
Reviewing IT and cyber security arrangements

Published: 07/03/2022
Updated: 07/03/2022

Charity trustees should always be aware of their charity’s IT security arrangements, and cyber security should be reviewed on a regular basis.

While there has been no specific threat to UK organisations identified as a result of Russia’s invasion of Ukraine, the National Cyber Security Centre (NCSC) notes that there is a historical pattern of cyber attacks on Ukraine (in other words, attacks on Ukrainian IT systems) with international consequences.

As such, the NCSC considers the current cyber threat to be heightened and advises all charities to review their cyber security arrangements.

The NCSC has provided a thorough list of actions all charities should undertake along with advanced actions for larger organisations.

These include, but are not limited to:

  • Check your system is fully updated – ensure systems, including third-party software, have been updated with the most recent patches and turn on automatic updates if possible.
  • Check passwords and accounts – ensure passwords are ‘strong’ and unique to business systems and not shared with personal devices. Furthermore, review all accounts and remove any that are old, unused or unrecognised.
  • Ensure defences are working – ensure antivirus software is installed and active on all systems.
  • Review your backups – confirm that backups are running correctly and that an offline version of a backup exists that is recent enough to be useful in case of complete data loss.
  • Response to phishing emails – ensure that staff know how to report phishing emails and that you have a process in place to deal with any reported phishing emails.
  • Third-party access – if third-party organisations (for example, an IT support company) have access to your IT systems, ensure you have a comprehensive understanding of what level of access they have. Furthermore, remove any third-party access that is no longer required.

As noted above, this is a selected list of actions trustees should be undertaking and OSCR would strongly recommend you visit the NCSC site for the full list of actions.