Community Leisure UK ezine
May 2022
Charity cyber risk assessment: A guide from Endsleigh

05 Jan 2022

There’s never a good time for a cyber-attack in any business. But with a heavy reliance on fundraising and volunteers, it can seem particularly catastrophic for charities and not-for-profit organisations.

As a leading UK charity insurer, we help protect over 3,000 charities (both large and small). So it’s safe to say we know a lot about the key things that are important to them. For this reason, we’re going to explore cyber risk assessments, so you can do everything in your power to protect your charity from a cyber-attack.

What is cyber security?

Cyber security is the set of measures put in place to protect an organisation from cyber-attacks. Attacks could target networks, systems, programs, devices and data, and could result in irrecoverable damage (financial, legal and reputational) for the charity involved.

Under the General Data Protection Regulation (GDPR), there is also a legal requirement to have appropriate measures in place to protect personal data. These measures include different processes, controls and technologies, all of which aim to reduce risk when it comes to cyber-attacks.

Types of cyber attacks

There are various types of cyber-attacks to be wary of, and charities could be affected by any of them - especially if they’re embracing the digital world. These could include:

• Phishing – Where the attacker tries to get staff to hand over specific information (such as bank details).

• Malware – Where an application is placed on digital devices and malicious activity is carried out.

• Malicious apps – Where sensitive data could be stolen, files could be encrypted with ransomware etc.

• Various other types of attack such as ‘man-in-the-middle’ (MITM), distributed-denial-of-service (DDoS), SQL injection, zero-day exploit, DNS tunnelling and more.

Importance of risk management in cyber security

The startling thing about many cyber-attacks is that with the right measures/training in place, they could have been prevented. This is the main reason why it’s so vitally important to focus on risk management when it comes to cyber security. A risk assessment will help you mitigate risks in your organisation and therefore prevent attacks. This will, in turn, reduce costs for your organisation (via the prevention of potential attackers’ financial gain, any fines you may incur as a result of an attack or by loss of income via reputational damage).

Cyber risk management will also protect your charity’s reputation. A cyber-attack doesn’t look good for any organisation, and despite it not directly being your charity’s fault, in retrospect, there may have been measures you could have taken to prevent it.

How to conduct a cyber risk assessment

A good first step in conducting a cyber risk assessment for your charity is to find a template you can use. This should outline all the areas you may need to consider, plus you could adapt it to include additional areas unique to your organisation.

If your charity doesn’t have someone dedicated to looking after your cyber security, you can find free templates and resources online to work with.

Once you have your template, as a general overview, you’ll need to:

• Consider the scope of the risk assessment

• Identify the key areas that are a cause for concern

• Analyse the risks and potential impact

• Prioritise those risks and document them

• Identify measures to mitigate the risks highlighted and document those too

How to reduce cyber risk

There are lots of things you can do and practices you can implement to help protect your charity from cyber-attacks. Here are a few ideas.

• Review your current security system

Best practices are always changing, and chances are, even if you updated your security system six months ago, you could probably make more updates now. Reviewing your current systems to tighten your cyber security will help maximise controls.

This review could include areas such as:

- Limiting browsers

- Turning off unneeded services

- Limiting access to certain website categories e.g. retail

- Requiring permission to access certain website categories e.g. social media

• Get smarter with password policies

Did you know that although it’s recommended to use a different password per platform, only 21% of people do this? That could mean that 79% of your staff are unknowingly putting your organisation at risk. However, this may not be their fault. If they’ve never had cyber security training, or your charity doesn’t have password policies in place, how are they supposed to know what’s right and wrong?

Getting up to date with password best practices and implementing policies is a good place to start. For example, advising staff to have different passwords for every platform, implementing password managers to support staff in remembering their passwords etc.

• Enforce software updates and security patches

Software updates are released for numerous reasons, the most important being the enhancement of security features. It’s therefore essential for all staff to update their devices as soon as a software update is available. This helps prevent ransomware attacks, data breaches and other online threats, to which charities are much more vulnerable when working with out-of-date software.

• Take special measures for remote working

With 47% of organisations opting to give employees the choice of working remotely once the pandemic is over, it’s a good time to mention that increased online working means increased cyber security risks. You should consider the risks involved and develop remote working policies and procedures. Some things to think about include:

- Office-based IT systems mean a high level of security. However, when we move to working from home, we rely more heavily on the internet and Cloud-based systems as staff need to access files and data online – growing your attack surface and therefore risk of cyber-attack.

- In addition, there are other considerations such as increased risk of phishing attacks. In fact, did you know that a recent report found that there’s been a 600% increase in reported phishing emails since the end of February, with many of these attempts piggybacking off pandemic uncertainty?

Ideally, staff should be encouraged to use their work laptop, which has the relevant remote access and security controls. This will reduce the chances of cyber-attacks, ensure the right defence tools are in place and allow IT to respond efficiently and appropriately should the worst happen.

If your volunteers don’t have work laptops/phones, it may be worth investing in them, further considering the risks involved with using personal devices (particularly when personal/sensitive data is involved) and putting plans in place to mitigate risk.

- Naturally, tired employees make mistakes. And did you know that a recent survey found that remote staff worked on average five hours a week more than office-based staff? This could be due to remote staff over-compensating for the flexibility given to them, or because they can catch up on work in their spare time at home.

If remote workers are putting in more hours, they may grow tired which could result in mistakes. This could mean saving documents in incorrect places, using the wrong data to contact a member, or handing over confidential information to an attacker. Therefore, promoting the importance of staff wellbeing is a vital step in reducing cyber risk.

These are just a few things to consider when thinking about implementing remote working policies.

• Team training

Once you’ve implemented your policies and guidance, you’ll need to make sure staff are kept up to date. This could include regular training courses to ensure they’re fully aware of all the latest best practice and how this coincides with your charity’s policies.

• Data encryption

Storing sensitive data in plain text (unencrypted) format can cause huge security risks for your charity. A solution to this can be encrypting your data, which will protect it against hackers. If you have an IT team, they will be able to help with this. And if you don’t have an in-house IT team, it may be worth speaking to a specialist for some specific advice.

• Do not store credit card information

This may seem like a simple point, but you’d be surprised by the number of people who still store financial information on their computers. Whether it’s staff who don’t want to keep troubling stakeholders for access to the credit card, or team members who aren’t familiar with cyber security best practices, tying this into your training is an extremely important step in mitigating cyber risk.

• Limit login attempts

A common way for hackers to gain entry to your charity’s systems is via staff passwords. Limiting password login attempts (for example, three strikes and you need to speak to IT) can help you prevent attacks and keep your systems safe and secure.

This may be frustrating for staff if they’re known for forgetting their passwords and locking themselves out, but implementing the password manager we mentioned above should hopefully help maintain productivity as well as keep your charity’s systems safe.
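As an added illustration of the "three strikes" rule described above (example code, not Endsleigh's or any product's own), the sketch below applies the policy to a constructed list of login events. The class, function and account names are hypothetical; only the threshold of three comes from the text.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 3  # "three strikes" threshold taken from the text


@dataclass
class LockoutPolicy:
    """Hypothetical helper: counts consecutive failed logins per account."""
    max_failures: int = MAX_FAILURES
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record(self, user: str, success: bool) -> str:
        """Apply one login event and return the decision for it."""
        user = user.strip().lower()        # "Bob" and "bob " are the same account
        if user in self.locked:
            return "locked"                # even a correct password is refused
        if success:
            self.failures.pop(user, None)  # a good login clears earlier strikes
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_failures:
            self.locked.add(user)
            return "locked"
        return "failed"

    def it_reset(self, user: str) -> None:
        """IT unlocks the account after verifying who is asking."""
        user = user.strip().lower()
        self.locked.discard(user)
        self.failures.pop(user, None)


# Constructed sample events: (account, password_was_correct)
SAMPLE_EVENTS = [
    ("alice", False), ("alice", True),                # one typo, then success
    ("bob", False), ("Bob", False), ("bob ", False),  # three strikes
    ("bob", True),                                    # correct password arrives too late
    ("alice", False), ("alice", False),               # two new strikes, below the limit
]


def replay(events, policy=None):
    """Run events through the policy; return per-event decisions and the policy."""
    policy = policy or LockoutPolicy()
    return [(user, policy.record(user, ok)) for user, ok in events], policy


if __name__ == "__main__":
    decisions, policy = replay(SAMPLE_EVENTS)
    for user, decision in decisions:
        print(f"{user!r:8} -> {decision}")
    print("Accounts needing an IT reset:", sorted(policy.locked))
```

Because the lock stays in place until IT clears it, the route for reaching IT needs to work whenever staff do, including when they are working remotely.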

• Implement a suspicious activity escalation plan

It’s a good idea to have a process in place for when suspicious activity is observed. Depending on your charity’s structure, this could involve your in-house IT team immediately being able to shut down access to servers etc. or contacting the agency who manages your IT with an urgent request to follow the ‘kill switch’ protocol!

• Have a crisis management plan in place

In the event that an attack does take place, having a crisis management plan and team dedicated to dealing with the issue is a sensible idea. This could include outlining responsibilities for briefing IT, communicating to staff, communicating to members/customers etc., liaising with PR agencies, providing updates and so on. It would ideally provide guidance on every step of the crisis management plan from start to finish.

• Consider cyber insurance

An additional step to help safeguard your charity from the implications of a cyber-attack is investing in cyber insurance. Cyber insurance covers loss of income, legal protection and compensation claims following a cyber-attack, plus social engineering or phishing attacks.

These types of attacks are an increasing threat in the digital age and all types of organisations should take the threat seriously.

With over 30 years’ experience and over 3,000 not-for-profit customers in the UK, we’re able to provide competitive coverage, expert consultation and specialist advice for charities, community groups and not-for-profit organisations.

If you’re interested in cyber insurance for your charity, speak to one of our specialist team and get a quote today.

Cyber security guidelines

Once you have your risk management plan mapped out, and you’ve identified your risks, how to mitigate them and how to communicate this to your staff, you’ll likely need to put some cyber security guidelines in place so your teams can follow the specific policies.

It may be a good idea to create a hub of cyber security policies easily accessible to all staff and implement some training to complement these policies. For example, cyber security training built around the following policies:

• Password policy

• Software update for digital devices policy

• Data encryption policy

• Remote working policy

As a charity, you may not consider it a priority to commit vast amounts of resource to cyber protection. However, a sensible approach would be weighing up the implications of a potential attack on your charity and putting measures in place to mitigate the risks.

A good starting point for small charities who may not want to commit the resource could be the Cyber Security small charity guide from the National Cyber Security Centre (NCSC). This guide provides tips on improving cyber security quickly, easily and most importantly, at low cost.

You can also read more about cyber threat to the UK charity sector here.

This e-zine is produced and distributed on behalf of Community Leisure UK by Leisure Media, publisher of Leisure Opportunities, HCM and Sports Management