impact is ransomware attacks, where a cyber-criminal has managed to gain access into your charity’s system. Once they are into your system, they will have a good root around to see what they can find, and they will try to get access to as much as possible. It could be a member of staff or volunteer who clicks on that link, so start with a training plan for all your staff and volunteers.”
Becca K, NCSC’s Charity Sector Resilience Lead
Only 34% said cyber security is a high boardroom priority that they review regularly.
Alarmingly, one in 10 said it’s not even on the agenda.
40% said their board members have not recently discussed the potential impact of a cyber-attack within the organisation.
“By being very specific about the types of threat that we face and how investment can counter those threats and reduce the risk of us suffering a major cyber security incident, it’s a lot easier to explain that narrative to the board and get the buy-in you need. Cyber security isn’t just an IT issue, it’s something that affects the whole organisation and needs to be a joined-up approach.”
Gareth Packham, Director of Information Security and Data Protection, Save the Children International
“Go out and seek information from organisations like the NCSC and Charity Commission who have really clear guides of what charities need to be aware of in terms of cybercrime resilience. Understand what you’re doing as a charity to minimise the damage to the charity if it does happen and what you’re doing to ensure you’re building systems and structures that are future-proof.”
Lyndsey Jackson, Deputy Chief Executive, Edinburgh Fringe Society
“Board members are not cyber security experts, but they should understand ‘risk’. Keep it simple and explain what could actually happen, and here is what we can practically do to reduce the possibility of a cyber-attack.”
Stuart McSkimming, Chief Information Officer at the Royal British Legion
“Frame cyber security investment in terms of what could prevent charities from carrying out their work. So, if you are very dependent on technology, think about what would happen if there was a ransomware incident that took out your access to your machines. Could you still deliver services to your beneficiaries?”
Michala Liavaag, founder and managing director, Cybility Consulting
The NCSC offers a range of cyber security advice and guidance for charities including this cyber security guide for boards.
Watch the full video on getting buy-in from the board here.
Shifting organisation culture and educating employees
Charities need to think differently about their cyber security culture. Cyber security isn’t just an IT function, it’s an organisational function. It needs to be embedded within the organisational culture. It’s something everyone needs to be responsible for and do their part.
Fewer than half of charities have a dedicated member of staff responsible for cyber security.
70% don’t have plans to deliver cyber security training in the next 6 months.
“Our job is not to turn everyone into cyber security experts, but they do need to know how to protect themselves, whether that’s using multi-factor authentication or looking out for phishing emails.”
Gareth Packham, director of information security & data protection at Save the Children International
“Cyber security has grown up in this adversarial war-gaming kind of culture, which is really unhelpful, so make sure you don’t blame people if they click a phishing link.”
Ian Levy, Technical Director, NCSC
“There are a lot of people out there from larger charities who are willing to put some time in to mentor smaller charities, so build up connections with people who can give you some honest, simple advice.”
Stuart McSkimming, Chief Information Officer, The Royal British Legion
A good incident management plan is about establishing a framework that guides you through the stages of an incident. What does a good incident response plan look like? Will you have to suspend operations after a cyber-attack? What steps should board members take after an attack? And how often should you review your incident response plan?
30% of charities do not have a process in place to respond to a cyber-attack.
39% of charity board members have not recently discussed the potential impact of a cyber-attack within the organisation.
Only 39% of charities have a process in place to respond quickly to a cyber-attack.
50% of charities have not tested their incident response plans in relation to the heightened risk caused by Russia’s invasion of Ukraine.
5 simple steps to protect your charity
Protect your charity from the most common cyber-attacks with these simple low-cost steps:
- Back up your data
- Keep your smartphones and tablets safe
- Prevent malware damage
- Avoid phishing attacks
- Use passwords to protect your data
Survey respondents feel the three most important elements are: agility and responding quickly to change (55.6%), putting users at the centre of our systems and experiences (49.7%) and automating in-house processes to free up team members to focus on higher value-added tasks (38%).