Why charities should focus on cyber resilience

According to the Cyber Security Breaches survey 2024, conducted by the Department for Science, Innovation, and Technology, 32% of charities faced a cyber attack or security breach in the last 12 months.

 

The most common cause of cyber breaches at charities was due to phishing, however there are different types of cyber attacks.

 

Phishing is when individuals are tricked into sharing sensitive information, such as passwords, personal information or bank account details. It’s usually done through email or text messages, where it appears to come from a legitimate source – such as a bank, a colleague or the CEO. Unfortunately, these types of attacks are on the rise, and charities are no exception.

 

A resilient organisation is one that prepares for the inevitable. While cyber security is essential, charities need to start investing in what to do if a cyber attack happens.

 

This means creating robust response and recovery plans, having processes in place, and simulating an attack to test and practice your plans.

 

Prevention is key but so is preparation.

 

 

What is cyber resilience?

 

Cyber resilience is an organisation’s ability to prepare, respond and recover from a cyber attack – all while making sure that critical operations are maintained. You can have the best cyber security in the world but you’re still vulnerable to attack.

 

Cyber resilience is about moving beyond prevention and focusing on preparing for an attack, having a plan of action in place to minimise disruption, and getting back to ‘business as usual’ as quickly as possible.

 

 

How to ensure your charity is cyber resilient

 

Here are a few things that your charity can do to help you protect, plan, and recover from a cyber attack. By following these recommendations, you can ensure that your organisation is cyber resilient.

 

 

Cyber security is everyone’s responsibility

 

It’s vital that everyone understands their role in helping to keep the organisation safe from security breaches and cyber attacks. This means regularly changing passwords, ensuring passwords are strong, recognising phishing emails, locking laptops or computers when you step away from your screen, not clicking on suspicious links, using an authenticator app to log on to systems, and more. 

 

There are a number of ways to promote cyber security within your organisation. You could provide regular training, send ‘phishing’ emails from a charity account to test people’s response, ensure that people use an authenticator app or two-factor authentication to log on to systems, and set up passwords to expire after three months so that they are being changed regularly.  

 

 

Don’t make security an afterthought

 

Move from a prevention mindset to a preparedness one.

 

This means designing operations with security and resilience from the start — not as an afterthought. It means not only being able to detect a cyber breach but knowing how to respond and recover when one happens.

 

 

Harness the power of AI

 

Because AI can analyse vast amounts of data in real-time, it can be used to detect unusual patterns which could indicate a potential cyber attack.

 

AI can also be used to automate routine security tasks, predict potential future attacks by analysing historical data, scan emails for signs of phishing, and more.

 

 

Simulate an attack and practice your response

 

Try to conduct regular drills or simulations that test how individuals and the organisation responds to an attack. This helps everyone to understand the role they play and to know what they need to do so that if there is a cyber attack so they can act quickly and efficiently.

 

Through regular practice, you can also stress-test your processes and adapt them if necessary.

 

 

Keep connected

 

Effective communication during a crisis is crucial so that everyone is aware of what is happening and what action they need to take. Regularly review and update your communication plans in case of a cyber attack. Make sure there is a way to communicate even if systems are disrupted.