Vince Warrington looks at the importance of cyber security and explains why it should be at the top of the agenda for charities.
On 1 September 2015 Alan McOwan, director of the Dean Street HIV clinic in London, probably didn’t expect to be at the centre of a media storm within 24 hours. Shortly afterwards a small mistake was made, and it escalated until McOwan found himself giving interviews on the TV news channels, trying to protect the reputation of his organisation. With the story reported as far afield as the US and Australia, it’s safe to assume he’d had less stressful days at work.
A few weeks later it was Dido Harding, CEO of TalkTalk, in front of the cameras in the aftermath of a cyber attack. The incident and the resulting coverage not only cost the company an estimated £65m to fix; it also saw them lose over 95,000 customers, and in July this year it was reported that a fifth of those remaining wanted to leave as soon as they were able to.
Your donors may be more loyal to you than a mobile phone company’s customers are to it, but TalkTalk’s experience should still worry charity boards across the country. The public and the media now expect you to protect personal data as well as you possibly can. Fundraising is hard enough at the best of times; having current and potential donors reconsider their support in the aftermath of a security breach could be devastating.
The Information Commissioner’s Office (ICO) is also flexing its muscles. Although the causes of the two incidents were very different – TalkTalk was targeted by hackers, whereas a clerical error caused the Dean Street breach – the outcomes were much the same. Both were fined, the clinic £180,000 and TalkTalk £400,000, and charitable status holds no sway with the ICO. And, despite Brexit, the EU General Data Protection Regulation will apply from May 2018 until the UK leaves the EU, with maximum fines of €20m or 4 per cent of global annual turnover, whichever is higher, for the most serious infringements, and any future UK Data Protection Act will essentially be in line with GDPR.
Much of the focus in information security is on hackers and cyber criminals, but they are only half the story. Roughly half of all security breaches are caused by inadvertent human error, and the majority of deliberate attacks require some interaction from an unsuspecting end user, such as opening an infected email attachment. Even in the TalkTalk case, the attackers exploited vulnerabilities that had been known about for years and could easily have been patched if anyone had taken responsibility for doing so. The ‘cyber’ problem is therefore not primarily one of technology but of people and process. People really are the weakest link in the chain.
Protecting your data is no longer an optional extra, or something you do if you have the time and budget. There is no foolproof strategy that guarantees you will never suffer a breach, but there are steps you can take to reduce your exposure. Obtaining an appropriate certification, such as ISO 27001 or Cyber Essentials, forces you to close off holes in your defences, and using the Cyber Defence Capability Assessment Tool (CDCAT) will identify where you are strong and where you have weaknesses. Bear in mind that a certificate shows the controls were in place when the assessment was done; they still have to be maintained afterwards.
You will need to develop policies and processes that create a culture of security within your organisation. Effective governance is a key ingredient, giving everyone a framework in which to work securely day to day without inhibiting their ability to do their job. That balance can only be struck once the organisation has decided how much risk it is willing to accept when it comes to protecting data – its risk appetite.
Most importantly, cyber security needs to be managed from the top, not from within your IT department. We are currently working with the Financial Conduct Authority to make sure information protection has a seat at the board of thousands of banks and insurance firms, and it is an approach I would actively encourage for all charitable organisations. Cyber security is a business risk, not an IT one, and if you treat it as such you will hopefully not find yourself being grilled on live TV.
Vince Warrington is managing director at Protective Intelligence.
Civil Society Media would like to thank Protective Intelligence for its support with this article.