Cyber criminals are targeting charities too. PA Consulting's David Rees provides some simple steps to promote security.
What would happen if your charity let a client’s personal data fall into the wrong hands? Not in terms of legal penalties or reputational damage, but in terms of the impact on that person’s life. Would leaked data put someone who is already vulnerable at risk of harm, financial loss or even blackmail?
If you think cyber criminals don’t target charities, I’m afraid to say you’re wrong. Last year, the Information Commissioner’s Office reported that the charity sector was responsible for 21 data security incidents in just one quarter.
The consequences can be devastating. Just imagine abusers getting information held by a charity looking after victims of domestic violence. The impact of data breaches on individual lives must be a key concern in any discussion by charities of data protection, cyber security and the EU General Data Protection Regulation (GDPR).
Seriousness of the threat
The UK government’s National Cyber Security Centre (NCSC) has joined that discussion, attending a recent event at which charities examined the situation. The NCSC’s involvement shows how serious the threat to the sector is.
During the event, several key areas of cyber security were hotly debated, and some key questions and conclusions emerged:
- Are charities at special risk of cyber attacks? There’s no evidence that charities are singled out as a specific target for cyber attacks. But that doesn’t mean they won’t be hit. Millions of attacks occur every day and criminals see value in hitting all types of organisations. What could put a charity at increased risk is a trusting nature or a degree of naivety.
- Cyber security is everyone’s business. It has been said for many years that people are the weakest link in cyber security. To mitigate this, a number of charities undertake security training and awareness campaigns for employees. However, given the culture of charities and the number of volunteers involved, it is proving difficult to embed the behavioural changes needed to support effective cyber security processes within the organisation.
Powerful engagement
Thinking about what it’s like to let clients down can be a powerful way to engage staff, volunteers and trustees with cyber security and data protection. Many – especially volunteers less comfortable with technology – struggle to see why cyber security and data protection procedures apply to them. Drawing the connection between following rules and protecting clients can cast a new and helpful light.
Getting everyone to understand the role they play in keeping data safe is vital. This is because cyber security is only ever as strong as the weakest link, and all too often that weakest link is human behaviour. Having systems and security software (such as firewalls and anti-virus solutions) set up in the right way is equally vital, though those are tasks for IT colleagues.
To help individuals play their role in cyber security, there are three actions which are easy to implement and which everyone, from trustees and senior management to operational staff and volunteers, can undertake:
- Be clever with your passwords. Incredibly, as The Daily Telegraph reported in January 2017, the most popular password in 2016 across America and Western Europe was “123456”, with nearly 50% of people using one of the 25 most common passwords. A simple step to improve security is to avoid references to favourite sports, birthdays and years of birth and to use seemingly random characters instead. Ideally use a different password for each site and, if that makes them hard to remember, use password manager software to store them.
- Protect smartphones and tablets. These devices, which are used when out and about, need even more protection than desktop PCs. Simple things like switching on a PIN or password reduce vulnerability. Configure devices so that they can be geo-located, remotely locked or wiped if they are lost or stolen. Avoiding public Wi-Fi hotspots when sending sensitive data is also key.
- Avoid becoming a victim of phishing attacks. In phishing attacks, scammers send fake emails asking for sensitive details or encouraging the user to click on a link to a malicious website. Phishing emails often contain poor spelling, grammar and punctuation. They frequently start with “Dear valued customer” or “Dear colleague” and contain a request which looks urgent. Look out for emails from senior colleagues asking for information or action out of the ordinary, or from third parties suggesting that a large donation will be made in return for banking details.
Is cyber security the right place to spend? Investing in cyber security and data protection is frustrating when you could direct the same resources to support your mission directly. Thinking through the implications of a major data breach brings everything into perspective. The reputational damage can be catastrophic. Donors may withdraw support and other agencies could become reluctant to partner with you. Even the people you want to help might think twice about turning to you for support.
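The phishing warning signs listed above (a generic greeting, an urgent request, a request for banking details, a large donation offered in return for bank details, and a senior colleague asking for something out of the ordinary) can be turned into a simple triage rule that a mail administrator or a volunteer with basic scripting skills could run over a mailbox export. The Python script below is an added example, not code from this article, from PA Consulting or from the NCSC. The charity domain, the staff directory and the three sample emails are constructed for illustration, and the check that compares a sender's display name against the address domain is an addition to the article's list, since "a senior colleague" writing from a personal webmail address is the usual form that impersonation takes.

```python
"""Heuristic phishing screen run over constructed sample emails (added example)."""
import re

# Indicators taken from the article's description of phishing emails.
GENERIC_GREETINGS = ("dear valued customer", "dear colleague", "dear customer", "dear user")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "as soon as possible", "right away", "today")
BANK_DETAILS = ("bank details", "banking details", "account number", "sort code", "iban")
DONATION_BAIT = ("donation", "donate", "grant")

# Assumption: the charity's own mail domain and a small directory of senior staff,
# as a real deployment would pull from its address book.
INTERNAL_DOMAIN = "example-charity.org"
SENIOR_STAFF = {"Jane Smith": "chief executive", "Tom Brown": "finance director"}


def parse_sender(from_header):
    """Split 'Display Name <addr@domain>' into (display name, lower-cased domain)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', from_header)
    if m:
        name, addr = m.group(1).strip(), m.group(2).strip()
    else:
        name, addr = "", from_header.strip()
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def score_email(msg):
    """Return (score, reasons) for a message dict with 'from', 'subject' and 'body'."""
    text = (msg["subject"] + "\n" + msg["body"]).lower()
    body_lines = msg["body"].strip().splitlines()
    first_line = body_lines[0].lower() if body_lines else ""
    reasons = []
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        reasons.append("generic greeting")
    if any(w in text for w in URGENCY_WORDS):
        reasons.append("urgent request")
    if any(w in text for w in BANK_DETAILS):
        reasons.append("asks for banking details")
        if any(w in text for w in DONATION_BAIT):
            reasons.append("donation offered in return for banking details")
    # Display-name impersonation: a senior colleague's name on an external address.
    name, domain = parse_sender(msg["from"])
    if name in SENIOR_STAFF and domain != INTERNAL_DOMAIN:
        reasons.append(f"display name of the {SENIOR_STAFF[name]} but external domain {domain}")
    return len(reasons), reasons


def triage(msg, threshold=2):
    """Flag a message for manual review when two or more indicators coincide."""
    score, reasons = score_email(msg)
    return ("flag" if score >= threshold else "pass"), reasons


# Constructed sample messages: CEO impersonation, donation bait, and a genuine internal mail.
SAMPLES = [
    {
        "from": "Jane Smith <jane.smith@gmail.example>",
        "subject": "Urgent: need your help",
        "body": "Hi, I'm in a meeting and need you to send me the account number for our main account immediately.",
    },
    {
        "from": "Mr Okoro <okoro@foreign.example>",
        "subject": "Large gift for your charity",
        "body": "Dear valued customer,\nI wish to make a large donation to your charity. Please send your bank details today.",
    },
    {
        "from": "Jane Smith <jane.smith@example-charity.org>",
        "subject": "Trustee meeting minutes",
        "body": "Hi all,\nAttached are the minutes from Tuesday. Thanks, Jane.",
    },
]

if __name__ == "__main__":
    for msg in SAMPLES:
        verdict, reasons = triage(msg)
        print(f"{verdict:4s}  {msg['subject']!r}  {'; '.join(reasons) or 'no indicators'}")
```

The threshold of two indicators is a deliberate choice: a single word like "today" appears in plenty of legitimate mail, but an urgent request for bank details from an external address is exactly the pattern the article describes, and a rule like this is only a prompt for a human to pick up the phone and check, not a substitute for that call.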
Only option
So investing in strong cyber security and good data protection is the only option. On the upside, getting the right controls and culture in place can help you protect data more efficiently. You’ll be freer to focus on your mission.
To help those with stretched resources, the NCSC has created a Cyber Security Small Charity Guide which gives simple, free (or low cost) steps that will help protect your charity. If there’s one investment to make, it’s in spending time reading this.
The EU GDPR is forever. If you’ve already invested in getting your cyber security and data protection in shape, you could be well on the way to meeting the new GDPR requirements. They are an evolution of existing requirements, with a few new ones around unambiguous consent and the right to erasure (the “right to be forgotten”) thrown in.
If your preparations are less advanced, the race to become GDPR-compliant could induce a mild panic. In truth, the date the regulation comes into effect marks the start of a journey. Beyond it, every organisation in every sector will need to continue developing its data protection policies and procedures to reflect technological advances.
With more data comes more responsibility. Data-driven technologies are reshaping society. Some, like telecare for older people, are already helping make lives easier. Others, like the Join Dementia Research portal or the National Institute for Health Research collaboration hub, are accelerating research into conditions that affect millions. Data can be used for good. To operate in this data-rich world and reap the benefits for clients, charities need to take data protection seriously.
David Rees is head of charity and third sector services at PA Consulting Group