The critical importance of cyber security
Another month… Another hack. Another edition of Charities Management Magazine and I’m afraid another headline about a UK charity being hacked, which makes me all the more determined to get the message across about how important cyber security is to your charity. It really isn’t a case of “if” you get hacked now, but “when”. The hard work of dedicated charity managers and staff working to high professional standards can be critically undermined by cyber security breaches. Often what can appear as reasonable practices prove to be insufficient and can have dramatically negative consequences.
SALVATION ARMY UK. Although, at the time of writing (early July 2021), the full story has yet to be revealed, it would appear that the Salvation Army’s UK arm was recently infected with ransomware and the organisation's data was siphoned off. As per standard practice, the charity notified the Charities Commission and the Information Commissioner’s Office, but that still leaves a long list of questions like, “whose information has been stolen, what does it consist of and who is it being sold on to?”
Cyber security rights
The Information Commissioner’s Office (ICO) went on record as saying: “People have the right to expect that organisations will handle their personal information securely and responsibly.”
AVOIDING FAILURE OF TRUSTEESHIP. According to the Charities Commission document “The Governance Jigsaw – The Essential Trustee (CC3)”, trustees and board members of charities have a responsibility to “avoid exposing the charity’s assets, beneficiaries or reputation to undue risk” and “having and following appropriate controls and procedures” both of which are key factors in making sure your charity is protected and your staff are fully trained in cyber security. Are you confident, should it be scrutinised, that the protocols you have put in place to protect your charity from cyber-attack would stand up against such scrutiny?
PROTECT YOUR DATA – IT’S THE LAW. The Data Protection Act 1988 states in Principle 7: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
CHARITY FINED £25,000 (JULY 2021). The ICO has fined transgender charity Mermaids for a personal data breach which led to sensitive information being put online. The charity has been told to pay £25,000 in relation to an internal email group it set up several years ago. Following an investigation, the ICO found the group was set up with insufficiently secure settings, which led to hundreds of pages of confidential emails containing the personal information of 550 people, including names and email addresses, being visible online for nearly three years.
Sensitive information online
CHARITY FINED £100,000. In 2018, the Information Commissioner's Office fined the British and Foreign Bible Society £100,000 under the Data Protection Act 1998.
A report on technology news website The Register stated: “An easy-to-guess password allowed hackers to access a service account on the charity's internal network. Ransomware was deployed and the hackers secured access to the personal data of 417,000 of the society's supporters. Some files were also transferred out of the network.”
The ICO commented that the charity had “exposed its supporters to possible financial or identity fraud as well as exposing the religious belief of its 417,000 supporters”.
All for the sake of a stronger password.
WHEN YOUR CYBER HACK TURNS INTO A PR CRISIS. Imagine your charity suffered a similar fate to the British and Foreign Bible Society or Mermaids above. Not only will you have to deal with the vast amounts of work that come from a hack - e.g. communicating with the ICO and the Charities Commission, overhauling your cyber security protocols, contacting anyone whose data has been breached, talking to the press - but, in a much starker reality, where would you find the £100,000 or even £25,000 to pay the fine? If you decided to challenge the case or you are investigated, how would you fund the legal costs?
DONORS’ MONEY AND DONORS’ DATA – GONE. People who donate money to your charity are going to be less than impressed if they find out that, not only did you fail to keep their information safe, meaning they could now be at risk of financial or identity fraud, but that their donations have actually been spent on fines and legal fees to pay for your lack of cyber security measures.
Loss of trust
Make no mistake, this isn’t just a loss of data. It could be a huge loss of trust, which would be a PR disaster and, potentially, the end of your charity.
INSURE YOUR CHARITY, BUT PROTECT YOUR CHARITY FIRST. There are pre-loss risk management packages available to test the security of your website, and also insurance policies that will cover you for the liabilities, fines and legal fees you may encounter. However, it would be much better if you made cyber security a top priority and didn’t suffer the loss in the first place. See insurance as your backstop. It will be there to help you recover, but it would be so much easier if you could stop the breach in the first place.