Key issues in data management and cyber security for heritage sector organisations
1. The importance of data management and cyber security
Data management
Even for smaller organisations, data is increasingly seen as an important asset. Having a focussed organisation-wide approach to data management can lead to continual improvements to the quality of data being captured and stored. It also:
- creates new opportunities for income generation
- enables more effective marketing and with that, higher levels of stakeholder awareness and engagement
- brings new insights into your organisation’s performance, effectiveness and impact, driven by good quality data
- demonstrates that your organisation takes the handling of data about your supporters, volunteers, staff and other stakeholders seriously
- protects the reputation, goodwill and brand-value of your organisation
- ensures adherence to all applicable data laws and other related compliance matters (e.g. Data Protection Act/UK GDPR, PECR and PCI-DSS).
Creating a data management plan will provide your organisation with clear direction as you work to maximise the benefits of good data management.
Cyber security
Cyber threats are a real and present danger and come in many guises. The sophistication, volume and sources of cyber threats such as malware, phishing, denial of service, and password forced access are only increasing.
Having an understanding of some of the common threats is an important first step in improving your cyber security.
- Malware – software which is designed to damage, disrupt or gain access to a computer system.
- Phishing – the practice of sending fraudulent emails designed to persuade the receiver to divulge personal information.
- Denial of service – an attack designed to shut down a computer network through flooding the system with traffic or sending through information that triggers a crash.
- Password forced access – a form of hacking which uses trial and error to determine passwords, login credentials or encryption keys.
Having strong cyber defences will protect your organisation from:
- unauthorised access, loss, transfer or deletion of data
- unauthorised sharing and publication of data online
- financial loss through fraudulent payments, ransom demands and potentially severe fines for breaches of data law
- operational disruption caused by a cyber security incident
- attacks on its reputation, goodwill and income.
Strong cyber defences will also help your organisation adhere to all applicable data laws and other related compliance matters (e.g., Data Protection Act/UK GDPR, PECR and PCI-DSS).
2. Key issues
Our expert, Craig Humphries, senior consultant at Lightful, takes you through key issues organisations can encounter on the journey to improving data management and cyber security. He suggests action you can take and provides some sources of further support.
Below are some of the key issues for organisations of all sizes:
- There can be confusion about who is accountable for the different aspects of data management and cyber security.
- Maintaining organisational compliance with Data Protection Act (2018), PECR and PCI DSS (where relevant) can be time consuming and requires ongoing focus and resource.
- Organisations may not have enough knowledge, experience or resources (both financial and time).
- It can be unclear which systems and devices are in use and where, which has been made more challenging by the rise in remote working.
- There may be confusion about what data is being captured (e.g. personal, financial, special category/sensitive, commercially sensitive, etc.).
- Organisations may not have a documented, tested and up-to-date data disaster recovery plan.
- Managing and making changes to end-user access to systems and data may not be robust and timely enough.
- With the rise in remote working, managing devices and security can be difficult. Implementing an MDM (Mobile Device Management) solution can help.
- Two-factor/multi-factor authentication may not be fully implemented.
- There may be difficulty keeping all devices and systems up to date with security updates and version upgrades.
- It is challenging to manage and protect your systems and data when staff and volunteers use their own electronic devices to receive emails or phone calls.
- It can be difficult to find ways for everyone to keep data and security at the front of their minds in order to help identify potential cyber security threats and to escalate quickly to reduce or remove any impact to the organisation.
3. Actions to take
Now you are aware of key issues in data management and cyber security, you can take action. Here are some steps to get moving in the right direction:
- Clarify accountability – who is responsible in your organisation for data management and cyber and system security? What help and support do they need?
- Check that your organisation is taking all required steps to comply with data protection laws.
- Make sure all staff and volunteers have regular, ideally annual, data protection and cyber security training and ad-hoc awareness communications.
- Visit the National Cyber Security Centre website to learn more about cyber risks and the support materials and advice available.
- Consider applying for the Cyber Essentials certification for your organisation.
- Review your systems to ensure two-factor or multi-factor authentication is enabled on all devices and systems where possible.
- Check whether your organisation has an up-to-date and tested disaster recovery plan.
- Create and roll out a data management plan.
Further sources of support
Below are some links to further reading and guidance we hope you will find helpful:
The Information Commissioner’s Office – Data Protection Act & PECR guidance
National Cyber Security Centre – Small/medium sized organisations cyber security guidance
National Cyber Security Centre – Cyber Essentials guidance
Please attribute as: "Key issues in data management and cyber security for heritage sector organisations (2022) by Craig Humphries supported by The National Lottery Heritage Fund, licensed under CC BY 4.0"