Skip to content
  • Alison Stone, Third Sector Cyber Resilience Co-ordinator shares why those in the charity or voluntary sector should invest time in their cyber resilience.
Alison Stone

Now, it is a little too early for talking about “making a list and checking it twice…” but what about checking your incident response plan?  It’s never too early for that! 

When we cyber-folk talk to people, we state that every organisation should take a “when, not if” attitude towards being the victim of a cyber-attack.  Having a proactive attitude to incident response planning may be the difference between recovery and failure of your charity or voluntary sector organisation, so, where do you begin?  

Fortunately, help is at hand.  Colleagues at the CyberScotland Partnership have just collated the MOST EXCELLENT Incident Response planning pack, which covers the main steps towards cyber resilience and helps you prepare your response in a structured and managed way.

This pack includes an introduction to IR planning, a prepare your business checklist and an emergency contact list template, as well as really helpful advice on reputation management and legal responsibilities during an incident.  I can’t think of a better place to start than with this resource – it is more straightforward and logical than people think. 

Planning for the worst

After you have complied your IR plan and shared it within your charity, a fantastic idea is to test the plan you have drawn up.  Again, help is at hand from the Scottish Business Resilience Centre (SBRC) who provides facilitated sessions of the NCSC’s Exercise in a Box toolkit

Exercise in a Box is an online tool that helps organisations test and practice their response to a cyber-attack.  There are a number of different scenarios, including home working and digital supply chain and each scenario features a set of probing questions to help you understand if what you have in place is enough, and what else you could be thinking of implementing to strengthen your defenses 

There is so much value to be had by attending one of these sessions and you can book on with your incident management team and work through the facilitated process with the SBRC Ethical Hackers as a group.  That way you can share your understanding of the plans with colleagues and iron out any hiccups before you need to deploy your plan. 

There is a special Exercise in a Box session for third sector organisations being hosted by SBRC on Wednesday 6th October.  

These sessions are excellent for exploring the assumptions you have made within your plan. Better still, there is a follow up call with the incredibly knowledgeable ethical hacking team to see how they can further support you in your cyber journey.  

Already over 40 third sector organisations have undertaken Exercise in a Box with the support of the SBRC… it is a great experience and a brilliant way to identify gaps in your plan. Do yourself a favour and book a space today!