Key principles and practical guidance for charities navigating cyber attacks

11 November 2021

Ransomware is a persistent risk to the security of your data. If we’ve learned anything over the past 18 months, it is that protecting your IT infrastructure is crucial. Having a cyber policy will help you avoid a loss in the event that your IT infrastructure comes under attack. Charities collect and retain a range of sensitive data that is considered valuable to criminals. Personal data, customer data, bank details and employee details are assets that make charities an attractive target for criminals.


A cyber attack on a charity can severely affect that particular charity, but it can also impact the whole charitable sector, making the donating public nervous about giving their personal information to charities.

Owned by a charity ourselves, Ecclesiastical Insurance Group have over 130 years of experience and deep knowledge of the charity sector. We have built a huge understanding of what needs to be done to prevent ransomware and other cyber attacks against charities.

To help you avoid a ransomware loss, Ecclesiastical recommends three key areas in which your charity should invest:
  • Invest in your IT infrastructure
  • Invest in training and awareness
  • Invest in transparency

Invest in your IT infrastructure

Investing in your IT infrastructure is key to reducing the likelihood of ransomware attacks. Anti-virus software and firewalls prevent hackers from getting in in the first instance; charities must keep these up to date in order to avoid emerging threats. Backing up your IT systems at least every seven days and keeping the backup separate from your day-to-day operating systems means you will have a copy to fall back on if the worst happens.

Invest in training and awareness

Employees can be the biggest threat to your IT security, which is why investing in training your staff on what they need to look out for and what they need to be aware of is vital. When a potential threat arises, their first thought should be “this doesn’t look right, there’s something wrong here”. Cultivate a curious mindset so that staff stop and think before they click a suspicious link.
Making your employees aware of the threats, and ensuring they understand how to spot a potential threat and react to it quickly and correctly, will reduce the risk of your organisation becoming a victim of a ransomware attack.

Invest in transparency

When a cyber attack happens, timing is crucial, which is why your organisation must encourage an open, transparent and blame-free culture. Your employees must feel they are able to approach you and tell you that they’ve made a mistake or clicked on something they perhaps shouldn’t have.
Stressing the importance of reporting any suspicious or potential IT threats will help avoid cyber attacks and enable the issue to be resolved more easily and much faster. If an employee sits on a potential threat because of some perceived penalty, the risk to your organisation becomes much greater. Investing in transparency can reap real benefits.

Ensuring your policy has you covered

Having up-to-date insurance cover is critical to help you respond to a cyber attack. However, your insurance policy will have some conditions you must fulfil in order for it to be operative. Don’t wait for something to happen: read your insurance policy as soon as it comes out so you understand the terms and conditions. You will then know what you need to comply with to ensure the policy will operate if you are the target of a cyber attack.
For example, with cyber cover, insurers are likely to insist that you have up-to-date anti-virus software and firewalls, and that you regularly update these. Failure to comply with these requirements may render the policy inoperative. Ecclesiastical Insurance advises that long before anything happens, you study the policy conditions so you can comply with any requirements.
When you’ve had a cyber attack, timing is critical and it’s essential that you contact your insurer as soon as you can and advise them of the event. This call will trigger a series of responses and actions and will identify what resources you need, including an IT consultant and perhaps some legal advice.
The Data Protection Commission puts strict timelines on your response to these attacks and it is crucial that you comply with these requirements.
As insurers, Ecclesiastical Insurance is here to help our customers, both with advice on how to avoid a ransomware attack and with support in the event that your charity becomes a victim of cyber crime.