Cybility Savvy
E21 - Cybersecurity for trustees - with guest host Penny Wilson
In this episode, we turned the tables: Penny Wilson interviews Michala Liavaag!
Penny Wilson is the CEO of Getting on Board, a trustee recruitment and diversity charity. Penny has been a trustee of several charities and is currently a trustee of the National Migraine Centre.
Penny asks Michala questions about cybersecurity from the perspective of trustees.
Starting with the basics of what cybersecurity is, through the importance of robust process design, to the nuances of obtaining insurance coverage, and much more.
This episode is full of resources and practical tips for trustees.
👉 Cited in this episode:
Getting on Board - why we campaign https://www.gettingonboard.org/why-we-campaign
Cybility Cybersecurity Ring of Resources - https://bit.ly/cybilityring4charities
More Cybility resources https://www.cybilityconsulting.co.uk/cms/resources-cybersecurity
National Cyber Security Centre (NCSC)
- Create your Cyber Action Plan - https://bit.ly/Cybility2CyberActionPlan
- Small Charity Guide - https://www.ncsc.gov.uk/collection/charity
- Board Toolkit - https://bit.ly/Cybility2BoardToolkit
Cybility Savvy Episodes
- VPN - https://www.cybilityconsulting.co.uk/cms/cybilitysavvy/safe-communcations
- Risk - https://www.cybilityconsulting.co.uk/cms/cybilitysavvy/charities-risk
- Insurance - https://www.cybilityconsulting.co.uk/cms/cybilitysavvy/cybersecurity-change
IT Infrastructure Library (ITIL) - a background on good IT service management practices - https://bit.ly/Cybility2ITILprocess
South East Cyber Resilience Centre
- Sign up, it's free - https://bit.ly/Cybility2SECRCpartner
- Incident Response Plan Template - https://bit.ly/SECRC-CIRplan
CREST Incident Response Implementation & Procurement Guides - https://bit.ly/Cybility2CRESTIRguides
Charity Commission Incident Reporting - https://bit.ly/Cybility2CCincident
ICO quarterly review - https://bit.ly/Cybility2ICOtrends
Verizon data breach report - https://vz.to/3DOwk1T
-----
⭐Found this useful? Please rate and review, as it helps reaching more people
👍You can also subscribe and share on social media
💬 Contribute to future episodes with your cyber security concerns and questions
🤝Connect with Michala and Cybility Savvy:
✅ LinkedIn ✅ Twitter ✅ Youtube ✅ Instagram
---
✍🏾Written and produced by Michala Liavaag
🎦Co-produced and edited by Ana Garner video
🎵Music by CFO Garner
(automatic transcript)
00:00:00:03 - 00:00:27:13
Penny Wilson
Hello everybody and welcome to Cybility Savvy, demystifying cyber security. Today we have completely turned everything on its head, and rather than Michala being host, I'm hosting and Michala's the guest. So my name's Penny Wilson and I'm CEO of a charity called Getting on Board. We work on trustee issues with a particular interest in trustee diversity. I'm here to quiz Michala to find out about what trustees ought to know about cyber security, and my starting point is I know absolutely nothing. So I hope that I'm quite typical as a trustee, and that's something that we'd obviously like to change.
00:00:35:16 - 00:00:41:06
Cybility Savvy: the quickest way to go from cyber confused to cyber savvy.
00:00:43:01 - 00:00:49:20
Penny Wilson
So let's kick off, Michala. Tell us what cyber security actually is.
00:00:49:20 - 00:01:16:10
Michala Liavaag
Okay, so this is quite a funny question actually, because you'll get a different answer depending on who you speak to. If you were to just sort of look at what you see in the media, the term cyber security seems to relate to any sort of IT-connected attack. When you actually sort of delve into things, there is actually a slight difference between information security and cyber security. Information security is really what we care about, because it's the information that's valuable, whether it's people's data, whether it's intellectual property, it could be healthcare records, depending on what your charity is. It's the information that's valuable, and not all systems are IT systems. How many charities out there actually still work on, you know, pen and paper? Good filing cabinets. You know, if there was an incident with that, that would be an information security incident. So we're thinking about, you know, physical protections and everything; all of that is information security. Now, with the whole world of connected systems, in this world of the internet, cyber security is focused on protecting anything that is internet sort of connected, these interconnected networks, and that's really the dividing line between the two. So any of your trustees who understand that difference are probably 80% better than a lot of us professionals out there who mix the terms.
00:02:23:17 - 00:02:40:08
Penny Wilson
Well, that's already really, really interesting. And in terms of those kinds of information that are held on internet-based things, and I haven't got any of the technology, so I apologize for that in advance, I'm probably quite typical there as well: what kind of information do charities hold that might be affected by this?
00:02:40:16 - 00:03:05:13
Michala Liavaag
So in terms of the IT systems, quite often, especially for smaller charities who don't have their own IT teams to sort of build and maintain systems for them, typically we'll be using cloud-based services that are provided by people like, you know, Microsoft, Google, you know, all the big companies in the world, and so our information is going to be in those sorts of systems. As trustees, one of the most common things that you'll be using is some sort of, probably, board papers application. It might just be that people are putting it on a Google Drive, for example, or if you're a large charity you'll probably have a specialized app that you put the minutes and things out to. So the information that you're getting just from a governance point of view is potentially going to be quite sensitive, depending on which committees you're on, stuff like that. In terms of the people who are doing the operational work, and again, for smaller charities it's typically one person doing both sides of it, then you're probably looking at things like the information you hold about your volunteers. So it's probably going to be names, addresses, contact details. Again, depending on what sort of charity you are, you might hold some more sensitive information about them as well, around, say, occupational health data, for example. If you're a large charity you're going to have more staff, so you'll have obviously their details. And then obviously what we're all here for is our beneficiaries, so these systems that hold their data, and again that could be anything from an old-fashioned Rolodex to an IT system, say Outlook or whatever it is, and, you know, having all their details in there. Or again, bigger charities will have a customer relationship management solution or perhaps a patient management system. It very much depends on what you do, but fundamentally we're all here for beneficiaries and want to look after and protect that data.
00:04:43:03 - 00:04:47:00
Penny Wilson
And I guess our stakeholders might include donors and supporters and ambassadors.
00:04:47:05 - 00:05:16:04
Michala Liavaag
Yeah, absolutely. And actually, just on that point, when we think about, you know, the fundraising aspect of it and those people: quite often charities, you know, we have some high-profile people who are going to support and, you know, spread our message, and their contact information is particularly sensitive. Thinking about some of the big donors again, there could be more sensitive lists that need perhaps additional protections compared to other information. So there's lots of things around it once we start digging into it.
00:05:19:19 - 00:05:31:01
Penny Wilson
That's great. I feel like I've already got a much better grasp of this. So I'd really love you to spell out to us: why should trustees care about cyber security?
00:05:31:05 - 00:06:05:07
Michala Liavaag
Fundamentally, as a trustee, you know, the role is about governance of the charity that, you know, you're looking over, and hoping that they make the right sort of decisions and do things in an ethical way. Cyber security, and when I say cyber security from now on, okay, I'm using it interchangeably, as the media does, in terms of it meaning both information and cyber security, just because it's easier than having been saying it by the fourth time. If you're thinking that information is throughout all of the processes that your charity does, as well as, you know, the people operating and the beneficiaries, it's all about risk. Day in, day out on those committees you're making decisions about risk, you know, and what is going to be good for the charity, and, you know, where do you put your finite resources. So it's always about the benefit versus the risk, and you are probably used to dealing with, say, health and safety risks. It's no different. That's one of the things that, I have to admit, is a bit of a pet peeve: people sort of dress cyber security risk up as if it's something really special, and actually it's just another type of risk. Yes, when you go into the detail you might need to use somebody like myself to talk about, you know, the expertise around that and help you understand it, in the same way that you'd probably use a health and safety advisor to help you understand the details, of course, etc. So it's no different. That's the first thing I want to say: every trustee understands risk, because that's what you're doing, and this is what that's about. Ultimately you're on the hook as a trustee, potentially, for your charity. The key difference between the private sector and charities is that, and I'm not saying there aren't private sector who do do this, because there are, but we all are here because we want to do a good job and help society. There's an assumption that everyone in the sector wants to do that, and therefore there's a high level of trust, and as trustees you might want to challenge that assumption, because charity fraud is a huge thing as well, and that's the sort of thing that you want to be aware of so that you can sort of maximize those limited fundraised funds and make sure they're, you know, being used in the appropriate way. So it's really just all about the governance of the charity and feeding into that.
00:07:51:01 - 00:07:59:12
Penny Wilson
And do you think, following on from that, that because of that assumption of trust, charities are low-hanging fruit when it comes to cybersecurity issues?
00:07:59:16 - 00:08:35:13
Michala Liavaag
Yes and no. Low-hanging fruit, just because of being on the internet: I would say everyone, regardless of charity or not, if you're connected to the internet, you know, you're low-hanging fruit by default, and then the more protections you put in place, you kind of make yourself harder to target. So even if you just do some of the basic things, we always say that the sort of five basic things around the Cyber Essentials scheme, if a charity can do those then that's generally going to protect from about 80% of the attacks out there, and so you'll be slightly higher up that tree. But in terms of the trust, and that assumption of trust with people, I think where it does increase the risk for charities is that there's something we call insider threat. That's when you have somebody who comes into an organization, or they might have worked in the organization for years and have a change of personal circumstances. Like right now, for example, we've just had Covid, so charities are already struggling with fundraising, we've now got the cost of living crisis and the energy crisis, and that's putting additional pressure on. It's worth considering, and I know it's a horrible thought, none of us want to think this about, you know, people we work with, but again, as trustees I think you have a duty to consider the increased risk to your organization. Because if I'm working there and suddenly I know my rent's gone up, I'm really struggling because I've not had a pay rise in 10 years, then if I'm approached and told, you know, I'll give you a thousand pounds for your login, does that really do any harm? For some people they might think not, and it's easy money. So that's the sort of thing that as a trustee you should be aware of, and then asking, you know, the exec team, or your other hat if you are the one person doing both things: is that the sort of thing that you are at risk of? What are you doing to protect against that?
00:10:06:21 - 00:10:30:20
Penny Wilson
It's really interesting, and it's interesting earlier that you drew a parallel with other sorts of risk. This conversation is making me think about safeguarding risk, and some of the things that you do, you know, to reduce safeguarding risks are not only to reduce the chance of it happening, but also to reduce the chance of people putting themselves in a situation where they might be accused of something that they have or actually haven't done. Exactly. Not all the systems, where actually there's not going to be any accusations, you know, that somebody couldn't have done this thing, but you might have to think that if you're looking at how did this thing happen, yeah, yeah, you know for sure it couldn't have come from your staff. Then, you know, that's an enormous reassurance, and it's taken a risk away, hasn't it?
00:10:50:17 - 00:11:02:12
Michala Liavaag
Yeah, yeah, absolutely. I wouldn't say necessarily taking it away completely, but definitely reduced it. And yeah, if there is an incident, you're in a better position then to sort of defend your case with the regulators.
00:11:02:13 - 00:11:09:23
Penny Wilson
You mentioned five basics that organizations need to have in place. Can you run us through what those five basics are, please?
00:11:10:17 - 00:11:42:01
Michala Liavaag
Yeah, so some years ago the government introduced the Cyber Essentials scheme, and the idea being you've got these five basic areas that we call sort of cyber hygiene. The first one that's most important is access control, so knowing who works for your charity, the identity of everybody, and that can be really challenging actually when you've got a lot of volunteers, or perhaps, you know, partner with universities, so maybe you've got students and things as well. But there's all sorts of, the more you dig into this, there's actually quite a lot of things to work out. So, and again, obviously it's easier, smaller charities have an advantage if you're smaller in this case, where for the larger charities it's really quite a big headache. So that's the first thing: who do you have, you know, working on your class? Where are they working? Are they using your own kit or are they actually using their own personal kit? Because that's going to introduce different risks as well. What systems do they need access to? In a smaller charity it's very easy to default to just giving everybody everything, whereas we would generally say you need to operate on a principle, we call it least privilege, so you only have access to what you need to at the time that you need to, and if you sort of follow that rule, generally you don't go far wrong. One of the things that people would want to do from just a point of view here is, again, if you're smaller or medium-sized and you outsource your IT, is looking at, you know, their processes: what do they have in place to protect you and your data? So that's a really key area, about access control. It also looks at, so not just the identity part and the authorization parts we've talked about in terms of who can have access, you know, and who's allowed to, but also the authentication part, and when I say authentication, that's about proving to a system that you are who you say you are. I really can't overstate the importance of enabling multi-factor authentication. In authentication we talk about there's something you have, which could be, say, a phone with a mobile app on it; there's something you know, which is your password typically or a PIN code; and then something you are, and with these modern, like, say, smartphones, for example, we're using our biometric data, so it might be my face that authenticates me, might be my fingerprint or my voice print. The more combinations of those you use, the extra hurdles you're putting in front of an attacker or somebody who might be trying to, you know, get that data. You've probably all seen the news recently about the Uber breach. One of the things that perhaps stands out about this attack is that they used a technique called MFA fatigue, and what that means is, you know, if you have an app, and instead of it generating a code it just pops up and says somebody's trying to log into your account, was this you, and you say approve or not. What the attacker does is they just keep sending you this thing over and over and over, and after, I don't know, 60-odd of these things, most people are just gonna go, oh, shut up, you know, and approve it. And that is when the attacker can then, having gotten into your system, they can then add their own device for multi-factor authentication, and after that they don't need to bother you anymore; you won't know. The other thing we then think about is the sort of secure configuration of the devices that we use. So if it's a large charity you'd probably have IT that are locking things down and making it secure to protect that information. If you're a small charity then you don't have that luxury, so then it's a case of thinking about, okay, who can actually physically access my device? Do I have one account that does everything on the device, or do I actually split it and have one administration account that I only ever use when I need to install something or update something, and then I do all of the charity work generally on a normal account? And that I would recommend, by the way, because if, again, you're doing normal charity work and, say, a phishing email comes in, so that's when somebody's trying to deliberately get your username and password, for example, if you accidentally click on that and it installs or tries to install some malware, because you have split out the administration from your normal account, that will stop a lot of it, not all of it, but quite a lot of it. So it's really worth doing that as part of this. As you go on from sort of thinking about the actual configuration and security of the device, you're then going to things like keeping up to date, we often use the term patching, whether it's your mobile phone, whether it's, say, an Xbox that your kids have, or adults, you know, whatever it is.
00:16:46:11 - 00:16:46:20
Penny Wilson
No judgment here.
00:16:47:19 - 00:17:16:03
Michala Liavaag
I'm a gamer, so, you know, we've got lots of devices here. But when you get that prompt about updating the software, do it. Don't operate on the kind of old-fashioned idea of "if it ain't broke, I won't touch it". It is just not worth the risk; just do the update. Larger organizations will have processes in place that test updates before they sort of roll them out across the organization, and again, as trustees, that's one of the things that you can challenge and check: you know, how are you actually getting these updates out? What percentage of, you know, devices are up to date? How long is it taking you to get everything up to date? So, well, yeah, make sure you're doing that on personal devices and work devices. It used to be the analogy of your information was in your castle, like the crown jewels, and you'd have all the sort of doors and locks and the guards and all that protection, you know, around the castle with your moat, etc. That's no longer the case, because we're taking our information and storing it in the cloud, and again, post-Covid, a lot of people are working from home, so we no longer can rely on "it's in this secure area at work, it's all good". So thinking about how do you protect those sort of connections between wherever you are and where your data is, to get to it, how are you doing that, is it secure? One of the key things you can do, again especially smaller charities, but it applies to large ones as well, is use a VPN, which stands for virtual private network, and if you'd like to know a bit more about how that works, again we've got a separate episode on that. So we're probably all used to, you know, having some sort of antivirus software on your PCs, and you can also get it on your mobile phones, so if you haven't got it on a mobile device it is worth doing that as well. That's really important, again, you know, protecting your mobile devices, because so many of us now access information through that mobile device.
00:19:01:00 - 00:19:23:03
Penny Wilson
Right, thank you. I mean, this has been really, really interesting. I feel that I know a lot more about what cyber security is, but I understand the kind of bits of information that it, you know, pertains to, and you've talked to some of the controls, and I know that people can delve into other episodes to learn more about those. Let's talk about where trustees might start. So let's start with smaller organizations, where trustees might be the only operational people, or they might, you know, only have one or two part-time members of staff. If they're thinking "I've never thought about this issue before", what should they do first? Where would they start in a small organization?
00:19:39:21 - 00:20:10:24
Michala Liavaag
Okay, so there is a really helpful resource on the National Cyber Security Centre website, which we can add to the show notes for you, that takes you through a little check. It just asks you a series of questions about what you're doing, and then it tells you, in response to those answers, some of the things that you can do and focus on right now. So if you're completely starting from scratch, that's probably where I would start. There's also the Small Charity Guide that they produce, and that again provides some information, a bit more about some of these basic sort of hygiene things that you can do and put in place. What it doesn't really talk about, though, that I think is quite important from a sort of information governance perspective, again, is understanding just what you have. So know what information you've got and where it is, who's working for you, what devices people are using to access the systems, what are your physical locations, do you have filing cabinet storage that you need to think about, what suppliers are you working with, or are you providing services sort of to other businesses who then provide services on to our beneficiaries. So think about that whole supply chain. But right at the start, just start with that nice simple checklist and then build from there. It's an iterative process. We always say that cyber security is a marathon, it's not a sprint, so just get to the starting line, and just as you train for a marathon, start small and you build up.
00:21:24:07 - 00:21:44:10
Penny Wilson
That sounds like a really good, manageable starting point, and I'm posting to helpful resources. And if you're a trustee of a much larger organization, an organization that's probably got an IT department, if you joined a board and you were wondering, I wonder what this organization is doing about cyber security, where would you start there? What kind of questions should trustees there be asking?
00:21:44:22 - 00:22:09:05
Michala Liavaag
I would probably be having a conversation, and want to have a bit of a talk, whether it's a CIO that's in place, Chief Information Officer, or whether perhaps they've just got a head of IT. Again, different organizations have different models, but whoever's responsible for that, it gives a sense, you know, just have them talk through what the setup is in that organization and how they handle things, so you get an understanding of it. Once you understand where they're at, then you can start sort of probing into those things a little bit more. So are they using, for example, standardized good practices? There's something called ITIL, the IT Infrastructure Library, but there's other versions too, around the wider point of IT service management and how you deliver IT services. So asking the question around, well, you know, what processes do you follow for IT service management, what have you actually implemented? As a starting point, the thing you would expect to hear back is that they would at least have request fulfilment, incident management; they may have problem management, especially the bigger charities, you actually want problem management, and change and configuration management. From a cyber security perspective it's the change and configuration management that's really crucial. So when I say this phrase configuration management, what that means is, you know, I've said about all the assets, you know, where they are, who's using them; that all comes under configuration management. It's about the relationships between them, and when you understand that, if there's then a change to one of those, you understand the impact that goes on. So as a trustee, being aware that your IT does have a change and configuration management process will straight away mean that you're that notch higher again in terms of cyber security, because at least they have visibility of what they've got and are then managing it. If you just hear that maybe they're doing incident management and nothing else, then you might want to sort of think about, well, actually, how are you managing, you know, all the stuff?
00:24:07:24 - 00:24:25:18
Penny Wilson
Then for many, I'm already feeling frightened now by what you're saying, because I know I wouldn't know how to ask these questions. I'm going to forget the terms, but presumably for larger charities there must be consultants who'll come in and do reviews as well, so you can get an external audit report a little bit on this. Yeah, I was thinking about two things as well, Michala. I was thinking about the risk register, and I'd love you to say about that in a minute, I know that's one of your bugbears as well, but also this diplomacy, and this isn't just a cyber security issue, but a trustee coming in talking direct to senior staff. I think we need to be careful, don't we, that that is seen positively, that the CEO or equivalent is happy with that, but the staff see this as something really positive, that probably a trustee has never come to talk to a Chief Information Officer or a head of IT, and actually how do we position that so that they think, brilliant, you know, I've been banging on for years about how important my area is and finally a trustee is asking me about it. So trying to couch it all very diplomatically is going to get us to where we need to be, isn't it?
00:25:08:14 - 00:25:33:15
Michala Liavaag
Yeah, absolutely, and it does just come down to the culture of the organization, because you're actually right, there are some organizations where, yeah, it's like the trustees are up here, you know, the staff who are in the front line are down here, and the executive are like, never, never meet, you know. That doesn't really sort of contribute very well to transparency and sort of that, you know, trust, and from a governance point of view I might just see that as a bit of a red flag myself. Then you've got organizations who support the trustees in doing and fulfilling their role with governance. But when you onboard a trustee in the first place, it's really good if you have a solid induction for them, and, you know, it could be that at that point they get to meet some of these key people, and they can ask those questions and get a sense of what it is they are now responsible for.
00:26:06:24 - 00:26:26:14
Penny Wilson
That's an immediate action we could all take, isn't it, which is, you know, how much of this stuff is in our inductions, for the staff and the trustees? And I'd imagine actually in larger organizations, for the staff a lot of this is probably standard, but not necessarily, but I don't think it's standard for trustee inductions. I think it's easily wholly missing from most trustee inductions. So an action there for us to think, right, yeah, let's sort that one out.
00:26:30:13 - 00:26:32:05
Michala Liavaag
Absolutely, yeah, definitely.
00:26:32:08 - 00:26:38:02
Penny Wilson
And what about risk registers? What are your thoughts on how they should be appearing on risk registers?
00:26:38:02 - 00:26:57:03
Michala Liavaag
It will vary depending on the size of the organization. If we start with a small one, first of all you might have a sort of quite basic risk register where you've just got maybe sort of 10 or so things on it, in which case you might just want to have sort of one thing that covers everything around information and cyber security. We talk about in our field the CIA: the confidentiality of information, so that you only have access to it if you need to; we talk about the integrity of information, and by that we mean that only people who should be able to change it can do. Integrity and accuracy of information can be really crucial, finance for example, one digit here or not can make a difference. In IT it's really important that we use the correct numbers to identify different machines; putting one full stop or something in the wrong place, one digit out of place, huge impact potentially. So integrity is really important, and I know that generally speaking when we talk about trustees and integrity we'll be thinking more about the sort of ethics side of it, and, you say, the values, but this is more about the integrity of information. And then we'll talk about A for availability: so is the information accessible and available to the people that need it and are authorized to access it, at the time that they need it. Those three things, the CIA, are what you can throw into that risk on the risk register. An example might be: there is a risk that information that we hold could have a compromise of confidentiality, integrity, availability, which could result in, it could be potentially fines from a regulator, it could be reputational damage, and that's obviously the key thing that us charities really care about, the reputational damage, because that will then potentially impact on the income from people. You know, thinking about that, that, you know, there's a risk that this could happen and this is the impact to us if it does. So you can roll it all up into that one thing if you're a smaller charity. In terms of larger ones, what you'll want to do is start breaking that out and thinking about the different types of scenarios that could give rise to that thing happening. So I might have an overarching risk, for example, but think about different scenarios. I mentioned earlier about phishing, that could be one; ransomware has been big in the news, where, you know, people, these malicious actors, throw malware onto your machines and lock it up so you can't use it unless you pay a ransom. And nowadays, actually, just to let you be aware of this, increasingly what they're doing is what we call a double extortion: while you think you're happily working away and nothing's wrong, in the background they're stealing data, and once they've got that data, that's when they then lock your machine down and say pay the ransom, otherwise we will publish this data. Whichever size they are, they need to be living; they're not just something you put together, shove on a shelf and don't look at for another year. Information and cyber security is changing all the time, so keep that risk under regular review and focus on your objectives as a charity. Do you know, I mentioned about the scenarios, there's a wonderful way of approaching this which is about objective-centred risk management, and of course there's a separate episode with a lady called Sabrina Segal where we go into more depth on this. But there are so many sort of scenarios out there, just focus on the things that are going to directly prevent you from achieving your objectives as a charity. So start with your objectives and think about what could stop us from achieving that.
00:30:46:00 - 00:31:19:13
Penny Wilson
Thank you. And I've had a women's refuge, not a particular women's refuge, but I'm thinking about a women's refuge as you're speaking about the risk register, and thinking actually there's some really drastic potential impact there of residents' data being out there and getting into the wrong hands. What are the most common breaches? And, I mean, not necessarily named examples, anonymous examples, or your sense of what is happening most frequently in terms of problems?
00:31:19:13 - 00:31:56:03
Michala Liavaag
One of the resources that you could take a look at is the Information Commissioner's Office; they publish a quarterly review that analyses and looks at what people are actually reporting to them. Typically most of it is actually around paper-based information, maybe somebody leaves something on a bus. And then also one of the biggest ones is about unintended disclosures via email, because somebody's put in the wrong address, or perhaps somebody's forwarded a chain on. This is one of the most common things: there'll be something really sensitive right down the chain, and because nobody's actually deleted that trail before forwarding it on, that sensitive information can end up in places that you never expected it to be.
00:32:09:15 - 00:32:15:17
Penny Wilson
You can set that in your email settings, can't you? You can have that set so that it doesn't forward on what's gone before.
00:32:15:24 - 00:32:18:06
Michala Liavaag
You can in some of them, yes. Not all of them, I don't think.
00:32:18:18 - 00:32:25:03
Penny Wilson
What strikes me about those examples is they're all very human, aren't they? You know, it's a mistake; people have made a mistake.
00:32:25:03 - 00:33:04:08
Michala Liavaag
Yeah, and actually the latest Verizon Data Breach Investigations Report found that, I think off the top of my head, it's 84 or 86 per cent of data breaches all came about due to some sort of human error, some sort of human factor. Particularly big organizations will happily spend lots of money on technical whiz-bang solutions that claim to secure your organization, when actually if they spent a fraction of that in helping support their staff, not just through education and awareness, and I don't mean just doing e-learning once a year, but the processes. One of the most important things that gets overlooked, I think, is core process design, because you can engineer out a lot of risks if you look at your business processes. Do you understand your business processes? Do you know where that data is going? If you are just by yourself it's relatively easy to figure that out. If you've got multiple teams and the data is going between them, it's a really great way to put people together as a workshop and have them map it out and talk about where those routes might be.
00:33:48:03 - 00:34:08:11
Penny Wilson
One example of that being, you know, you're taking personal data in via some sort of registration form, and that is sitting in a nice secure bit of software which is all locked down, people have their logins, and you've thought about everyone who hasn't got a login. But it's also coming via email and they're forwarding it all over the shop, and actually that's an unnecessary part of the process that you could probably just completely remove by telling people to log back in when they need to see the original data.
00:34:17:00 - 00:34:37:06
Michala Liavaag
Yeah. The other thing that is a bit of a loophole to watch out for with this is, quite often, some of these systems, particularly when you can't afford the kind of whiz-bang ones that have all the extra controls in but they make you pay for it, which is again a pet peeve; people shouldn't have to pay extra for security, in my view, it should be part of the core offering anyway. Let's say I've logged into that system and I run a report, but for me the reporting capability in the system is absolutely useless, it's not giving me what I want, so instead I click on this extra useful button about exporting it to Excel. So I take all this data out to Excel, I do what I like with it, I save it in a particular drive which maybe then gets synced to somewhere else, and all of a sudden you don't know where your data is, and before you know it there's a data breach. So that's something to watch out for as well: do the systems you use actually address the needs of the people who are doing the process?
00:35:18:20 - 00:35:37:14
Penny Wilson
And I guess, in a way, we're here to talk about trustees, and actually I'm nodding along at this as a CEO of a small charity. And I guess the CEO of a very large charity wouldn't be mapping the processes within their organization, nor would the trustee of a large charity be doing that, but a trustee of a very tiny charity, particularly a charity with no staff, which after all is most charities, they would be doing all this. And actually you're a volunteer trustee, you've got other stuff going on in your life, whether that's a day job, caring responsibilities, of course, other volunteering; you're always trying to use your time well, you're obviously short on time, aren't you? So actually you're just getting stuff done and you've probably got your brain focused on what are the frontline things we're trying to deliver here, and I think many people probably haven't thought about these processes and where people's data is going. So it's very helpful for trustees and smaller charities.
00:36:18:19 - 00:36:33:05
Michala Liavaag
And that comes back to what I said about: what are the objectives of the charity, what are you there to try and achieve, and therefore which business processes help you achieve that? And then start there; look at the risks around those particular processes.
00:36:33:14 - 00:36:54:17
Penny Wilson
Yeah, thank you. I want to ask you quite briefly about this one, which is about insurance. And I find this with trustee responsibilities, that people think, oh, we've got insurance, so therefore job's done, and my suspicion is you're probably going to say the same about insurance for cyber security. But tell us: is it part of a standard policy? If it isn't, what should trustees be aware of if they're thinking about insurance, and how much protection is insurance really going to provide?
00:37:02:20 - 00:37:44:20
Michala Liavaag
And you'll be pleased to know we have a separate episode that goes into this in more depth. The insurance industry has definitely been changing a lot as, obviously, this threat's been increasing over the years. Some of them will have some sort of basic protection around cyber security already built into their core policies; we're seeing that a little bit more now, but mostly there are separate cyber security policies. Depending again on the size of your organization, there will be different things that that insurance company is looking for from you to commit to in order to be willing to provide you with a level of cover, and one of those things is, as I mentioned earlier, Cyber Essentials. So as an organization, if you're certified in Cyber Essentials then you are likely to get a better premium, for example, and then if there is a claim you're more likely to have it paid. No guarantee, this is the thing, because if a breach happens but you've not been doing the basics and they think you were negligent in that, then they're probably not going to pay out.
00:38:15:11 - 00:38:29:05
Penny Wilson
And I think I heard in one of your other episodes, from the policeman, about it: it's like leaving your doors open. What's the point in having home insurance if actually your door's wide open? They're not going to pay out to you.
And I guess some of the other bits you were talking about earlier, you know, harm to beneficiaries, the safeguarding issues, reputational risk, all of that. An insurance payout doesn't cover any of that.
You know, it doesn't take away the damage that's been done. Really interesting. Thank you.
00:38:47:00 - 00:39:03:01
Michala Liavaag
Can I just say one thing for small charities, sorry, with the Cyber Essentials scheme: if you do certify through IASME, it comes with, I think it's about 65,000 pounds of insurance cover, so that's worth just being aware of.
00:39:03:01 - 00:39:21:24
Penny Wilson
Okay, that's good to know. I wanted to ask you: on the one hand it's very easy with this topic, isn't it, to talk about all the risks and the bad stuff and stuff that could go wrong, but what really motivating thing would you say to trustees to encourage them to educate themselves about cyber security, to take action here? What is the positive slant on this?
00:39:22:08 - 00:40:05:02
Michala Liavaag
I think the positive thing is, and again it's different depending on what sort of charity you work for as to how you might spin that, but fundamentally, again coming back to charities and what we're about, it's about caring. We want to make a difference, and security of your beneficiaries' data is one way you show you care. If you are a sort of charity who is maybe providing services to others and you have contracts, then good security will help you win more business.
00:40:05:08 - 00:40:14:15
Penny Wilson
You've very helpfully signposted lots of resources as we've gone on. We're going to put some stuff in the show notes, but what are the main good places to go to?
00:40:14:22 - 00:40:45:14
Michala Liavaag
You've got a wealth of resources on the internet; how do you know which are the good ones? So what we've done is we've actually created something we call the Ring of Resources for charities, like security resources, and it takes you through the kind of process of identifying what you've got, and then these are the resources you should go and look at; then what protections to put in place, these are the resources to look at; right through to detecting an incident and how you respond to it. Do absolutely have a look at that if you haven't already. I would say to people the key places other than that are the National Cyber Security Centre, and they have a charity engagement team who are keen to support the sector. Across the country there are cyber resilience centres which are police-led, but they're partnering with private sector and other organizations across the country, and they provide some of these services around looking at your policies, looking at your security controls technically, perhaps doing a vulnerability scan of your website, and they do that at really rock-bottom prices, because the police have recognized that the crime they used to see on the streets is now online and so they need themselves to get with the times and help protect people in that way. Obviously there's a section about this on the Charity Commission site, the Fundraising Regulator site, the Direct Marketing Association's, so there are lots of things out there. So depending on which thing you think is going to impact your objectives and your achievement of those, I would maybe give you different resources for those. So if people have a question, please just reach out to us at Cybility Savvy; I'm more than happy to signpost those people, hop on a call for a few minutes and point them in the right direction.
00:42:24:03 - 00:42:30:20
Penny Wilson
What a fantastic offer. So we're at the end, and I want to ask you: is there anything that you wish I had asked you?
00:42:31:08 - 00:43:14:22
Michala Liavaag
Probably something around how do we know what to do if there is actually a cyber security incident in our charity. So the answer to that, again, will vary depending on your size, but fundamentally it will be a process around identifying what you think has happened, analysing that, containing it, particularly if it's malicious software, so that it can't spread any further, or if it's, say, somebody accidentally published something onto the website in response to an FOI request, for example, taking that data down. So whatever it is, containing it, limiting the scope of the damage. And then in terms of how you respond and recover, that's going to look very different depending on the size of your organization, so you might deal with it in the scope of a day; for others it could be weeks and months of recovery, like for example the one that's affected the NHS recently. But what you can all do is come up with a plan now, before it happens.
00:43:43:05 - 00:43:44:07
Penny Wilson
What's the process?
00:43:44:13 - 00:44:23:16
Michala Liavaag
What's the process? Who do you need to contact? Who do you need to bring on board to help you with this process if you don't have people in-house? And there's a great sample plan from the South East Cyber Resilience Centre, actually, so that's a really good one, particularly for small charities. And then for the larger ones I'd say have a look at the incident response guidance on the National Cyber Security Centre website, and also the CREST website has some great stuff around incident response and buying support services for that. Some insurance companies will provide it, by the way; if there's an incident you can claim and ask for their support.
00:44:27:03 - 00:44:50:13
Penny Wilson
Okay, that's a good tip, thank you. Yes, that would have been an excellent question. I asked you the question you wanted me to ask. So to an end, Michala, I hope you've enjoyed being the guest, even if that means you don't ask such evil questions.
00:44:51:00 - 00:45:01:04
Michala Liavaag
Yeah. And thank you for hosting and putting me through my paces today. It's definitely been a fun and very different experience. So thanks again.
00:45:01:11 - 00:45:04:02
Penny Wilson
It's a pleasure.
00:45:04:02 - 00:45:14:06
Michala Liavaag
Okay. Thanks very much, everybody, and we'll see you next time.