Florence Nightingale Foundation

Demystifying Cybersecurity: Navigating Challenges in the Digital Realm

Gary Justice

Here is the next in our series of blogs talking about our Environmental, Social and Governance (ESG) statement, which we launched in 2023. In this blog, we hear from Gary Justice, FNF’s Governance and Quality and Assurance Manager, who talks about demystifying cybersecurity.

Cybersecurity can appear enigmatic to those outside the IT and information security realm due to complex jargon and an evolving threat landscape. This article aims to demystify cybersecurity challenges faced by FNF, highlighting decisions, actions taken, and our ongoing commitment to cybersecurity whilst providing key practical tips for charities. The key message is that cybersecurity is an ongoing journey requiring proactive measures and a continuous commitment to safeguarding digital assets. 

The Problem 

The first step in our cybersecurity journey was identifying the problem at hand. In an era dominated by interconnected systems, FNF faced the omnipresent challenge of safeguarding sensitive information from a myriad of cyber threats. From phishing attacks to ransomware, the digital landscape is a breeding ground for malicious activities. The realisation that cybersecurity was no longer an option but a necessity prompted us to take decisive action.

Why We Decided to Act 

We recognised that the consequences of a cybersecurity breach could be catastrophic – not just for our organisation but for the stakeholders entrusting us with their data. The decision to proactively address this issue stemmed from a commitment to protecting the integrity of our digital ecosystem. As custodians of sensitive information, we owed it to our stakeholders to create a robust defence against evolving cyber threats.  

What We Did 

To fortify our cybersecurity measures, we implemented comprehensive employee training to address human error vulnerabilities that can arise from phishing and social engineering attacks. We also deployed state-of-the-art cybersecurity tools, including advanced firewalls and intrusion detection systems, and developed a robust incident response plan for swift reaction to security breaches. Recognising the importance of baseline cybersecurity standards, we implemented Cyber Essentials and Cyber Essentials Plus, government-backed schemes providing clear guidelines and best practices to protect against common cyber threats. 

Learnings and Challenges 

Reflecting on our cybersecurity journey so far, we’ve gained valuable insights:

  • Cultivating a culture of cybersecurity awareness requires continuous communication, engaging training, and shared responsibility among stakeholders. 
  • Adaptable defence mechanisms are crucial for navigating dynamic cyber threats, alongside proactive threat intelligence gathering and incident response readiness. 
  • Ongoing training and education are vital for staying abreast of emerging threats, supplemented by effective third-party risk management. 
  • Embracing a cultural shift towards security integration, regular security audits, and assessments will further fortify our cybersecurity posture. 
  • Collaboration and information sharing within the cybersecurity community foster awareness and effective mitigation strategies, leading to a holistic approach to cybersecurity. 

Next Steps

Demystifying cybersecurity is not a one-time task but a continuous process. By understanding the problem, taking decisive action, implementing comprehensive measures, and constantly adapting, we navigate the digital realm with resilience. Our next steps involve continuous monitoring, regular updates to security protocols, and staying abreast of emerging threats. Cybersecurity is an ongoing process, and our commitment to safeguarding digital assets remains unwavering.  

Tips for Charities: 

Charities may have unique challenges in prioritising cybersecurity due to limited resources. Here are some practical tips:

  • Prioritise Critical Assets: Identify and allocate resources to protect critical digital assets. Design business continuity and disaster recovery plans for operational resilience. 
  • Adopt Cloud-Based Storage and Systems: Utilise cloud-based storage and systems for scalability, flexibility, and enhanced security. Ensure regular backups and integrity testing for data recovery. 
  • Engage with Regulatory Compliance: Familiarise yourself with industry regulations to benchmark cybersecurity practices and avoid legal repercussions.
  • Establish a Cybersecurity Policy: Create formal guidelines for staff covering internet usage, data handling, and incident response protocols. 
  • Set up a Threat Reporting System: Enable staff to report suspicious activities promptly for quick assessment and response.
  • Implement Secure Remote Access and Controls: Ensure secure methods for remote access with VPNs, encryption, and multi-factor authentication (MFA). Regularly review access privileges and introduce password managers for enhanced security. 
  • Provide Employee Training: Educate staff on cybersecurity risks, password security, and safe browsing habits. 
  • Conduct Regular Security Assessments: Assess cybersecurity posture through audits or penetration testing to identify weaknesses. 
  • Pursue Continuous Improvement: Evaluate and update policies, procedures, and technologies for ongoing enhancement based on incidents and industry developments. 
  • Stay informed, collaborate with experts and utilise free resources: Seek partnerships with organisations or professionals offering cybersecurity expertise pro bono to strengthen your defences. Stay informed about the latest cybersecurity threats and best practices, taking advantage of free resources such as the guidance from the National Centre for Cyber Security (NCSC) to enhance cybersecurity practices inexpensively.

You can read our full ESG statement, here.