We explore steps that charities can take to mitigate the risks posed to them by cyber threats
Around one in eight charities (12%) in the UK have experienced cyber crime in the last 12 months, according to research from the Charity Commission.
The shift towards digital ways of working, accelerated by the pandemic, only widens the attack surface: more than half of charities hold electronic records on the people they serve, which makes them an attractive target for cyber criminals.
Cyber criminals care less about which organisation they attack than about the data and money they can reach through it. Charities are exposed because they hold a great deal of personal data but are more likely to have limited resources to protect it.
Research from Charity Digital found that 11% of charities relied solely on antivirus to protect themselves from cyber threats, while 52% of organisations lacked clarity on what good cyber security looked like and what products they actually needed.
As the Charity Commission notes: “A greater digital footprint increases a charity’s vulnerability.” Cyber attacks, most commonly phishing and impersonation, can disrupt fundraising and finances and even stop services reaching the people who depend on them.
There are actions that charities can take now to prevent cyber attacks, respond to them more quickly, and mitigate the risks they pose. Below we’ve listed some of the most cost-effective ways that charities can become cyber secure, with help from the National Cyber Security Centre (NCSC).
Your staff and volunteers are your best defence against cyber attacks. Training them to recognise potential threats is a cost-effective way of reducing risk, because it lowers the chance that anyone clicks a malicious link or acts on a fraudulent request.
The NCSC has a wealth of training resources available to charities, including guidance on how to back up data, how to keep devices secure, and how to protect your organisation against malware and phishing. The increased awareness across your charity can lead to more people identifying threats and demonstrate that the organisation is taking cyber security seriously across all departments.
Cyber security training can also have a beneficial effect on staff wellbeing as it gives them greater control and confidence to be able to prevent cyber attacks and, as a result, reduces stress levels. Employees should feel empowered to ask for help if they think that they might have been a victim of phishing, especially if they’ve not raised it before.
A culture in which people are not afraid to report mistakes keeps your organisation safe just as much as any antivirus software does, and it lets you act as soon as a successful attack is suspected, when containing it is easiest.
As well as flagging suspected phishing internally, charities should encourage employees and volunteers to report it to the NCSC. Suspicious emails can be forwarded free of charge to report@phishing.gov.uk. The NCSC investigates and works to take down fraudulent email addresses and websites, protecting you and others from cyber crime.
Looking after your cyber security doesn’t have to be expensive. It will always need time regularly dedicated to reviewing it but there are many tools available to charities that can help them on a budget.
The NCSC, for example, offers several free cyber security tools that charities can use. Charities can help prevent their email domain being spoofed with Mail Check. Mail Check reports how secure a domain’s email configuration is and how to improve and maintain it, guiding organisations through the ‘anti-spoofing controls’ that stop criminals sending emails that appear to come from the charity, and it explains anti-spoofing to users along the way.
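The ‘anti-spoofing controls’ Mail Check assesses are published in DNS: SPF, which lists the servers allowed to send mail for your domain, and DMARC, which tells receiving servers what to do with mail that fails those checks (DKIM signing is the third control and is verified on each message rather than from DNS alone). The Python below is an added example, not code from the original article or from Mail Check itself. It grades a domain’s SPF and DMARC records the way a receiving mail server interprets them, flagging the weak settings (`~all`, `+all`, `p=none`, a missing `rua=` address, too many DNS lookups) beside the hardened ones. The sample records are constructed for a fictitious charity domain; to check your own, paste in the TXT values returned by `dig TXT yourcharity.org.uk` and `dig TXT _dmarc.yourcharity.org.uk`.

```python
"""Grade a domain's SPF and DMARC records for anti-spoofing strength.

Added example, not part of the original article or of NCSC Mail Check.
The sample records at the bottom are constructed for a fictitious domain.
"""
from dataclasses import dataclass

LEVELS = {"ok": 0, "warn": 1, "fail": 2}

# Mechanisms/modifiers that each cost one of the 10 DNS lookups SPF permits (RFC 7208).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class Finding:
    level: str      # "ok", "warn" or "fail"
    message: str


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' list as used in DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(apex_txt: list) -> list:
    """Grade the SPF record among the TXT records published at the domain apex."""
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("fail", "no SPF record: any host can claim to send for this domain")]
    if len(spf) > 1:
        return [Finding("fail", "more than one SPF record: receivers treat this as a permanent error")]
    terms = spf[0].split()[1:]
    findings = []
    # The final 'all' term decides what happens to hosts you have not listed.
    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all"):
        findings.append(Finding("fail", "'+all' authorises every host on the internet"))
    elif last == "?all":
        findings.append(Finding("warn", "'?all' is neutral: spoofed mail is neither passed nor failed"))
    elif last == "~all":
        findings.append(Finding("warn", "'~all' only soft-fails spoofed mail; '-all' is the stronger setting"))
    elif last == "-all":
        findings.append(Finding("ok", "'-all' fails mail from hosts you have not listed"))
    else:
        findings.append(Finding("warn", "no 'all' term: unlisted hosts are treated as neutral"))
    # Count the terms that cost a DNS lookup; more than 10 makes the whole record unusable.
    lookups = 0
    for term in terms:
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(Finding("fail", f"{lookups} DNS lookups: SPF allows at most 10, receivers return permerror"))
    return findings


def check_dmarc(dmarc_txt: list) -> list:
    """Grade the DMARC record published at _dmarc.<domain>."""
    dmarc = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [Finding("fail", "no DMARC record: receivers have no policy for mail that fails SPF/DKIM")]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "reject":
        findings.append(Finding("ok", "p=reject: spoofed mail is refused"))
    elif policy == "quarantine":
        findings.append(Finding("warn", "p=quarantine: spoofed mail lands in spam rather than being refused"))
    elif policy == "none":
        findings.append(Finding("warn", "p=none: monitoring only, spoofed mail is still delivered"))
    else:
        findings.append(Finding("fail", "missing or invalid p= tag: receivers ignore the record"))
    if tags.get("pct", "100") != "100":
        findings.append(Finding("warn", f"pct={tags['pct']}: policy applies to only part of the mail stream"))
    if "rua" not in tags:
        findings.append(Finding("warn", "no rua= address: you get no aggregate reports on who sends as you"))
    return findings


def overall(findings: list) -> str:
    """Worst level across a set of findings."""
    return max((f.level for f in findings), key=LEVELS.get, default="ok")


def grade_domain(apex_txt: list, dmarc_txt: list) -> str:
    return overall(check_spf(apex_txt) + check_dmarc(dmarc_txt))


# Constructed sample records for a fictitious charity domain (not real DNS data).
WEAK_APEX = ["v=spf1 include:spf.mailer.example ~all", "site-verification=abc123"]
WEAK_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@charity.example"]
HARDENED_APEX = ["v=spf1 include:spf.mailer.example -all", "site-verification=abc123"]
HARDENED_DMARC = ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@charity.example"]

if __name__ == "__main__":
    for label, apex, dmarc in (("weak", WEAK_APEX, WEAK_DMARC), ("hardened", HARDENED_APEX, HARDENED_DMARC)):
        print(f"{label}: {grade_domain(apex, dmarc)}")
        for f in check_spf(apex) + check_dmarc(dmarc):
            print(f"  [{f.level}] {f.message}")
```

Moving from the weak to the hardened set is the usual path: start at `p=none` with a `rua=` address so you can see who is sending as your domain, fix any legitimate senders missing from SPF, then tighten to `-all` and `p=reject`.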
There are also the NCSC’s Web Check and Early Warning services. Web Check scans a charity’s public website for vulnerabilities and misconfigurations that criminals could exploit to reach its systems and data, tells you which findings matter and explains how to fix them.
Early Warning alerts charities to threats that could affect them and their operations. It draws on the threat data the NCSC monitors every day and, using the IP addresses and domain names an organisation provides, filters out those relevant to that organisation and notifies it of the potential threat.
You can also look to the Charity Digital Exchange for discounts on your cyber security software. The dedicated customer service team can help you implement your chosen solution, for those charities who need a little more support with their cyber security.
Charities can also make use of the NCSC’s free package of exercising tools, Exercise in a Box. Exercise in a Box helps charities run through their actions in the event of a cyber breach in a safe environment, allowing them to be prepared for such an eventuality without compromising their operations.
Some exercises in the package are discussion-based, while others include technical elements, ranging from micro-exercises that take 15 minutes through to full cyber attack simulations. By taking a small group of key staff through structured scenarios and questions on a specific area of cyber security, you can identify the risks your organisation is currently exposed to and what to do about them.
Organisations can also seek certification under the Cyber Essentials scheme to confirm that their basic cyber security controls are appropriate and up to date. IASME works with the NCSC to deliver the scheme and offers a Cyber Essentials Readiness Tool that helps organisations find out whether they have the five key controls in place.
The Readiness Tool highlights where a charity can improve and, once all five controls are in place, the charity can apply for certification, which shows its supporters and partners that these basic protections are in place.
Certification also prompts organisations to take regular stock of those controls, since it has to be renewed every year.
Keeping training and guidance current is also advised wherever possible. Tell your audiences, including your service users, what they can expect to hear from you and what a genuine message would and would not include.
Share this guidance regularly, including at the top of your emails, if possible and appropriate. Many organisations, such as banks, already do this, explaining that they will never ask for any details via phone or email.
Most of all, remember that cyber security is an ongoing task, not a one-off. Fraudulent emails can arrive at any time, and attackers readily tie their lures to current events, as they did during the pandemic.
Actions charities take to regularly address cyber security may look different depending on the size of the organisation.
Leadership can take action by adding cyber security to meeting agendas and to risk management processes. Some charities might find it helpful to set up a working group that meets regularly to discuss how to improve cyber security processes, or simply to set monthly calendar reminders to check that software updates have been applied and known vulnerabilities patched.
For more information on how to keep your charity protected, see the NCSC’s website and its free tools for charities.