Cyber Security Guide - Managing

20 Apr 2022
Like any security process, cybersecurity will need to be maintained. This section will provide some straightforward guidance to help with that, including how to get insurance and how to make sure your board has proper oversight.

You’ve taken steps to make your organisation more cybersecure. Now you should do two more things:

  1. Maintain that security
  2. Capitalise on it

Like any security process, cybersecurity will need to be maintained. This section will provide some straightforward guidance to help with that, including how to get insurance, how to make sure your board has proper oversight, and how to make sure your staff and volunteers help with cybersecurity in appropriate ways.

It will also help you capitalise on your new and improved security. You’ve made your organisation safer and more robust, which is great.

You could, and probably should, get accreditation. You should definitely tell funders that your organisation is well prepared for modern ways of working, modern opportunities - and modern threats.

This section will take you through everything you need to do.

Contents

  • Basic tips for staff and volunteers
  • Basic tips and toolkit for the board
  • Cybersecurity insurance
  • How to get accreditation
  • How to communicate that you are cybersecure (including to funders)
  • Signposting

Basic tips for staff and volunteers

If your organisation is run entirely by one person, or by a small group of people who all took a full part in helping you become cybersecure, there is no need for broader communication with other staff and volunteers.

In all other circumstances, it is important to make sure that everyone involved in the organisation’s day-to-day work has a basic understanding of the steps you have taken and what any new processes are. Everyone will need to know:

  • A simple overview of how the charity has become cybersecure
  • Their own role in maintaining this new security

The first part should be straightforward. A brief outline of the steps taken by the organisation will do the trick.

The second might differ from person to person, depending on their role within the organisation. If they use secured accounts, they will need to know how to stick to the new password policy. If they use devices, let them know how to keep those secure, keep apps up to date, and how to spot phishing. If they are involved in handling data, tell them how to follow your security policy – and also how to back up information, if that is part of their job.

Communicating your security policy clearly is itself part of having a good policy. For instance, you could have a great process for keeping devices secure in theory, but unless everyone handling those knows what this policy is, your cybersecurity is at risk.

The National Cybersecurity Centre (NCSC) has an online lesson aimed at staff members and volunteers that covers the basics. It takes around half an hour to complete and any beginners should feel more confident if they use this service.


Basic tips and toolkit for the board

You will want your board to know how you have become cybersecure.

While board members are not usually involved in day-to-day operations – and, if any of them are, the basic tips for staff and volunteers apply – their role in scrutinising the organisation is vital. This includes an ability to assess cybersecurity.

Board members don’t need to be technical experts, but they need to know the basics about what cybersecurity is and about how being cybersecure will boost your organisation’s work and lower its risks. This will allow them to perform their role as scrutineer and help them set targets, as appropriate.

Questions that board members should feel confident in asking include:

  • What has our organisation done to make itself cybersecure? Is this sufficient?
  • Who has responsibility for ongoing maintenance of our cybersecurity?
  • How are we going to assess that cybersecurity is maintained on an ongoing basis? Have we established a baseline, do we need to set any targets, and what structures are in place to make sure we can assess whether our cybersecurity is effective in future?
  • Do we, as a board, fully understand how cybersecurity affects not just the organisation, but also our role in overseeing it?

This NICVA guide is a good starting point for anyone who wants to know about cybersecurity. Our tips should allow them to ask important questions about how you are adapting to the digital age, in the same way it will help you prepare your organisation for modern risks.

Board members should also be aware that, as senior people within an organisation, they themselves could be the target for cyberattacks. We recommend that, as well as establishing a cybersecurity baseline for your organisation, they make sure their own digital security is up to date.

While they are usually not involved in daily tasks, your board will have an active role to play in response to any cyberattack or breach of cybersecurity. They will need to act quickly, working with staff and volunteers, to ensure your incident response plan is rolled out smoothly and effectively. They may also be part of that plan, for example in telling stakeholders (including service users, regulators, funders and the media) what has happened, what the consequences are, and what is being done to repair any weaknesses and fix any damage.

For that reason, board members should be just as knowledgeable as your staff and volunteers, when it comes to your cyber incident response plan.

The National Cybersecurity Centre (NCSC) has produced a toolkit aimed at board members. This guide provides a more extensive set of advice than is found here. While the NICVA toolkit should cover all essentials, for any board member who wants to know more, the NCSC resource is highly recommended.

The NCSC also goes into some detail about the legal and regulatory aspects of cybersecurity. This should be useful for any board members – although they should also be aware that cybersecurity is an area of rapidly-changing best practice. What is deemed sufficient now might not tick all the boxes next year. As such, board members should be aware they may need to periodically refresh their own knowledge.


Cybersecurity insurance

Cyber insurance is like any other form of insurance. It is a safety blanket. In the same way that building insurance can be a huge help in the event of a fire, cyber insurance will offer you help in the event of a data breach, phishing attack, or other type of incident.

Like any form of insurance, cyber insurance will not solve all problems and will itself offer no protection against a breach. It can, however, greatly mitigate risk.

In fact, you may already have cybersecurity insurance.

If your organisation has any form of insurance policy, ask your providers if they cover cyberattacks.

When looking to either get your first insurance policy that covers cybersecurity, or to update your current policy, approach things in the same way as with any other insurance.

The most important things are that your policy is comprehensive and affordable.

To ensure a policy addresses all your organisation’s needs, it is important to ask providers the right questions. These might include:

What does the policy cover, and what does it not cover?

This does not just mean whether a policy covers different types of breach, such as a phishing attack or a lost laptop, but also the extent to which the consequences of a cyberattack are covered.

For instance, a ransomware attack could mean your digital systems become unavailable for a period of time, while a malware attack could cause a significant loss of data that itself both disrupts operations and requires that data to be collected again from other sources.

It is important to know whether your insurance covers the costs accrued indirectly following an attack, as well as direct losses such as a phishing attack resulting in a loss of funds.

Furthermore, cyberattacks are developing – and becoming more sophisticated – over time. Check whether your policy offers a reasonable cover for types of attack that might not even exist yet.

What cybersecurity services are offered as part of the policy?

Insurers may offer consultancy services or risk management as part of their policy. This may include providing resiliency planning in addition to financial protection.

This could be extremely useful, especially if you do not have these skills in house or find the cost of outside consultancy to be prohibitive.

However, while there isn’t really such a thing as being too secure, insurance is about balancing risk. Check the costs. Ultimately, the two core criteria for any insurance policy are that it comprehensively covers your organisation’s own individual needs, and that it is affordable.

What conditions are placed on the organisation in order to comply with the policy?

Insurers will also have questions of their own, including about the steps you have taken to minimise your organisation’s risk of a cyber breach, and what process you have in place to regularly bring your cybersecurity up to date.

Our section on how to communicate that you are cybersecure should help you answer their queries. If you need more information, read below.

When dealing with insurers, you might find the fine details of their policy difficult to understand. This might require a professional level of understanding, either of cybersecurity or of insurance law. The NCSC has published its own guide on this insurance, which may be of help, but if any conversations become too technical, and the insurer’s own customer service team is unable to make you confident about your understanding of their policies, then make sure you get some expert advice. Don’t sign up for anything you don’t understand.


How to get accreditation

Launched in 2014, the UK’s main scheme for cybersecurity accreditation is called Cyber Essentials.

Cyber Essentials was developed by the National Cybersecurity Centre (NCSC), in partnership with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF).

Organisations can gain certification that they have taken basic steps to protect themselves against common online threats. There are two tiers of accreditation, Cyber Essentials and Cyber Essentials Plus.

  • Cyber Essentials is suitable for all organisations, of any size, in any sector. It involves self-assessment, and currently costs £300.
  • Cyber Essentials Plus involves hands-on technical support from experts. The costs will vary depending on the size of your organisation and the technical expertise and workload involved in checking your security.

Accreditation is the clearest way for any organisation to show their cybersecurity is up to date.

The core Cyber Essentials certificate requires self-assessment, and the process is designed to be as easy to use as possible. Between NICVA’s toolkit and the accessibility of Cyber Essentials, most organisations should be able to handle this themselves. Further support is available in the NCSC’s large volume of cybersecurity tips. The IASME is also available to provide advice.

Bear in mind that Cyber Essentials accreditation is time limited. Certificates expire after 12 months. However, it should be noted that this is both understandable, and potentially useful. Cybersecurity is a fast-evolving area. Refreshing your security processes regularly is important. Reviewing your policies and practices on an annual basis, as a minimum, is highly recommended. Indeed, the technical requirements for Cyber Essentials accreditation have already been updated once in 2022.


How to communicate that you are cybersecure (including to funders)

All funders want to see best practice. This applies as much to organisational structures as it does to frontline services. And what is meant by “best practice” changes over time.

As cybersecurity becomes more mainstream, it will become part of organisations’ proper due diligence.

Funders, and other supporters, will want to know that charities are as secure as is reasonable and practicable.

The best way to do this is simple: tell them what you’ve done.

If you’ve followed NICVA’s starter tips you will have:

  • Backed up your data
  • Good password security
  • Protected your organisation from viruses and malware, and have a simple process to keep apps and other software cybersecure
  • A policy in place to protect devices like laptops, phones and tablets
  • Awareness of how to spot phishing and other scams
  • A plan to respond to a possible cyber breach

As well as being a checklist of things your organisation should do to stay secure, this is also a list of ways you can illustrate your own cybersecurity.

If you’ve used this NICVA starter guide, you can mention that. If you’ve delved deeper into resources from the NCSC (especially its Cyber Essentials accreditation scheme), mention that. The same for the Northern Ireland Cybersecurity Centre, or any reputable consultancy firm you have worked with on your organisation’s cybersecurity.

If you’re accredited in any way, flag that up. And, of course, if you have appropriate insurance, mention that too (please note that insurers will probably want to know all about the steps you have taken to protect yourself before they give you a policy – the advice in this section, combined with the section on getting cyber insurance, should put you on a sure footing).

When you have taken the steps to protect your organisation, you will already be well-equipped to communicate how cybersecure you have become.


Signposting

This NICVA toolkit is designed to be an easy-to-use guide to cybersecurity that will help anyone from an absolute beginner to someone with a fair amount of tech fluency.

It should help you understand what cybersecurity is, why it is important to all organisations, and help your organisation become cybersecure in a few simple steps.

However, there are lots of possible reasons you might want more information.

Any NI third sector organisation can contact NICVA for advice in this area.

Further information can be found in several places.

The National Cybersecurity Centre (NCSC) has a huge amount of resources and information. A lot of this is already concisely covered in this NICVA guide, but the NCSC toolkits are longer and go into more detail, if that’s what you feel you need. Their website has sections that go into detail about many of the specific aspects of cybersecurity, such as different types of threats or how to make sure you choose strong passwords.

The Northern Ireland Cybersecurity Centre (NICSC) works with Stormont and with the NCSC to try to improve the security of local organisations and businesses. They can help answer queries and provide general advice. They have a prominent role in the delivery of the NI Cyber Strategy - A Strategic Framework for Action, which is overseen by the Department of Finance.

 
