Date Reviewed

1215/04/24

Reviewer

Joe Checketts

Notes

The below will appear on the Refined page at


Trustees are the volunteers who lead charities and decide how they are run. Sometimes referred to as board members or the board, they play a very important role, almost always unpaid, guiding and strategising with often very limited funds. Without strong buy-in from trustees, up-to-date IT infrastructure and cyber security can frequently get overlooked in a sector where there is very little flexibility for spending.

If you are a trustee of a charity, or you need to talk to your trustees about cyber security, here are some basic but critical themes:

We are a small charity, what are the chances that someone would attack us?

It is not so much that a criminal would deliberately attack a specific charity (although they might), it is that they randomly attack many thousands of organisations in one go, with no regard to who they are. Cyber criminals use readily available tools that require next to no skill and work by tricking people to give away their security credentials or by finding weak spots in their IT systems to gain access. If your charity uses digital technology, you are a potential victim of cyber crime.

Surely I can leave cyber security for the IT manager to worry about?

Cyber security is a vital responsibility for the trustees. A cyber security incident will affect the whole organisation - not just the IT department. It may impact or halt your services, damage your reputation and contractual relationships, put sensitive client and donor information in the public domain and result in legal or regulatory action. Regardless of who is taking care of the IT, if something went badly wrong, the responsibility for the cyber security controls, the passwords, the accounts and the potential data breach would lie with the senior management and trustees. Trustees themselves don't need to be technical experts, but you should be having constructive discussions with key staff to ensure you are confident that cyber risk is being appropriately managed. If this is an area that you feel very uncertain about, could you ask an IT consultant or cyber security professional to review your organisation’s cyber maturity? Or, even better, introduce one onto your board of trustees? This would ensure that your charity is receiving some knowledgeable advice and having the right conversations.

What are the key questions we should be asking?

  1. Are you and any remote or home workers and contractors accessing your organisation's network and data in a secure way?

  • To help tackle this, you could create a Bring Your Own Device policy for all remote/home workers. (link to a BYOD policy)

  • Share a comprehensive password policy with all employees, volunteers, contractors and trustees. (link to details)

  • Enable multi-factor authentication for all accounts accessible over the internet. Implementing multi-factor authentication will prevent hackers from gaining access to your accounts even if your password is guessed or stolen.

  • Ensure all staff use a standard user account to carry out their normal day-to-day work. Staff using admin accounts for everyday tasks is a common facilitator for a cyber breach. An attacker will have the same privileges as the account you are logged in as, and if that is an admin account, they will be able to perform actions such as installing malicious software, deleting files and accessing sensitive data. For this reason, administrative accounts must be restricted, kept track of and not used to carry out everyday tasks.

  • Check that all accounts and apps that are no longer used are removed. If certain software is not needed, removing it from your device reduces the risk of there being a vulnerability that can be exploited by cyber criminals.

  2. Does the charity regularly back up all its essential data? This is the best way to limit the effects of a ransomware attack.

  • Do you keep your back-ups in a different location from your network and systems, with one back-up kept off site?

  • Do you know how to restore files from the back-up, and do you test that your back-up system is working?
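The second bullet asks whether a restore has actually been tested, and the only proof is a restore that is checked file by file. The script below is an added illustration, not part of the original page or any IASME/NCSC tool: it builds a small constructed data set in a temporary folder, backs it up to a tar archive, restores it to a separate folder and compares the SHA-256 hash of every file against the original, then simulates a bad restore (one truncated file) to show the check reporting it. The folder names and file contents are invented for the demo.

```python
"""Restore test for a file backup: back up a folder, restore it elsewhere and
prove every file came back byte-for-byte by comparing SHA-256 hashes."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 hash."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> None:
    """Write every file under source into a gzipped tar archive."""
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                tar.add(path, arcname=str(path.relative_to(source)))


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive into target, refusing entries that try to escape it."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # Python 3.12+ safe extraction filter
        except TypeError:  # older Python: no filter argument
            tar.extractall(target)


def verify_restore(source: Path, restored: Path) -> dict:
    """Compare the restored tree with the original and list every discrepancy."""
    expected = hash_tree(source)
    actual = hash_tree(restored)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupted = sorted(k for k in expected if k in actual and expected[k] != actual[k])
    return {
        "ok": not (missing or extra or corrupted),
        "missing": missing,
        "extra": extra,
        "corrupted": corrupted,
    }


def run_demo() -> tuple:
    """Constructed scenario: back up, restore and verify; then damage one
    restored file and verify again to show the check catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "charity_data"  # constructed sample data, not real records
        (source / "donors").mkdir(parents=True)
        (source / "donors" / "list.csv").write_text("name,amount\nA. Donor,50\n")
        (source / "policy.txt").write_text("Password policy v3\n")

        archive = tmp / "backup.tar.gz"
        make_backup(source, archive)

        restore_dir = tmp / "restore_test"
        restore_backup(archive, restore_dir)
        good = verify_restore(source, restore_dir)

        # Simulate a failed restore: one file comes back truncated.
        (restore_dir / "donors" / "list.csv").write_text("name,amount\n")
        bad = verify_restore(source, restore_dir)
        return good, bad


if __name__ == "__main__":
    first, second = run_demo()
    print("clean restore ok:", first["ok"])
    print("damaged restore ok:", second["ok"], "corrupted:", second["corrupted"])
```

Pointing `verify_restore` at a real backup means restoring to a spare folder or machine, never over the live data; the hash comparison is what turns "we have backups" into "we have tested that the backups restore".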

  3. If your charity uses cloud services, do you understand the shared responsibility model?

  • This means that for some security controls, it is the cloud service that is responsible for implementation, whereas for other features it is the user organisation. Who implements which controls will vary depending on the design of the cloud service being subscribed to. Do not assume your service is secure; be diligent about checking who is responsible for what. (link to guidance)

  4. Does your charity keep an asset list to help you identify all the devices that access your charity's data, plus a list of all the software and cloud services that you use?

  • Maintaining an asset inventory helps you track which software is in use in your organisation and when it becomes unsupported or stops receiving security updates.

  5. Do you avoid using legacy and unsupported software?

  • Unsupported software is a key target for cyber attacks. Known vulnerabilities in legacy software left unpatched are easy targets for hackers, who create programmes and services that make them easy to exploit, even for criminals with low levels of technical expertise.

  • All critical and high security updates released by the manufacturer must be applied within 14 days; the easiest way to achieve this is to enable ‘automatic update’ on all your devices.

  • For some larger organisations, there is a concern that some software updates may stop other software from working or cause some features to break. Most IT teams in larger organisations aim to fully test each update on a controlled sample of devices before applying it company-wide. The National Cyber Security Centre has some useful guidance on installing software updates without breaking things.
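Questions 4 and 5 fit together: the asset inventory is what lets you see unsupported software and late updates at all. The script below is an added example, not code from the page or from IASME or the NCSC, showing what a trustee-level report from such an inventory can look like. It reads a small constructed CSV inventory (invented asset names, product names and dates, not real products or support periods), flags software past its support end date, and flags any critical or high update that was not applied within the 14-day window stated above. The column names are assumptions chosen for the demo.

```python
"""Check a software/asset inventory for unsupported software and for
critical/high updates not applied within the 14-day window."""
import csv
import io
from datetime import date, timedelta

SLA_DAYS = 14  # the 14-day window the guidance expects for critical/high updates

# Constructed sample inventory (invented assets, products and dates). Columns:
# asset, software, support_end (blank = supported or not applicable),
# critical_update_released (most recent critical/high update), patched_on.
SAMPLE_INVENTORY = """asset,software,support_end,critical_update_released,patched_on
laptop-01,ExampleOS 12,2027-01-01,2024-04-09,2024-04-10
laptop-02,ExampleOS 12,2027-01-01,2024-03-20,
server-01,LegacyDB 5,2023-06-30,,
cloud-crm,ExampleCRM (SaaS),,2024-04-01,2024-04-05
"""


def parse_date(value: str):
    """ISO date string to date, or None when the cell is blank."""
    return date.fromisoformat(value) if value else None


def load_inventory(csv_text: str) -> list:
    """Read the CSV into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def assess(rows: list, today: date, sla_days: int = SLA_DAYS) -> list:
    """Return (asset, software, finding) tuples for every row that breaches
    either rule: unsupported software, or a critical update outside the SLA."""
    findings = []
    for row in rows:
        asset, software = row["asset"], row["software"]
        support_end = parse_date(row["support_end"])
        released = parse_date(row["critical_update_released"])
        patched = parse_date(row["patched_on"])

        # Rule 1: software whose vendor support has already ended.
        if support_end and support_end < today:
            findings.append((asset, software, f"unsupported since {support_end.isoformat()}"))

        # Rule 2: critical/high update must be applied within sla_days of release.
        if released:
            deadline = released + timedelta(days=sla_days)
            if patched is None and today > deadline:
                overdue = (today - deadline).days
                findings.append((asset, software, f"critical update overdue by {overdue} days"))
            elif patched is not None and patched > deadline:
                late = (patched - deadline).days
                findings.append((asset, software, f"critical update applied {late} days late"))
    return findings


def run_demo(today: date = date(2024, 4, 15)) -> list:
    """Run the check over the constructed inventory as of a fixed date."""
    return assess(load_inventory(SAMPLE_INVENTORY), today)


if __name__ == "__main__":
    for asset, software, finding in run_demo():
        print(f"{asset:<10} {software:<20} {finding}")
```

Run against a real inventory, the output is the short list a trustee can ask about: which devices still run software nobody supports, and which ones missed the 14-day window for a critical update.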


Help is at hand

If you are a small charity, the NCSC's Small Charity Guide can help you nail the basics.

If you are a larger charity, the NCSC's 10 Steps to Cyber Security will help you to identify what to do within a more complex infrastructure.

The NCSC has also created an Introduction to cyber security for board members.

Cyber Essentials is an effective, government-backed baseline scheme that will help you to protect your charity, whatever its size, against a whole range of the most common cyber attacks, including ransomware. It is a great way to check that you have implemented the five key controls adequately, without overlooking something. Many charities report that the process of certifying acts like a checklist and gives them huge peace of mind.

If you need help getting started on your Cyber Essentials journey, you can access the free Cyber Essentials Readiness Tool, developed on behalf of the NCSC by IASME. The Readiness Tool is a free online tool, accessible as a set of interactive questions on the IASME website. The process of working through the questions will inform you about your organisation’s level of cyber security and what aspects you need to improve. Based on your answers, you will be directed towards relevant guidance and a tailored action plan for your next steps towards certification.