21st Feb 18 Chloe Green
Why is cyber security a trustee issue? (Guest Writer)
In this guest post, Rebecca Lyng of Templar Executives explores the charitable sector’s relationship with cyber security and what organisations can do to stay secure.
As charities store and process more information online, such as donors' and beneficiaries' personal details, there is a distinct need for organisations to assess their cyber security and to address not only the external threat but also the internal threat they face. Last year, two-thirds of cyber security breaches were not down to poor firewall systems or lax security systems but were the result of human error within organisations; it turns out that people, the most valuable resource, are invariably also the weakest link.
Examples of real incidents are as follows: a mis-sent email containing a beneficiary's personal information; sensitive donor details lost on a train; papers going missing because staff had not stored confidential information properly; and a laptop left on a train with its passwords attached.
The human element of cyber security is consistently overlooked when organisations fail to take a holistic approach to cyber security. Following the loss of confidential client information by a charity in Northern Ireland, attributed to the lack of a risk-aware culture, the charity recognised the need for greater clarity and focus in management roles. It found there was a lack of understanding of each other's roles and a need for more training on policies and procedures. Early this year it was seen that 93% of companies where security policy was poorly understood had staff-related breaches. Organisations need to assess the criticality of the information they hold and assess all types of risk to it; a huge part of this includes training staff on handling information through standardised risk policies and procedures, as well as outlining reporting lines. Having procedures in place will allow staff to use information to its maximum benefit whilst at the same time protecting it to the standard required and mitigating the risk of it being lost or damaged. Communication lines will let staff know who to contact when they aren't sure how to handle specific types of information, or how to report a breach. Clear communication lines will also allow for feedback on current information handling within the organisation and on whether it is at an adequate level.
In most organisations there is often a flourishing, vibrant and effective Health & Safety culture, clearly understood and rigorously adhered to by management and employees alike. Perversely, when it comes to the 'life blood' of an organisation, its critical business information, there is often a distinct lack of collective education, training and focus to support a company's business objectives, as well as a lack of suitable ICT products to use. Moreover, effective business processes, and the governance structures necessary to foster the correct pervasive culture of information risk management, are also missing. To make the necessary changes to value and exploit an organisation's information better, trustees need to be fully engaged; the cultural change needed to successfully introduce an effective Health & Safety regime is not too dissimilar to that of holistic cyber security, and this has to start at the top; trustees need to lead by example!
Poor leadership will not inspire cultural change, no matter how hard internal communications try to advertise best practice. All this will take top-down leadership and trustee-level commitment if it is to pervade throughout an organisation. It is no good if trustees are setting a bad example, recklessly using social media, emailing sensitive work to their home accounts or viewing trustees' papers on the latest insecure ICT. The recent case of Ciarnan Helferty, Chair of Amnesty International, showcases the importance of boards taking responsibility for the governance of cyber security.
All elements of an organisation must know 'who, what, why and when': with whom, what, why and when they are to share company information, and how to manage their critical business information throughout its life. This needs a collective corporate understanding of the threats and risks to different types of information, and knowledge of the shared technical and business processes for safely handling them while, at every given opportunity, safely exploiting the information.
Donors and beneficiaries are the lifeblood of an organisation. Suffering a breach will have both financial and reputational consequences: are trustees prepared, and do they understand the risk?
Tips for Trustees
- Every organisation, regardless of sector, handles key information. Compromised information can cause enormous damage to charities' operations and reputation.
- Cyber security is a board-level responsibility. The board is responsible for driving information management from the top to ensure buy-in along the journey.
- Gain a comprehensive understanding of the cyber threats and opportunities facing your charity.
- Charities can mitigate 80% of the threat by embedding information security practices across their People (e.g. education, culture), Processes (e.g. information risk management, incident management) and Technology (e.g. malware protection, network security).
- The human anti-virus: effective education and awareness campaigns will increase cyber security and information knowledge within the organisation, creating an environment that is aware of the threats and understands what best practice and policy to follow to reduce the risks.
- Identify the information that is critical to achieving business objectives.
- Introduce a policy so that the risks to that information can be managed.
- Allocate your security responsibilities. Ensure individuals know who is responsible for security within the organisation including clear reporting lines.