Cyber security is a business risk and needs to be understood, owned and led by sector leaders

Phili Wetton, Development Manager for the Association of Chief Officers of Scottish Voluntary Organisations (ACOSVO) shares an update on the organisation’s recent cyber initiative.

Through our membership body of 700+ CEOs, senior leaders, Chairs and Vice-Chairs of voluntary organisations in Scotland, we hold the unique position of being the only organisation of its kind in Scotland with members comprising of key decision and change makers in the sector. ACOSVO reach is vast, with members overseeing roughly 72,000 staff and volunteers, ranging from those who lead smaller, community-based organisations to those who head up some of the largest charities in the country.

So in August 2021, we partnered with CyberScotland and the Scottish Government to highlight to voluntary sector leaders the importance of protecting sensitive data and ensuring cyber security is on their agenda. Using the straplines “Be Better Informed” and “Not If But When” we launched a new cyber resilience survey, promoted key findings via an infographic, delivered a number of cyber events and produced a user-friendly resource.

Cyber security is an ever-increasing global issue and has been for many years. Add in two years of many working from home due to the recent COVID-19 pandemic and new hybrid working models now being implemented, many of us are accessing potentially sensitive data from personal computers. This carries an increased online risk to malicious attacks seeking to expose, manipulate and exploit organisations and individuals’ confidential data. The importance of organisations becoming more cyber resilient has never been more pertinent.

Working closely with CyberScotland and Scottish Business Resilience Centre, through our regular member & external stakeholder e-bulletins and strong social media presence, we have raised awareness of numerous cyber events, workshops and training sessions and promoted our survey findings and further support resources.

We have been delighted to learn that there has been an increase in people seeing cyber security as a high priority for their organisation, and an increased appetite to gain Cyber Essentials Accreditation. However, it’s also been concerning to learn that many have still not assessed cyber risks to their organisation, are not confident collecting & managing data, or confident that their data is held securely and used appropriately. Alarmingly, our survey also reported that 56% don’t have an incident response & recovery plan, 50% don’t have an up-to-date incident security policy and 43% didn’t know how to report a cybercrime or ask for assistance.

When we consider this against 68% having received fraudulent emails or been directed to fraudulent websites and 32% reporting that people impersonated their organisation in emails/online, it’s critical that ACOSVO helps the voluntary sector “Be Better Informed”. 10% of our members have already experienced attacks that tried to take down their website/online services and 8% have had money stolen in the last 12 months. These statistic are worrisome at best as according to Jordan M. Schroeder, Managing Chief Information Security Officer for Barrier Networks “modern cyber-attacks are professionalised. You are an opportunistic target, you can’t predict what or when it’s going to happen".

It's time to act now, before more voluntary sector organisations are hit by malicious cyber-attacks! ACOSVO user-friendly cyber resource “Not If But When” guides you along your cyber resilience journey, introducing a checklist (prioritised into high, medium, low) which your organisation can take to achieve maximum cyber protection. By working through this, you will minimise the impact of future cyber-attacks on your organisation and best protect all your stakeholders.

Increased cyber security is a necessity for the sector to survive and thrive both in the immediate period of covid recovery and for the future sustainability of the sector as a whole. We hope the legacy from ACOSVO’s eight month cyber resilience project, (ending 31 March 2022), will start to be evident over the coming months and year demonstrated by improved cyber understanding and resilience across Scotland’s voluntary sector.

Remember “no-one becomes an expert at this overnight. The only way forward is to identify, plan, test – repeat”!

Access the cyber resource here.