Cyber security - a growing threat to the third sector
The recent media coverage of the global cyber attack which affected many NHS systems in the UK has brought the debate into boardrooms, offices, homes and pubs across the country. You and your organisation should be taking the threat and risks seriously, but where do you start?
Firstly, it is worth noting that cyber attacks come in many different forms and every system is vulnerable to some extent. Having good computer systems and software isn't enough either - many of these complex systems can be undermined by inadvertent (or sometimes deliberate) actions by people in our organisations. The days of cyber criminals targeting NASA, governments and banks for the notoriety are long gone - modern cyber attacks are indiscriminate: they seek to exploit weaknesses in any IT system and scour the internet looking for vulnerabilities. These attacks are largely fully automated, probing millions of internet addresses every hour (every device connected to the internet has a unique address), and they are happening every minute of every day.
Some attacks are more obvious - dodgy e-mails asking you to click on a link or open an attachment. Doing that runs the risk of harmful code being run on your device, potentially compromising your whole system and all of the passwords and data stored on it.
Compromises of your IT security can lead to theft, loss or encryption of your files. This may also result in breaches of law which can have financial and legal implications beyond the inconvenience for staff and volunteers, IT costs and potential for negative publicity. Data protection and how you store personal data about your staff, volunteers, members, service users and so on are key considerations. Being a small organisation, or not having technical expertise or, even worse, not really knowing what the various pieces of legislation say or mean, are not acceptable excuses!
This is a complex matter and we can't cover all of the risks and suggestions for managing the risks here. Here's a very brief summary:
Every single computer is at risk of a cyber attack - it's automated and the software doesn't know whether it's a community group or a global bank, so your computers are at risk;
Anti-virus software and a firewall are not enough (the NHS invests heavily in both!);
Attacks can be quick and fairly devastating - destroying all data or stealing usernames, passwords, bank and credit card details (they'll typically also destroy any family photos, personal documents and so on at the same time of course);
Paying a ransom is rarely going to result in you getting all of your data back and your insurers are not always guaranteed to pay out;
The attacks and the code behind them are evolving all of the time to stay ahead of anti-virus software and IT companies - keeping on top of it requires constant diligence and effort;
Many organisations are required by law to ensure appropriate information security arrangements are in place;
Training your people is just as important as ensuring your IT systems are up to date and secure;
Simply installing the latest versions of Windows, security patches/fixes and so on isn't enough;
Attacks can, and do, cost thousands of pounds and significant disruption.
So, what can be done about it?
We strongly recommend that every organisation that uses computers conducts a risk assessment and takes appropriate action to manage the risks. Boards/Committees should take responsibility for ensuring this happens and that actions are implemented. We also list below some basic steps that can be taken straight away to help mitigate some of the basic risks (please note this is a basic list and is only a small example of the kinds of steps you should be taking):
Ensure software on your computers is up to date - especially Microsoft Windows, Microsoft Office, Adobe Acrobat and anti-virus software;
Ensure you have firewalls in place;
Do not open attachments in e-mails that you were not expecting or click on links in e-mails unless you can be certain that it's legitimate (many e-mails appear to come from people or organisations you know - it is incredibly easy to fake such e-mails);
Ensure you have proper backups of your systems and/or data (and check the backups regularly to ensure they really are doing what you expect them to be doing!);
Use different passwords for your various logins, make the passwords complex and change them regularly (and don't write them down where people can see them!);
Make sure staff and volunteers know how to use computers safely and what they can and can't do (personal use, social media, taking files off-site on memory sticks, encrypting data and so on).
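The backup step above is the one most organisations get wrong: the backup job reports success, but nobody ever tries to restore from it. The script below is an added example written for this article (it is not FVA's code and FVA does not publish scripts) showing what "check the backups regularly" means in practice: record a checksum of every file before backing up, then prove the backup is good by restoring it into a scratch folder and comparing every restored file against those checksums. It assumes a POSIX shell with `tar` and GNU `sha256sum` available; the sample files, folder names and archive paths are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the FVA article: back up a folder and then verify
# the backup by doing a real restore and checking every file's SHA-256 hash.
# Assumes POSIX sh, tar and GNU sha256sum. All paths below are constructed.

set -u

# make_backup SRC_DIR ARCHIVE MANIFEST
# Writes a checksum manifest of every file under SRC_DIR (paths relative to
# SRC_DIR, so it can be checked against a restored copy) and a tar archive.
make_backup() {
    src="$1"; archive="$2"; manifest="$3"
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$manifest" || return 1
    tar -cf "$archive" -C "$src" . || return 1
    return 0
}

# verify_backup ARCHIVE MANIFEST
# Restores the archive into a fresh scratch directory and checks every file
# listed in the manifest. Returns 0 only if every checksum matches, so a
# backup that silently dropped or corrupted a file is caught here rather
# than on the day you actually need it. MANIFEST must be an absolute path.
verify_backup() {
    archive="$1"; manifest="$2"
    scratch=$(mktemp -d) || return 1
    if ! tar -xf "$archive" -C "$scratch"; then
        rm -rf "$scratch"; return 1
    fi
    # sha256sum -c re-reads each listed file under the restored tree and
    # fails on any mismatch or missing file.
    if ( cd "$scratch" && sha256sum -c --quiet "$manifest" ); then
        rm -rf "$scratch"; return 0
    fi
    rm -rf "$scratch"; return 1
}

# run_demo
# Builds a small constructed data folder, backs it up, verifies it, then
# simulates a backup that lost a file and confirms the check detects it.
# Returns 0 when the good backup verifies AND the bad one is rejected.
run_demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/data/minutes"
    printf 'AGM minutes (constructed sample)\n' > "$base/data/minutes/agm.txt"
    printf 'name,role\nA. Volunteer,treasurer\n' > "$base/data/volunteers.csv"

    make_backup "$base/data" "$base/backup.tar" "$base/backup.sha256" || return 1

    good=0
    verify_backup "$base/backup.tar" "$base/backup.sha256" || good=$?

    # Simulate a broken backup job: rebuild the archive with a file missing,
    # while the manifest still records what should have been there.
    rm "$base/data/volunteers.csv"
    tar -cf "$base/backup.tar" -C "$base/data" .
    bad=0
    verify_backup "$base/backup.tar" "$base/backup.sha256" || bad=$?

    rm -rf "$base"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}

if [ "${1:-}" = "--demo" ]; then
    if run_demo; then
        echo "good backup verified; incomplete backup detected"
    else
        echo "demo failed" >&2
        exit 1
    fi
fi
```

Run it with `sh backup_check.sh --demo`. In real use you would point `make_backup` at the folder you care about, keep the manifest alongside the archive, and run `verify_backup` on a schedule (and after any change to the backup job), treating a non-zero exit as something that needs a person to look at it.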
What is FVA doing to help the local third sector?
We're putting together some briefing papers to explore some of these topics in more detail and we'll publish these on our website over the next few weeks.
We're also going to be hosting information sessions for local organisations to come along and hear about cyber security and data protection in a bit more detail, engage in discussion with other organisations and have questions answered. Once dates and venues are identified we'll promote these sessions on our website and in our e-bulletins. You can register interest in these information sessions by dropping an e-mail to [email protected]
So, the best way to find out what's happening and when good practice information is published is to ensure you get our e-bulletins: sign up here.
We're not an IT support provider, but can offer some advice in some circumstances - please contact us if you need help.
In the meantime, you can read more about these topics at the following websites: