No matter what size of charity, social enterprise or faith-based organisation you are, if you hold important or personal electronic data, cyber security should be a key priority. The introduction of the General Data Protection Regulation (GDPR) has put this risk in focus, particularly for organisations likely to hold personally identifiable information (PII). The UK Government's recent Cyber Breaches Survey (2019) found that “around a third (32%) of businesses and two in ten charities (22%) report having cyber security breaches or attacks in the last 12 months” [2]. The foreign exchange company Travelex is the latest high-profile example: having identified a virus, it “immediately took all its systems offline to prevent the spread of the virus further across the network.” [1]
The main threats, and the consequences they can have for an organisation, include:
- Phishing attacks, commonly through emails
- Online impersonation, such as invoicing with altered payment details
- Viruses, spyware or malware, including ransomware attacks
- Lost data or assets and subsequent financial loss [1]
- Business interruption, with a virus potentially bringing an organisation to a standstill (particularly where office based)
- Reputational risk
- Breaches under data security law
- Fines imposed by the Information Commissioner's Office (ICO) for data protection breaches and GDPR contravention [2]
- Civil lawsuits from data subjects whose data has been accessed
- Breach of PCI-DSS (the regulations around taking and holding credit card data)
[1] UK Gov Cyber Breaches Survey: “Among the charities recording breaches or attacks, this happened 21 per cent of the time… And for charities facing such negative outcomes from breaches, the average cost was £9,470 in 2019.”
[2] Charities and not-for-profit organisations are not excluded from the new, increased ICO fines, which can be up to £17.5m or 4% of global turnover (whichever is greater).
An organisation's approach to cyber security should be top-down. Measures an organisation can take to improve in this area include:
- Appoint a board member or trustee with specific responsibility for cyber security
- Put in place a written cyber security policy and incident response plan, with regular reviews and periodic testing
- Fund staff training around cyber security, either in-house or through an external professional company
- Undertake cyber health checks, audits or risk assessments
Cyber Security Policy
This should include, for example: the scope of the policy; what confidential data needs protecting; how employees should protect personal and company devices; how to avoid phishing attacks (and to whom suspicious emails should be referred); how to manage passwords properly (e.g. strength and regular changes); how to transfer data securely (e.g. do not use public Wi-Fi); policies for remote employees; and disciplinary action where necessary.
It is also important to note that cyber-attacks are a crime, and any incident response plan should include police notification alongside notifying the organisation's insurers and IT specialists.
The government's Cyber Essentials scheme (https://www.cyberessentials.ncsc.gov.uk/) also provides useful guidance and specifies five key control areas that organisations should consider:
- Firewalls – Intended to create online ‘boundaries’ by restricting access to your network where it is not necessary
- Secure configuration – Default configurations of shop-bought equipment are not always secure (e.g. a device might ship with a publicly known default password), so such weaknesses should be managed through technical controls
- User access control – Only authorised individuals in the organisation should have access to your computer systems
- Malware protection – Install anti-malware software
- Patch management – Make sure all software updates are installed, as these are often released to fix known vulnerabilities
Obtaining Cyber Insurance
As with more common perils like flood and fire, cyber insurance policies are available to help in the event of a cyber-attack, although the extent of cover, including “add-ons”, will differ from policy to policy in what is an evolving market. It is often sensible, therefore, for organisations to consult an insurance broker who can approach the market on their behalf according to each organisation's requirements.
aQmen Underwriting are currently able to offer Cyber Recovery (through Lorega / Hiscox) to their clients, a service-led proposition with the following cover provided:
- Crisis Response – Initial assessment and advice on immediate action to take
- Incident Management – Notification, defence and public relations
- Incident Management – Investigation and restoration
- Awards, Fines and Credit Monitoring
What Lorega says – “A high number of SMEs have experienced a cyber-attack, and levels of concern are high. However, there’s confusion over who can help and even those who say they have someone ready to support them will find their perceptions differ from reality; yes, the IT department for example, can deal with a specific business issue, but it may not look at the wider picture. Against this backdrop we see our Cyber Recovery insurance product providing a valuable expert service, aimed at reducing exposure to financial losses and limiting commercial and reputational damage.”