April 2024
Charity cyber risk assessment: A guide from Endsleigh

05 Jan 2022

There’s never a good time for a cyber-attack in any business. But with a heavy reliance on fundraising and volunteers, it can seem particularly catastrophic for charities and not for profit organisations.

As a leading UK charity insurer, we help protect over 3,000 charities (both large and small). So it’s safe to say we know a lot about the key things that are important to them. For this reason, we’re going to explore cyber risk assessments, so you can do everything in your power to protect your charity from a cyber-attack.

What is cyber security?

Cyber security is the set of measures put in place to protect an organisation from cyber-attacks. Attacks could target networks, systems, programs, devices and data, and could result in irrecoverable damage (financial, legal and reputational) for the charity involved.

Under the General Data Protection Regulation (GDPR), there is also a legal requirement to have appropriate measures in place to protect personal data. The measures put in place include different processes, controls and technologies, all of which aim to reduce the risk of cyber-attacks.

Types of cyber attacks

There are various types of cyber-attacks to be wary of, and charities could be affected by any of them - especially if they’re embracing the digital world. These could include:

• Phishing – Where the attacker tries to get staff to hand over specific information (such as bank details).

• Malware – Where an application is placed on digital devices and malicious activity is carried out.

• Malicious apps – Where sensitive data could be stolen, files could be encrypted with ransomware etc.

• Various other types of attack such as ‘man-in-the-middle’ (MITM), distributed denial-of-service (DDoS), SQL injection, zero-day exploits, DNS tunnelling and more.

Importance of risk management in cyber security

The startling thing about many cyber-attacks is that, with the right measures and training in place, they could have been prevented. This is the main reason why it’s so vitally important to focus on risk management when it comes to cyber security. A risk assessment will help you mitigate risks in your organisation and therefore prevent attacks. This will, in turn, reduce costs for your organisation: it denies attackers their financial gain, avoids any fines you may incur as a result of an attack and protects against loss of income through reputational damage.

Cyber risk management will also protect your charity’s reputation. A cyber-attack doesn’t look good for any organisation, and even if it is not directly your charity’s fault, in retrospect there may have been measures you could have taken to prevent it.

How to conduct a cyber risk assessment

A good first step in conducting a cyber risk assessment for your charity is to find a template you can use. This should outline all the areas you may need to consider, plus you could adapt it to include additional areas unique to your organisation.

If your charity doesn’t have someone dedicated to looking after your cyber security, you can find free templates and resources online to work with.

Once you have your template, as a general overview, you’ll need to:

• Consider the scope of the risk assessment

• Identify the key areas that are a cause for concern

• Analyse the risks and potential impact

• Prioritise those risks and document them

• Identify measures to mitigate the risks highlighted and document those too

How to reduce cyber risk

There are lots of things you can do and practices you can implement to help protect your charity from cyber-attacks. Here are a few ideas.

• Review your current security system

Best practices are always changing, and chances are, even if you updated your security system six months ago, you could probably make more updates now. Reviewing your current systems to tighten your cyber security will help maximise controls.

This review could include areas such as:

- Limiting which browsers may be used

- Turning off unneeded services

- Limiting access to certain website categories e.g. retail

- Requiring permission to access certain website categories e.g. social media

• Get smarter with password policies

Did you know that although it’s recommended to use a different password per platform, only 21% of people do this? That could mean that 79% of your staff are unknowingly putting your organisation at risk. However, this may not be their fault. If they’ve never had cyber security training, or your charity doesn’t have password policies in place, how are they supposed to know what’s right and wrong?

Getting up to date with password best practices and implementing policies is a good place to start. For example, advise staff to use a different password for every platform, and provide a password manager so they do not have to remember them all.

• Enforce software updates and security patches

Software updates are released for numerous reasons, the most important being improvements to security. It’s therefore essential for all staff to update their devices as soon as a software update is available. This helps prevent risks such as ransomware attacks, data breaches and other online threats, which make charities much more vulnerable when they work with out-of-date software.

• Take special measures for remote working

With 47% of organisations opting to give employees the choice of working remotely once the pandemic is over, it’s a good time to mention that increased online working means increased cyber security risks. You should consider the risks involved and develop remote working policies and procedures. Some things to think about include:

- Office-based IT systems typically offer a high level of security. However, when we move to working from home, we rely more heavily on the internet and Cloud-based systems as staff need to access files and data online – growing your attack surface and therefore your risk of cyber-attack.

- In addition, there are other considerations such as an increased risk of phishing attacks. In fact, did you know that a recent report found a 600% increase in reported phishing emails since the end of February? Many of these attempts piggyback off pandemic uncertainty.

Ideally, staff should be encouraged to use their work laptop, which has the relevant remote access and security controls. This will reduce the chances of cyber-attacks, ensure the right defence tools are in place and allow IT to respond efficiently and appropriately should the worst happen.

If your volunteers don’t have work laptops/phones, it may be worth investing in them, further considering the risks involved with using personal devices (particularly when personal/sensitive data is involved) and putting plans in place to mitigate risk.

- Naturally, tired employees make mistakes. And did you know that a recent survey found that remote staff worked on average five hours a week more than office-based staff? This could be due to remote staff over-compensating for the flexibility given to them, or because they can catch up on work in their spare time at home.

If remote workers are putting in more hours, they may grow tired which could result in mistakes. This could mean saving documents in incorrect places, using the wrong data to contact a member, or handing over confidential information to an attacker. Therefore, promoting the importance of staff wellbeing is a vital step in reducing cyber risk.

These are just a few things to consider when thinking about implementing remote working policies.

• Team training

Once you’ve implemented your policies and guidance, you’ll need to make sure staff are kept up to date. This could include regular training courses to ensure they’re fully aware of all the latest best practice and how this coincides with your charity’s policies.

• Data encryption

Storing sensitive data in plain text can cause huge security risks for your charity. A solution to this is encrypting your data, which will protect it against hackers. If you have an IT team, they will be able to help with this. And if you don’t have an in-house IT team, it may be worth speaking to a specialist for some specific advice.

• Do not store credit card information

This may seem like a simple point, but you’d be surprised by the amount of people who still store financial information on their computers. Whether it’s staff who don’t want to keep troubling stakeholders for access to the credit card, or team members who aren’t familiar with cyber security best practices, tying this into your training is an extremely important step in mitigating cyber risk.

• Limit login attempts

A common way for hackers to gain entry to your charity’s systems is via staff passwords. Limiting password login attempts (for example, three strikes and you need to speak to IT) can help you prevent attacks and keep your systems safe and secure.

This may be frustrating for staff if they’re known for forgetting their passwords and locking themselves out, but implementing the password manager we mentioned above should hopefully help maintain productivity as well as keep your charity’s systems safe.
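The lockout rule described above (three failed attempts, then only IT can unlock), as an added illustrative example that is not Endsleigh's code: it stores salted password hashes, locks the account on the third failure, records an alert that can feed the escalation plan described later, and gives the same answer for an unknown username as for a wrong password. The in-memory account store, the sample user and the event list are constructed for the example.

```python
"""Three-strike login lockout with IT-only unlock (illustrative example).

Assumptions: accounts live in an in-memory dictionary and a plain list of
event strings stands in for the charity's suspicious-activity escalation.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

MAX_ATTEMPTS = 3  # "three strikes and you need to speak to IT"


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2 hash, so a stolen account table does not expose passwords."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class LoginService:
    accounts: dict = field(default_factory=dict)
    events: list = field(default_factory=list)  # feeds the escalation plan

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def login(self, username: str, password: str) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"  # same answer as a bad password: no username enumeration
        if acct.locked:
            self.events.append(f"login attempt on locked account {username}")
            return "locked"  # even the correct password does not clear a lock
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):  # constant-time comparison
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.locked = True
            self.events.append(f"ALERT: {username} locked after {MAX_ATTEMPTS} failures")
            return "locked"
        return "denied"

    def it_unlock(self, username: str) -> None:
        """Run by IT only, after they have verified who is asking."""
        acct = self.accounts[username]
        acct.locked = False
        acct.failed_attempts = 0
        self.events.append(f"IT unlocked {username}")
```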

• Implement a suspicious activity escalation plan

It’s a good idea to have a process in place for when suspicious activity is observed. Depending on your charity’s structure, this could involve your in-house IT team being able to shut down access to servers immediately, or contacting the agency that manages your IT with an urgent request to follow the ‘kill switch’ protocol.

• Have a crisis management plan in place

In the event where an attack does take place, having a crisis management plan and team dedicated to dealing with the issue is a sensible idea. This could include outlining responsibilities for briefing IT, communicating to staff, communicating to members/customers etc., liaising with PR agencies, providing updates and so on. It would ideally provide guidance on every step of the crisis management plan from start to finish.

• Consider cyber insurance

An additional step to help safeguard your charity from the implications of a cyber-attack is investing in cyber insurance. Cyber insurance covers loss of income, legal protection and compensation claims following a cyber-attack, plus social engineering or phishing attacks.

These types of attacks are an increasing threat in the digital age and all types of organisations should take the threat seriously.

With over 30 years’ experience and over 3,000 not-for-profit customers in the UK, we’re able to provide competitive coverage, expert consultation and specialist advice for charities, community groups and not-for-profit organisations.

If you’re interested in cyber insurance for your charity, speak to one of our specialist team and get a quote today.

Cyber security guidelines

Once you have mapped out your risk management plan, identified your risks and how to mitigate them, and communicated this to your staff, you’ll likely need to put some cyber security guidelines in place so your teams can follow the specific policies.

It may be a good idea to create a hub of cyber security policies that is easily accessible to all staff, and to implement some training to complement these policies. For example, cyber security training built around:

• Password policy

• Software update for digital devices policy

• Data encryption policy

• Remote working policy

As a charity, you may not consider it a priority to commit vast amounts of resource to cyber protection. However, a sensible approach would be weighing up the implications of a potential attack on your charity and putting measures in place to mitigate the risks.

A good starting point for small charities who may not want to commit the resource could be the Cyber Security small charity guide from the National Cyber Security Centre (NCSC). This guide provides tips on improving cyber security quickly, easily and most importantly, at low cost.

You can also read more about cyber threat to the UK charity sector here.

The Community Leisure UK ezine is published in association with leisureopportunities.co.uk
This e-zine is produced and distributed on behalf of Community Leisure UK by Leisure Media, publisher of Leisure Opportunities, HCM and Sports Management