voluntary organisations, social enterprises and volunteering
Cyber security - a growing threat to the third sector
Created: 25/05/2017
The recent media coverage of the global cyber attack which affected many NHS systems in the UK has brought the debate into boardrooms, offices, homes and pubs across the country. You and your organisation should be taking the threat and risks seriously, but where do you start?
Firstly, it is worth noting that cyber attacks come in many different forms and every system is vulnerable to some extent. Having good computer systems and software isn't enough either - many of these complex systems can be undermined by inadvertent (or sometimes deliberate) actions by people in our organisations. The days of cyber criminals targeting NASA, governments and banks for the notoriety are long gone - modern cyber attacks are indiscriminate and seek to exploit weaknesses in any IT system and will scour the internet looking for vulnerabilities. These are largely fully automated attacks, attacking millions of internet addresses every hour (all devices connected to the internet have a unique address). These attacks are happening every minute of every day.
Some attacks are more obvious - dodgy e-mails asking you to click on a link or open an attachment. Doing that runs the risk of harmful code being run on your device, potentially compromising your whole system and all of the passwords and data stored on it.
Compromises of your IT security can lead to theft, loss or encryption of your files. This may also result in breaches of law which can have financial and legal implications beyond the inconvenience for staff and volunteers, IT costs and potential for negative publicity. Data protection and how you store personal data about your staff, volunteers, members, service users and so on are key considerations. Being a small organisation, or not having technical expertise or, even worse, not really knowing what the various pieces of legislation say or mean, are not acceptable excuses!
This is a complex matter and we can't cover all of the risks and suggestions for managing the risks here. Here's a very brief summary:
So, what can be done about it?
We strongly recommend that every organisation that uses computers conducts a risk assessment and takes appropriate action to manage the risks. Boards/Committees should take responsibility to ensure this happens and actions are implemented. We also list below some basic steps that can be taken straight away to help mitigate some of the basic risks (please note this is a basic list and is only a small example of the kinds of steps you should be taking):
What is FVA doing to help the local third sector?
We're putting together some briefing papers to explore some of these topics in more detail and we'll publish these on our website over the next few weeks.
We're also going to be hosting information sessions for local organisations to come along and hear about cyber security and data protection in a bit more detail, engage in discussion with other organisations and have questions answered. Once dates and venues are identified we'll promote these sessions on our website and in our e-bulletins. You can register interest in these information sessions by dropping an e-mail to [email protected]
So, the best way to find out what's happening and when good practice information is published is to ensure you get our e-bulletins: sign up here.
We're not an IT support provider, but can offer some advice in some circumstances - please contact us if you need help.
Further Reading
In the meantime, you can read more about these topics at the following websites:
National Cyber Security Centre - lots of resources about the recent cyber attack, guidance for small organisations, statistics, alerts and more
National Fraud & Cyber Crime Reporting Centre - About malware and computer viruses, and how to report incidents
Cyber Essentials - UK government-backed accreditation scheme
Information Commissioner's Office - guidance and resources on data protection for organisations
Get Safe Online - A guide to passwords (there's lots of other information on this site)
Digital Unite - digital skills support