Last week we held our third Quarterly Charity Technology Roundtable, hosted by Microsoft Tech for Social Impact. In this blog, we summarise our discussion on cyber security, including risk management, BYOD, reducing risk of human error and systems gatekeeping.
Compliance Frameworks, Risk Management, Reporting
- It is good practice to define the framework(s) or standard(s) that are suited to your organisation, to kick off the conversation around cyber maturity. You can blend the best bits from different frameworks, such as NCSC 10 Steps, NIST, ISO27001, NHS DPST and Cyber Essentials to help define to stakeholders what “good” security looks like and baseline your position against these.
- Cyber insurers are driving standards and good practice, and adhering to these can lower your premium. Engage with them to ask for help in defining which gaps you should prioritise, to inform your Business Case to the board.
- Supply Chain Risk Management is an emerging theme, as services move away from on-premises to cloud. This needs to be more than a tick-box exercise, with suppliers being asked to demonstrate their compliance and security standards on an annual basis. A good tool to help drive this conversation is ensuring Data Protection Impact Assessments (DPIAs) are conducted and audited.
- Cyber risks should be on the Corporate Risk Register and socialised with the board regularly. The risk is a business risk that doesn’t sit just with IT. There is an opportunity to raise awareness, using the above to drive the case for investment in cyber. Don’t forget to report on successes too, such as cyber training or phishing simulations.
Bring Your Own Device (BYOD)
- Microsoft 365 comes with powerful controls to allow BYOD at a lower level of risk – for example, Intune device management profiles specifically for non-corporate devices; Conditional Access policies that allow web-browser-only access to 365 without the ability to download; and Compliance Policies that ensure devices are running supported operating systems. Most of these features are included in common existing licences such as Business Premium and E3.
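As an added illustration of the browser-only BYOD pattern described above (this is example code, not from the roundtable or from Microsoft’s documentation), the two Conditional Access policies below, created with the Microsoft Graph PowerShell SDK, do the following: the first requires a compliant or hybrid-joined device for desktop and mobile apps, so unmanaged personal devices cannot use Outlook or OneDrive sync; the second allows browser access but turns on app-enforced restrictions, which SharePoint Online then uses to block downloads. The group ID, tenant name and policy names are placeholders; both policies are created in report-only mode so you can review the sign-in log impact before enforcing.

```powershell
# Added example, not code from the blog post or from Microsoft.
# Assumes the Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules are
# installed, and that the signed-in admin holds the listed Graph permission scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: object ID of the security group containing BYOD users (e.g. trustees).
$byodGroupId = "<object-id-of-BYOD-users-group>"

# Policy 1: desktop and mobile apps require a managed (compliant or hybrid-joined) device.
# Unmanaged personal devices therefore cannot use rich clients that cache or sync data.
$requireManagedDevice = @{
    displayName   = "BYOD - rich clients require managed device"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = @{
        users          = @{ includeGroups = @($byodGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("mobileAppsAndDesktopClients", "exchangeActiveSync", "other")
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("compliantDevice", "domainJoinedDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireManagedDevice

# Policy 2: browser access is allowed, but with app-enforced restrictions so that
# SharePoint Online / OneDrive present a limited, no-download web experience.
$browserLimitedAccess = @{
    displayName     = "BYOD - browser only with limited access"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users          = @{ includeGroups = @($byodGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $browserLimitedAccess

# SharePoint Online must be told to honour the restriction. Placeholder tenant name.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
```

Two caveats worth checking before enforcing: confirm that the BYOD group does not also contain staff with corporate devices who need the desktop apps (policy 1 would not affect them, since compliant devices satisfy the grant control, but it is worth verifying in the report-only sign-in logs), and remember that app-enforced restrictions only apply to SharePoint, OneDrive and Exchange Online, so other cloud apps reached through SSO need their own session controls.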
- Azure Virtual Desktop and Windows 365 Cloud PC can also address BYOD by giving these users a fully managed cloud desktop within which they work, regardless of the end device. These only need to be licensed for the users who need them, rather than having to be provisioned for all staff.
- Trustees may not want a corporate device. If they only need access to board papers, secure SharePoint sites can be configured at no extra cost, allowing them to access papers with their personal email address as a Guest. There are also 3rd party platforms like BoardEffect that can solve this challenge without the cost and overhead of giving them a corporate device.
People – reducing risk of human error
- The charity sector is the 3rd most targeted sector in the world. Over 90% of successful attacks still happen via email and are triggered by human error. People are our biggest risk, so continual training, awareness and testing is one of the best protection measures we can invest in.
- Regular, shorter, bite-sized content, with reminders, is more effective than long annual courses. One example of good practice was a 30-second daily Cyber Security Quiz that all staff answer each day, gamifying the topic.
- Managers – backed up by HR – should police training. Consider internal enforcement and consequences to ensure staff take cyber security training seriously, like they already do with Safeguarding.
- Microsoft Learn is a good resource for cyber upskilling of internal IT staff, and the Nonprofit training and resources centre is useful for wider staff (courses will need curating into a library of mandatory, recommended, etc.).
- Phishing simulations are best practice for testing knowledge. Microsoft offer a fully integrated phishing testing platform, including directing staff who do click to training. Results should be shared with all staff (anonymised).
- Regularly sharing news of ICO fines at other charities, and recent examples of sophisticated phishing emails, with all staff helps them see this is a real threat and keeps awareness up.
Budget & Spend
- Cyber spend can be limitless; using the frameworks is a good place to surface the gaps, drive the conversation around what the “right” level of protection (and therefore cost) is, and socialise this with the Board to ascertain their appetite for moving up the maturity scale.
- Consider a separate, ringfenced Cyber Security budget outside the standard IT Budget, with the potential for IT savings to be reinvested in Cyber as a rule of thumb.
- A lot of charities are consolidating / rationalising their cyber tools and systems into the Microsoft stack, for example replacing 3rd party email filters with Defender, and replacing 3rd party antivirus tools with Endpoint Protection. Very often this will save money and make management simpler for IT.
- Consider fractional, independent expertise to help steer and advise on your cyber strategy without the wage bill to match, e.g. a vCSO.
System Approvals & Gatekeeping
- Centralising all IT procurement and spend (including business applications, cloud subscriptions, etc.) so it is tracked in one place also helps reduce the risk of Shadow IT.
- Microsoft Cloud Discovery is a very effective, low-cost tool to identify all the “other” apps in use within the organisation that IT may be unaware of, helping to drive conversations around governance, control and security.
- Whilst many organisations will have 3rd party compliance forms, it is hard to enforce these after contracts have been signed. Procurement should require any supplier to evidence their cyber security controls before being appointed – possibly including a “Standard” and an “Advanced” version of the questions where the system is to hold sensitive information.
- Single Sign-On is a good way to help improve security across the plethora of cloud apps. A “Single Sign-On By Design” ethos is a useful tool here, mandating that SSO is a core requirement for any and all applications, not an afterthought.
Free Cyber Security Consultations
Would you like a free 1-to-1 consultation from one of our qualified InfoSec experts on Cyber Security at your nonprofit organisation?
We’re offering free 45-minute consultations where you can get practical advice and answers to any questions you may have around cyber security.
Free Microsoft Cloud Security Assessment
Smartdesc partners with Microsoft’s Tech for Social Impact team to help charities and nonprofits move forward on their cloud security journeys.
We’re offering nonprofits a complimentary and detailed Cloud Security Assessment to help you quantify how securely your Azure and Microsoft 365 estate is configured in order to improve your digital security.