New year, new beginnings! As we enter 2022 filled with excitement about the year ahead, we look at things with fresh eyes. If improving cybersecurity isn't one of your organisation's goals already then it's time to add it and become more cyber secure than you were last year. Unsure where and how to start? In this episode, Michala Liavaag explains how charities and other not-for-profits can start tackling cybersecurity. Spoiler alert: Context matters and it is all about risk! Take the next step on your cybersecurity journey by listening to this episode where we'll provide you with some questions that you can ask of yourselves and your team(s).
⭐Found this useful? Please rate and review, as it helps reaching more people
👍You can also subscribe and share on social media
💬 Contribute to future episodes with your cyber security concerns and questions
🤝Connect with Michala and Cybility Savvy:
✍🏾Written and produced by Michala Liavaag
🎦Co-produced and edited by Ana Garner video
🎵Music by CFO Garner
Welcome to Cybility Savvy the show that demystifies cyber security for not-for-profit boards and leaders
I’m your host Michala Liavaag founder of Cybility consulting. In today's episode I’m going to shed some light on where you actually can start with cyber security. It's all about risk. Risk specifically in the context of your organization. Context really matters here because what's right for one organization may not be right for another. Whether they're even large organizations, again there's so many differences, that the controls you might put in place to manage the risk are different. So things to think about when you're thinking about the context here:
Your organization's size, its geography, the services it provides.
Think about the information that you hold. They'll be the sort of standard charity governance documentation, but think about also the financial, the personal information. Perhaps you're a charity involved in research data. Lots of different types of information there that somebody could potentially be interested in.
What systems do you use when it comes to IT? Are you working mainly from home and remote? Are you all based in an office? Are you using cloud-based systems? Or perhaps you've actually got your own data centre. For smaller charities, perhaps you don't have anyone providing your IT really, you've just got your own personal machine and a couple of volunteers using theirs. Whatever it is, you're all going to need different things.
And think about the obligations. So there's the legal obligations, such around you know data protection for example. Regulatory obligations, which will very much depend on you know what you're doing. One thing that a lot of charities will have in common if they're doing things online, will be about the gambling commission for example. Then there's the contractual obligations. You might have won a bid and you have said that you're going to deliver a service and they've said in order to live that service, you have to maintain a certain level of security. There can also be, particularly again with the charity side, grants awarded and there might be some conditions around that.
Think about policy from a wider scale. So internationally what's affecting your organization, nationally what's affecting it, and locally. Security may well have a role to play here.
Then there's the sector specific type of things to consider. What are the usual standards in your sector?
Finally, but certainly not least by any stretch of the imagination at all, is the expectations of the people that you serve. Also, the expectations of the people that work for you, whether it's volunteers or staff. Trustees even though you are on the board, you also have expectations about what the organization will do and how it will manage things.
So, all of those things together provide that context in which you're going to then make some risk-based decisions. And it will also influence your risk appetite. Now, in some ways this is no different to other types of risk. Health and safety, financial… you probably deal with these all the time. But in other ways, information cyber security risk are very different. Consider that, after our people, information is, in my opinion, the lifeblood of an organization- can't function without it, and when you think that information is more often than not stored in digital systems, and we learn about cyber security is focused on those digital systems and protection of those, what's unique is the significant amount of harm that can be done to an organization with a cyber security incident. For example, think of some of the ransomware attacks you've probably seen on the news, they can wipe out a whole organization, and they have to go back to scratch and rebuild everything, meaning they're not delivering the services. And when you're a charity, that's really really difficult because, generally speaking, those people you serve really need your help. That's one reason why it's a little bit different from some of these other risks in terms of the impact, the detrimental impact it can have quite suddenly.
Now, large charities will likely have a formal risk management framework in place. It might be modelled after ISO31000, which is the enterprise risk management standard. Smaller charities are more likely just weighing things up in their head. They're still going through a process, but it's just not sort of fully documented and managed in the same way. Now, in both cases that risk-based decision is being taken in consideration to their respective risk appetites, which is informed by the context of their organization. So what is the board's risk appetite when it comes to information risk? In reality, we actually have different appetites for different risks. So I suspect that many of you would be reasonably okay with perhaps the odd letter occasionally going to the wrong person. Not great but, you know you, could cope with it. Whereas something like that big ransomware incident, if that were to happen, that you may not be comfortable with, and you might want to actually take some action to try and reduce the chance of that happening. So, one of the challenges around this is actually finding a level that is acceptable to everyone on the board, and also practicable for the organization. So for the executives themselves to manage, you know all the things that they need to deliver within that risk appetite, and then of course there will be an agreed tolerance around that as well.
Now I’d like to leave you with a few things to think about for next week:
First of all: does your organization have a defined risk appetite when it comes to information risk?
Second: do you have information risks included on the risk register? Do you even have a risk register?
If you're a smaller charity, is there a board member assigned to champion information assurance, which includes cyber security, at those board meetings in the order and risk committee for example?
Is there an executive in that management team with overarching accountability for information risk?
Those are important questions to go and answer so I’ll leave you with that.