Why Cybersecurity and Data Protection are Critical for SUs

Tuesday 14-11-2023 - 11:26
Cyber security

Students’ Unions are increasingly digitised, relying on online platforms and data-driven operations to engage students, provide services, and fulfill their charitable objectives. This digital transformation brings enormous opportunities, but also significant risks if cybersecurity and data protection are not priority areas. As custodians of student data, and with financial and reputational assets to protect, SUs must take a proactive, holistic approach to security and compliance.

The scale of the cybersecurity challenge facing SUs is daunting. Phishing, malware, ransomware, DDoS attacks, and more threaten unions daily. Data breaches are on the rise; over 600 were reported in the UK last year alone. The impact of an incident can be severe - diversion of resources, loss of student trust and reputation, regulatory fines, and disruption of activities advancing the union's charitable aims. Many wrongly perceive cybercrime as only a risk for large corporations and government. However, as registered charities holding valuable data, SUs are prime targets, regardless of size.

Robust cybersecurity and data protection must now be central to good governance and risk management for every SU.

Promoting cybersecurity and data protection foundations across the organisation empowers SUs to avoid regulatory penalties, protect reputations and assure students that their data is safe. It ensures resources stay focused on delivering the union's charitable objectives.

Trustees have a key governance role to play in ensuring cyber risk and data protection are being appropriately managed, just as they would do for any reputational, operational or compliance risk area. They must invest adequately in security and compliance, proportional to the union's data assets and risks.

By proactively embracing cybersecurity, student unions can thrive safely in our digital world. The objective is not to react once a breach has occurred, but to implement a security culture and controls to prevent incidents undermining an SU’s vital charitable work. Cybersecurity and data protection are fundamental strategic issues and should be treated as such by trustees and senior managers.

NUS Charity has a range of data protection / GDPR resources that can help you with this work.

Information and Communications Systems Policy: This resource has been written in conjunction with DAC Beachcroft, specialists in employment law. It is designed to be used as an example for students’ unions who can choose to adopt the resource in full or take relevant clauses to insert into your existing HR documents.

NUS data protection guidance March 2017: This guidance has been developed by NUS Charity and Bates Wells for use by students’ unions.

Supplementary Note of Advice on Student Unions and the General Data Protection Regulation

Legal Guidance: Data Sharing and Data Protection: Bates Wells & NUS Charity guidance on Data Protection and Data Sharing with your institution

Data Sharing Template Letter: A template to adapt and send to institutions who are currently not sharing basic or demographic data with their SUs.

We also have a workplace group to aid SUs' discussions on this topic.

NUS Students' Union data protection and Cyber Security Workplace Group

In addition to the resources above we recommend accessing the organisations below which have a range of resources that can support you.

Charity Digital

Charity Digital provides content and events to support non-profits in utilising digital tools, aiming to maximise the impact of the sector. By promoting digital capabilities, Charity Digital enables organisations to operate more efficiently, reach wider audiences, improve service delivery and unlock the full potential of digital. Their objective is to keep non-profits informed on key issues, inspire confidence in using technology, and connect charities to expertise that can further their missions. Overall, Charity Digital strives to empower the non-profit sector to harness digital platforms for greater good.

Charity Digital publishes free daily articles, fortnightly podcasts, fortnightly webinars, regular videos, as well as running regular events.  

The National Cyber Security Centre (NCSC)

The NCSC supports the most critical organisations in the UK, the public sector, industry, SMEs, charities, and the general public. When incidents do occur, the NCSC provides an effective incident response to minimise harm to the UK, help with recovery, and learn lessons for the future.

The NCSC has plenty of tools. First, you can use the Web Check, which was developed by the NCSC to check for vulnerabilities on your website. Organisations can put URLs into the tool, and it will check for myriad issues, such as whether your server software is up-to-date and patched, whether any links to third party sites are secure, and whether there are any issues with a server’s certificate chain. 

The Mail Check tool helps you to understand the security of your email configuration. The tool covers two areas of email security: anti-spoofing and email privacy. It protects your systems with ‘anti-spoofing controls’ so criminals can’t send emails pretending to come from your charity. The tool teaches you about anti-spoofing controls and helps you identify and fix email sending systems so they can be trusted, while ensuring that legitimate emails are delivered.

The Early Warning tool is designed to give organisations a heads-up that there might be a problem with their cyber security that needs addressing. The tool filters millions of events every day and if it links any potential threats to an organisation’s IP address and domain names, it notifies them so issues can be investigated and mitigated. Essentially, Early Warning matches data from its information feeds to data given by the potential victim organisation and helps them prevent a breach before it starts. 

The Small Charity Guide advises on how to improve cyber security within your charity - quickly, easily and at low cost.

Cyber Security Toolkit for Boards. Resources designed to help board members govern cyber risk more effectively.

There are plenty of other products and services on the NCSC site, along with advice and guidance, opportunities to educate and improve cyber skills, and information on the latest cyber developments.

The Information Commissioner's Office (ICO)

The Information Commissioner's Office (ICO) is the UK's independent data protection and privacy regulator. Operating under laws like the UK GDPR, the ICO oversees information rights, provides regulatory guidance, runs a public complaint service, and can impose major fines for breaches. As the key data regulator, the ICO is critical for UK students' unions to engage with. This is a key resource for data protection officers.

The ICO have recently produced new guidance to help organisations understand the law and good practice around protecting personal information when sending bulk emails.

National Council for Voluntary Organisations (NCVO)

As part of your NUS Charity membership, you have associate membership of NCVO or their sister organisations in Northern Ireland (NICVA), Scotland (SCVO) and Wales (WCVA) if your institution is based there. They exist to champion voluntary action and civil society. They provide support and advice and keep members up to date with relevant news and activities. They also represent members by upholding the sector’s independence, influencing the regulatory and financial environment and supporting the role of charities in public services.

NCVO resources on data protection and cybersecurity

National membership body for voluntary organisations in Wales (WCVA): Why your organisation should care about cybercrime

Scottish Council for Voluntary Organisations (SCVO), the membership organisation for Scotland's charities, voluntary organisations, and social enterprises: Cyber Security - working safely and securely

Northern Ireland Council for Voluntary Action (NICVA): The basics of cyber security

If you have any questions or feedback on this topic, please post on NUS Students' Union data protection and Cyber Security Workplace Group or email uniondevelopment@nus.org.uk
