Charities know they need a cybersecurity plan, so why do so few have one?

By Eve Joseph, UK Responsibility Manager at Microsoft

It’s no surprise that cybersecurity is a priority for most charity-technology leaders today, but does the wider charity workforce understand the need to invest in it?

With more digital threats today than ever, it’s important that charities put plans in place to mitigate potential risks and address any skills shortfalls, regardless of how the wider workforce perceives the risk.

Although it can take significant time for an organisation to improve its capacity to respond to cybersecurity challenges, existing resources can help – for example the Government’s Cyber Essentials Scheme. There is no charity-specific standard for cybersecurity; charities are expected to use the same, well-established, risk-based approach to cybersecurity management that other organisations use.

[Image: padlock and chain on door]

Data breaches have underscored the critical need to actively protect against cyberattacks

Common vulnerability trends

When thinking about establishing digital security, the first step is to familiarise yourself with the most common threats today, two of which are ransomware and data breaches.

  • In recent years, ransomware attacks have begun using fear to compromise organisations, pressuring the victim or organisation to hand over money to stop the assailant from stealing and deleting vital data. Although these attacks could be described as reasonably “low tech”, few organisations have plans to deal with these situations if they do occur, or know how to protect their systems from such a hijack in the first place.
  • Data breaches have underscored the critical need to actively protect against cyberattacks on information technology systems and thefts of sensitive information. In the charity sector, such information can vary from details of fun run volunteers to highly-sensitive information on human rights investigations.

Tackling organisational awareness

One of the most significant challenges that data protection law poses to charities is around broader organisational awareness of how data is managed. For instance, how many databases do you have containing donors’ personal information? Where is this stored? Do your volunteers or employees share sensitive data on USB sticks?

Over the years, some organisations have shown a lack of sufficient awareness of data-protection obligations and risks of non-compliance, but they can start mitigating this risk with a few basic steps:

  1. Document personal data: determine when and why you collect and store any personal data
  2. Create an internal privacy policy: identify applicable data protection laws and assess their requirements
  3. Appoint an owner of data protection and privacy issues: someone who can help the charity adopt appropriate policies, procedures and organisational safeguards for data
[Embedded document viewer: Download (223.24 KB)]

Further steps

These steps are just the beginning. If overhauling your cybersecurity and data-protection strategy (or creating one from scratch) seems like an overwhelming task, there are resources out there to help, such as Microsoft’s Nonprofit Guidelines for Cybersecurity and Privacy white paper (above).