Cyber Security Guide - Managing
You’ve taken steps to make your organisation more cybersecure. Now you should do two more things:
- Maintain that security
- Capitalise on it
Like any security process, cybersecurity will need to be maintained. This section will provide some straightforward guidance to help with that, including how to get insurance, how to make sure your board has proper oversight, and how to make sure your staff and volunteers help with cybersecurity in appropriate ways.
It will also help you capitalise on your new and improved security. You’ve made your organisation safer and more robust, which is great.
You could, and probably should, get accreditation. You should definitely tell funders that your organisation is well prepared for modern ways of working, modern opportunities - and modern threats.
This section will take you through everything you need to do.
If your organisation is run entirely by one person, or by a small group of people who all took a full part in helping you become cybersecure, there is no need for broader communication with other staff and volunteers.
In all other circumstances, it is important to make sure that everyone involved in the organisation’s day-to-day work has a basic understanding of the steps you have taken and what any new processes are. Everyone will need to know:
- A simple overview of how the charity has become cybersecure
- Their own role in maintaining this new security
The first part should be straightforward. A brief outline of the steps taken by the organisation will do the trick.
The second might differ from person to person, depending on their role within the organisation. If they use secured accounts, they will need to know how to stick to the new password policy. If they use devices, let them know how to keep those secure, keep apps up to date, and how to spot phishing. If they are involved in handling data, tell them how to follow your security policy – and also how to back up information, if that is part of their job.
Communicating your security policy clearly is itself part of having a good policy. For instance, you could have a great process for keeping devices secure in theory, but unless everyone handling those knows what this policy is, your cybersecurity is at risk.
The National Cybersecurity Centre (NCSC) has an online lesson aimed at staff members and volunteers that covers the basics. It takes around half an hour to complete and any beginners should feel more confident if they use this service.
You will want your board to know how you have become cybersecure.
While board members are not usually involved in day-to-day operations – and, if any of them are, the basic tips for staff and volunteers apply to them too – their role in scrutinising the organisation is vital. This includes an ability to assess cybersecurity.
Board members don’t need to be technical experts, but they need to know the basics about what cybersecurity is and about how being cybersecure will boost your organisation’s work and lower its risks. This will allow them to perform their role as scrutineer and help them set targets, as appropriate.
Questions that board members should feel confident in asking include:
- What has our organisation done to make itself cybersecure? Is this sufficient?
- Who has responsibility for ongoing maintenance of our cybersecurity?
- How are we going to assess that cybersecurity is maintained on an ongoing basis? Have we established a baseline, do we need to set any targets, and what structures are in place to make sure we can assess whether our cybersecurity is effective in future?
- Do we, as a board, fully understand how cybersecurity affects not just the organisation, but also our role in overseeing it?
This NICVA guide is a good starting point for anyone who wants to know about cybersecurity. Our tips should allow board members to ask important questions about how you are adapting to the digital age, just as they will help you prepare your organisation for modern risks.
Board members should also be aware that, as senior people within an organisation, they themselves could be the target for cyberattacks. We recommend that, as well as establishing a cybersecurity baseline for your organisation, they make sure their own digital security is up to date.
While they are usually not involved in daily tasks, your board will have an active role to play in response to any cyberattack or breach of cybersecurity. They will need to act quickly, working with staff and volunteers, to ensure your incident response plan is rolled out smoothly and effectively. They may also be part of that plan, for example in telling stakeholders (including service users, regulators, funders and the media) what has happened, what the consequences are, and what is being done to repair any weaknesses and fix any damage.
For that reason, board members should be just as knowledgeable as your staff and volunteers, when it comes to your cyber incident response plan.
The National Cybersecurity Centre (NCSC) has produced a toolkit aimed at board members. This guide provides a more extensive set of advice than is found here. While the NICVA toolkit should cover all essentials, for any board member who wants to know more, the NCSC resource is highly recommended.
The NCSC also goes into some detail about the legal and regulatory aspects of cybersecurity. This should be useful for any board members – although they should also be aware that cybersecurity is an area of rapidly-changing best practice. What is deemed sufficient now might not tick all the boxes next year. As such, board members should be aware they may need to periodically refresh their own knowledge.
Cyber insurance is like any other form of insurance. It is a safety blanket. In the same way that building insurance can be a huge help in the event of a fire, cyber insurance will offer you help in the event of a data breach, phishing attack, or other type of incident.
Like any form of insurance, cyber insurance will not solve all problems and will itself offer no protection against a breach. It can, however, greatly mitigate risk.
In fact, you may already have cybersecurity insurance.
If your organisation has any form of insurance policy, ask your providers if they cover cyberattacks.
When looking to either get your first insurance policy that covers cybersecurity, or to update your current policy, approach things in the same way as with any other insurance.
The most important things are that your policy is comprehensive and affordable.
To ensure a policy addresses all your organisation’s needs, it is important to ask providers the right questions. These might include:
What does the policy cover, and what does it not cover?
This does not just mean whether a policy covers for different types of breach, such as a phishing attack or a lost laptop, but also the extent to which the consequences of a cyberattack are covered.
For instance, a ransomware attack could mean your digital systems become unavailable for a period of time, while a malware attack could cause a significant loss of data that itself both disrupts operations and requires that data to be collected again from other sources.
It is important to know whether your insurance covers the costs accrued indirectly following an attack, as well as direct losses such as a phishing attack resulting in a loss of funds.
Furthermore, cyberattacks are developing – and becoming more sophisticated – over time. Check whether your policy offers a reasonable cover for types of attack that might not even exist yet.
What cybersecurity services are offered as part of the policy?
Insurers may offer consultancy services or risk management as part of their policy. This may include providing resiliency planning in addition to financial protection.
This could be extremely useful, especially if you do not have these skills in house or find the cost of outside consultancy to be prohibitive.
However, while there isn’t really such a thing as being too secure, insurance is about balancing risk. Check the costs. Ultimately, the two core criteria for any insurance policy are that it comprehensively covers your organisation’s own individual needs, and that it is affordable.
What conditions are placed on the organisation in order to comply with the policy?
Insurers will also have questions of their own, including about the steps you have taken to minimise your organisation’s risk of a cyber breach, and what process you have in place to regularly bring your cybersecurity up to date.
Our section on how to communicate that you are cybersecure should help you answer their queries. If you need more information, read below.
When dealing with insurers, you might find the fine details of their policy difficult to understand. Following them might require a professional level of understanding, either of cybersecurity or of insurance law. The NCSC has published its own guide on cyber insurance, which may be of help. If any conversations become too technical, and the insurer’s own customer service team is unable to make you confident in your understanding of their policies, make sure you get some expert advice. Don’t sign up for anything you don’t understand.
Launched in 2014, the UK’s main scheme for cybersecurity accreditation is called Cyber Essentials.
Cyber Essentials was developed by the National Cybersecurity Centre (NCSC), in partnership with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF).
Organisations can gain certification that they have taken basic steps to protect themselves against common online threats. There are two tiers of accreditation, Cyber Essentials and Cyber Essentials Plus.
- Cyber Essentials is suitable for all organisations, of any size, in any sector. It involves self-assessment, and currently costs £300.
- Cyber Essentials Plus involves hands-on technical support from experts. The costs will vary depending on the size of your organisation and the technical expertise and workload involved in checking your security.
Accreditation is the clearest way for any organisation to show their cybersecurity is up to date.
The core Cyber Essentials certificate requires self-assessment, and the process is designed to be as easy to use as possible. Between NICVA’s toolkit and the accessibility of Cyber Essentials, most organisations should be able to handle this themselves. Further support is available in the NCSC’s large volume of cybersecurity tips. The IASME is also available to provide advice.
Bear in mind that Cyber Essentials accreditation is time limited. Certificates expire after 12 months. However, it should be noted that this is both understandable, and potentially useful. Cybersecurity is a fast-evolving area. Refreshing your security processes regularly is important. Reviewing your policies and practices on an annual basis, as a minimum, is highly recommended. Indeed, the technical requirements for Cyber Essentials accreditation have already been updated once in 2022.
All funders want to see best practice. This applies as much to organisational structures as it does to frontline services. And what is meant by “best practice” changes over time.
As cybersecurity becomes more mainstream, it will become part of organisations’ proper due diligence.
Funders, and other supporters, will want to know that charities are as secure as is reasonable and practicable.
The best way to do this is simple: tell them what you’ve done.
If you’ve followed NICVA’s starter tips you will have:
- Backed up your data
- Put good password security in place
- Protected your organisation from viruses and malware, and set up a simple process to keep apps and other software cybersecure
- Put a policy in place to protect devices like laptops, phones and tablets
- Learned how to spot phishing and other scams
- Made a plan to respond to a possible cyber breach
As well as being a checklist of things your organisation should do to stay secure, this is also a list of ways you can illustrate your own cybersecurity.
If you’ve used this NICVA starter guide, you can mention that. If you’ve delved deeper into resources from the NCSC (especially its Cyber Essentials accreditation scheme), mention that. The same for the Northern Ireland Cybersecurity Centre, or any reputable consultancy firm you have worked with on your organisation’s cybersecurity.
If you’re accredited in any way, flag that up. And, of course, if you have appropriate insurance, mention that too (please note that insurers will probably want to know all about the steps you have taken to protect yourself before they give you a policy – the advice in this section, combined with the section on getting cyber insurance, should put you on a sure footing).
When you have taken the steps to protect your organisation, you will already be well-equipped to communicate how cybersecure you have become.
This NICVA toolkit is designed to be an easy-to-use guide to cybersecurity that will help anyone from an absolute beginner to someone with a fair amount of tech fluency.
It should help you understand what cybersecurity is, why it is important to all organisations, and help your organisation become cybersecure in a few simple steps.
However, there are lots of possible reasons you might want more information.
Any NI third sector organisation can contact NICVA for advice in this area.
Further information can be found in several places.
The National Cybersecurity Centre (NCSC) has a huge amount of resources and information. A lot of this is already concisely covered in this NICVA guide, but the NCSC toolkits are longer and go into more detail, if that’s what you feel you need. Their website has sections that go into detail about many of the specific aspects of cybersecurity, such as different types of threats or how to make sure you choose strong passwords.
The Northern Ireland Cybersecurity Centre (NICSC) works with Stormont and with the NCSC to improve the security of local organisations and businesses. They can help answer queries and provide general advice. They have a prominent role in the delivery of the NI Cyber Strategy - A Strategic Framework for Action, which is overseen by the Department of Finance.