Cyber and data security How prepared is your charity?


1 Executive summary

In this report we reveal the results of our survey. We discover that only 14% of respondents believed their charity was very well protected against cyber and data security breaches. Over half (54%) either didn't know or said their charity was not well equipped to fend off a cyber security attack. But it's not all doom and gloom: the overwhelming majority (70%) believed they had processes in place to raise staff awareness of the importance of cyber and data security.

Charities are the same as any other company, large or small, when it comes to information security. They have assets that need protecting, including information, threats to counter and a myriad of problems to deal with. This report provides an overview of the current state of play within the sector as well as some top tips on how charities can improve their cyber and data security.

A cyber attack on a small UK-based charity last year, where terrorist propaganda and offensive material replaced the website, shows the Third Sector is not immune. Limited resources should not prevent charities from striving to protect valuable data from attack, theft or human error. The Information Commissioner's Office (ICO) is tightening the rules, meaning heftier fines for those that don't comply. Currently, the ICO can levy fines of up to £500,000 per infringement, but that is set to increase in the near future.

2 When things go wrong

A care home received a £15,000 fine for not looking after sensitive personal details in its care. An ICO investigation found widespread systemic failings in data protection at the nursing home at the time of the breach. A member of staff took an unencrypted work laptop home and the laptop was stolen during a burglary. It contained sensitive personal details relating to 46 staff, including reasons for sickness absence and disciplinary information. It also held some details about 29 residents, including their date of birth, mental and physical health and "do not resuscitate" status. Had the laptop's disk been encrypted, the theft of the hardware would not have been a disclosure of the data.

The cyber landscape

Cyber attacks and data security breaches are never out of the headlines, and it is not just large corporations who are victims. The scale of the problem is immense: the profits made by selling stolen data worldwide have exceeded 500 billion. And alongside the criminals, who make big business out of stealing and then selling data, human error is the biggest threat to charities.

Liam Greene, cyber specialist at Markel UK, said: "There are two issues: raising awareness of cyber threats and helping organisations consider appropriate action. The awareness has significantly changed in the last few years, but acting on these threats has yet to reach a tipping point, uncertainty rather than apathy being the main trend."

Are charities well protected?

Third Sector Insight surveyed 214 people to find out how well protected they thought their charity was against a cyber attack or data security breach, and the results were surprising. As our headline figures reveal, only 14% of respondents believed their charity was very well protected; fewer, in fact, than those who said their charity was not well protected at all. 34% said they believed they were well protected, with a tiny proportion feeling their charity was totally insecure. Frighteningly, over half (54%) either didn't know or said their charity was not well equipped to fend off a cyber security attack.

"Cyber insurers and risk managers are still reporting only gradual changes in decision making." Liam Greene, Markel UK

3 Support

While many charities cannot prioritise spending money on the latest equipment and software, good technical support is important to ensure the secure running of IT systems. If in-house support is not possible, then it is worth investigating an arrangement with a third party, although entering into such an agreement does not transfer the charity's responsibility for its data: the charity remains accountable for what its supplier does.

When asked whether their charity had any cyber security support to protect itself, 43% said they did, whereas 33% said they didn't have any such support and a further 24% didn't know whether they had any support in place, in-house or with a third party. These findings indicate that, while it may be difficult to juggle limited time and resources, charities need to find a way to prioritise protecting valuable data. This is particularly pertinent since the overwhelming majority (70%) said they had data capture and interactive areas on their websites, which means they are holding personal data that an attacker can reach from the internet.

Software and data protection

Hackers exploit many vulnerabilities through software. This includes operating systems, applications and even some of the anti-malware that should be protecting systems. To prevent security breaches, this software should be kept up to date. Failure to do so can leave known flaws open for criminals to use to gain access and steal valuable data, leading to hefty fines for charities. When asked, a third said their software was updated weekly, but the same proportion didn't know how often it was updated.

Keeping up to date with the Data Protection Act is essential for anyone dealing with data. Nowadays, individuals can be held liable for breaches as much as an organisation. "I didn't know" will no longer wash with high court judges. It is every employee's responsibility to know the terms set out within the act. Comfortingly, 89% of respondents said they were very familiar or familiar with the Data Protection Act, with only 11% claiming total ignorance.

4 Keeping data safe

In January this year, the ICO issued an Enforcement Notice on the Alzheimer's Society because of two separate security breaches the charity suffered. One related to its website; the other was human error. Fifteen volunteers who joined in 2007 and had not received data protection training used their personal email addresses to share information about the charity's users and were storing unencrypted data on their computers at home.

Procedures to protect data

Information, including databases of supporters, clients or staff, is vital to the running of any charity. All information, whether stored on a server or kept on portable equipment such as laptops, external hard drives or USB sticks, must be kept safe. Whether it is locked in the office or taken out, it is essential that information security controls such as encryption are used to keep it from falling into the wrong hands. Time and again, newspapers have reported data thefts occurring through human error, whether a laptop was stolen from the front seat of a car or a USB stick was dropped on the bus; these incidents would be far less dramatic if the information they contained had been properly protected. The same applies to data sent by email: if a file of personal data has to be emailed, it should be encrypted with a strong password, and that password should be sent separately, never in the same message as the file.

Our survey showed that 59% of respondents said their data was encrypted. The remaining 41% were split between those not encrypting at all, 12% who were thinking about it and 13% who didn't know whether their data was encrypted.

Again, the overwhelming majority (70%) believed they had processes in place to raise staff awareness of the importance of cyber and data security. But that is not enough. All charities should introduce a process for staff that raises awareness of the importance of securing information, and they need to make it mandatory for staff to demonstrate their information security knowledge before they are allowed to handle any form of data.

5 Planning & risk management

Chart: If the worst happens, how would you deal with the incident? (Answer options: through a service provider; chaotically; we don't know, but consider an incident unlikely.)

Unfortunately, accidents do happen. Data might get lost or stolen, and hackers might compromise security systems. It is a good idea for charities to have a plan of action in place: a set of written crisis response guidelines that are freely available to all staff, so that the first hours of an incident are not spent working out who does what. Only 38% of those that answered the survey said such a plan existed within their organisation. 41% said there were no written guidelines and a further 21% didn't know.

Furthermore, 70% of charities that took part didn't have any specialist insurance protection in place. Whilst cyber insurance is not a replacement for robust IT security, data protection and a response plan, it can act as a safety net. A comprehensive cyber policy acts as a first response and protects your organisation from the moment a cyber or data breach occurs. It covers your own liability as well as the legal, IT security and regulatory costs that may be incurred to contain a breach before a claim arises.

6 Conclusion

One of the major issues around data protection is that charities don't always know where their sensitive information is, let alone how to protect it. Another problem that has become clear as a result of this survey is that too many charities are happy to put the security of their systems, including the data held on them, into the hands of a third party. This, they deem, is a fail-safe, until the worst happens; in practice, outsourcing the work does not outsource the accountability.

A defined security policy, along with a crisis management plan and a cyber insurance policy, should be at the heart of every charity's strategy. From the results of the survey, it is clear that at present, for the majority at least, it is not. Employees, management and volunteers, as well as the trustees, need to be armed with sufficient knowledge to allow them to spot potential problems and have the power to speak up and put solutions in place. That way, the charity has a safe framework to operate within, its data is protected and systems are in place to prevent a cyber attack from happening.

7 Six cyber and data tips

1 Staff awareness & training
Consider both accountability at board level and the day-to-day good practice for employees or volunteers with responsibility for IT systems or handling data. This concerns both physical and electronically held data.

2 Avoid over-confidence in IT
Do the basics: a safe password policy, frequent back-ups, software security controls and updates in place. But remember that no system is faultless, and human error, not the IT security, is often the main source of weakness.

3 Access to advice
IT and risk management service providers, along with insurers, banks and online payment processors, are able to share their wide industry awareness of issues and trends. A more specific service provider or insurance policy may give you direct access to a cyber expert as an added benefit.

4 Cyber insurance policies
These manage unknown costs and risk, both for dealing with the costs of an incident using the insurer's cyber experts and the costs of any business interruption, and for the ability to defend a claim.

5 Awareness of email scams
Email and identity fraud are one consequence of hacking and stolen data, and the scams are ever more imaginative. Use the telephone to verify payment transactions, calling a number you already hold rather than one given in the email, and keep dual controls over changes to payment details and instructions.

6 Keep updated with guidance from the ICO
The Information Commissioner's Office is a resource for practical advice on issues such as encryption, and will also keep organisations updated on developments with potential changes to EU data protection law and how this applies in the UK. Find out more at https://ico.org.uk/for-organisations/charity/

8 About Markel

Markel protects thousands of third sector organisations across the UK, including charities, community groups, not-for-profit organisations and care providers. Our specialist charity insurance provides cover against a whole range of risks, giving you the peace of mind that if something unexpected happens, your organisation is covered by an expert. We also offer a range of exclusive benefits and services for policyholders, providing practical advice and professional help from industry experts to help prevent and manage claims situations. To find out more about charity insurance visit: www.markeluk.com/charity