Research was carried out earlier this year to identify issues with cyber security within third sector, or charity, organisations. 30 in-depth interviews were carried out to establish attitudes towards cyber security, awareness of relevant issues, approaches to cyber security and the charities’ perceptions and experiences of breaches.
What the study found was a mixture of complacency and misinformation, as well as pockets of good practice. For instance, many third sector organisations had never really considered cyber security, and even those in charge of that area felt uninformed. There was also a sense that, if cyber security was something these charities needed to look at, then they would have received further information from governmental channels or the Charity Commission.
Furthermore, some charitable organisations felt that cyber security was an issue for businesses, not the third sector and, generally speaking, the charities that took part in the research did not have internal specialist staff whose role was specifically to deal with cyber security. This led to a lack of effective practices.
As a result, the research reports, “Responsibility for cyber security internally was often held by someone with a different core role, or with multiple responsibilities, such as Chief Executives or finance staff. Competing demands on time and resources – with greater focus often given to areas such as fundraising and delivery – meant that cyber security was often deprioritised and could lack investment”.
Outsourcing cyber security in third sector organisations
When non-specialist staff are given responsibility for cyber security, problems are likely to occur. The importance of protecting supporters’ data, not to mention access to financial records, is understood by most charities, but knowing how to go about it is leaving many third-sector organisations stumped. The researchers in this study found that those charities that had experienced a breach in data security did then go on to invest in cyber security, but by then it was too late.
Cyber security matters to the third sector for more than protecting its data. It also has wider consequences under the General Data Protection Regulation (GDPR). Charities would not be exempt from the fines of up to 4% of annual turnover that can be imposed on organisations that breach the rules, and as the GDPR comes into force, it will be more important than ever that cyber security standards are met.
Enlisting the support of a third-party cyber security company can provide a charity with the information and back-up it needs to keep its data safe and its financial records untouched. The option to undertake schemes such as Cyber Essentials means that these organisations can stop being the ‘weakest link’ in data security terms.
Cyber criminals are aware of where these weak links are, and will attack accordingly. The fact that you might be a third-sector organisation with strong ethics or an important raison d’être means nothing when there is personal information to be stolen and exploited.
What should be done
Rather than letting themselves be a soft target for cyber criminals, third-sector organisations have an obligation to protect the data of their supporters, partners and service users, and to keep financial details safe from prying eyes and sticky fingers.
Many of these organisations would benefit from specialist training so that they fully understand the issue. They may think they are too small to be targeted, but attackers do not necessarily agree, and protection must be in place if organisations are to remain secure. Recruiting a third-party organisation that specialises in cyber security is an effective measure when specialist knowledge and skills are required.