Cyber security doesn’t happen in a vacuum. You can’t simply install some anti-virus software, switch on multi-factor authentication, and pat yourself on the back. Job done!
Unfortunately, it’s not that easy. Threat actors will look for other ways to infiltrate your systems and reach your data, and many of those routes (a fraudulent invoice, a stranger walking through the office, an ex-contractor who still knows too much) fall outside the direct remit of your IT services.
The following controls and supports are recommended to sit alongside your overarching governance controls and are important when considering all potential threats and risks.
(Further reading: Best-practice cyber security governance)
Invoice fraud controls
Invoice fraud is a common scam targeted at organisations, including NFPs. It occurs when a threat actor attempts to have an employee pay a fake invoice, or to change the bank account details on a real invoice so that payment is redirected to the threat actor’s account. The request often arrives by email and may appear to come from a genuine supplier, or from a senior person within your own organisation. It is crucial that NFPs recognise this risk and implement a policy that addresses these scenarios and defines procedures for employees to follow to help avoid these scams.
These procedures must include, but are not limited to:
- verification procedures to validate invoices against services rendered, work completed and existing supplier or vendor records
- dual or independent verification for any change to supplier bank account details, confirmed with the supplier using contact details your organisation already holds (for example, a phone number from your existing supplier record), never the contact details supplied in the email or invoice requesting the change
- dual sign-off authorisation for transactions exceeding a defined monetary threshold (e.g. $5,000), with the same rule applied to urgent or “confidential” requests from executives, which are a common pretext in these scams.
Although invoice processes are financial in nature, much invoice fraud is enabled through a cyber compromise, typically a supplier’s or employee’s email account being taken over or convincingly spoofed (often called business email compromise). This is why information security governance controls, such as multi-factor authentication on email and staff awareness training, are critical alongside the financial procedures above.
TEMPLATE: From Institute of Community Directors (External): Fraud Risk Management Policy
Visitor register
Organisations should aim to implement a register (written or digital) that all visitors and contractors are required to complete. A visitor register supports the protection of sensitive information by reinforcing physical access controls: it makes it harder for unauthorised individuals to enter a work office or site unnoticed, and it provides a record of who was on the premises, and when, should an incident need to be investigated.
Ideally, before they enter any “staff only” or restricted areas of the organisation, the register should record the following:
- full name
- organisation name
- contact details
- name of the staff member hosting or being visited
- signature
- check-in date and time
- check-out date and time (recorded at sign-out).
A visitor or contractor badge should be assigned to the person once they have signed in, which they will be required to wear visibly while on your premises and return upon sign-out.
Confidentiality agreements
Confidentiality agreements are essential for protecting sensitive information and organisation details by controlling how and to whom that information may be disclosed. NFPs should implement a process to ensure all employees, contractors and third parties are bound by confidentiality obligations before they are granted access to organisational data or systems. This may be achieved by requiring individuals to read and sign a confidentiality agreement, or by verifying that existing contracts with third-party suppliers contain adequate confidentiality clauses.
Don’t have access to legal advice? Justice Connect provides free or affordable legal support for not-for-profits.
TEMPLATE: From Institute of Community Directors (External): Confidentiality Policy
Take a holistic approach to your cyber security
These documents help you set out the requirements and controls your organisation should have in place to protect its information and data from malicious cyber security-related threats, including those that arrive through finance, the front door or a third party rather than through your IT systems.
Collectively, along with an information security policy, these additional security supports provide a strong foundation for the protection of your organisation’s information and operations.
Further Reading
If you haven’t already, be sure to check out our DIY Information Security Policy Template and take the necessary steps to protect your organisation from malicious activity.
The supports above are by no means an exhaustive list, and there are further policies and supports that could be implemented to help strengthen your cyber security. Check out the following to learn more.