Cyber security challenges charities are facing in 2023

Cyber attacks, like charities, come in all shapes and sizes.  Cyber criminals use a variety of different tactics for a variety of different means, whether that’s accessing sensitive data, holding technology to ransom, or defrauding organisations of vital funds.  

 

With the combination of sensitive data records, funds, and limited cyber security resources to protect them, charities look like prime targets for cyber criminals. In October 2022, research from the Charity Commission revealed that one in eight charities had experienced a cyber attack in the previous 12 months. More generally, reports have suggested that cyber attacks in the UK grew by 38% on the previous year. 

 

With cyber attacks potentially affecting services, funds, or compromising data (including that of beneficiaries), it is crucial that charities of all sizes protect themselves against potential cyber attacks. 

 

To help them in this mission, the National Cyber Security Centre (NCSC) has created a charity-specific Threat Report for non-profit organisations looking to tackle their cyber security, explaining why cyber criminals might target charities and details about the main methods they use to do so.  

 

The Cyber Threat Report: UK Charity Sector also provides case studies of charities that have been hit with cyber attacks, demonstrating how disruptive and costly incidents can be.  

 

The report has been developed with charity boards and trustees in mind, emphasising the key cyber threats that charities face in 2023 and beyond. It reflects the ongoing threat to the sector as more charities turn to digital for delivering services, reaching donors, and much more.  

 

It is hoped that the report will empower charities to understand the cyber risks relevant to them and how to mitigate those risks in the future.  

 

“All charities ultimately rely on public trust and continued public generosity,” writes Helen Stephenson, Chief Executive of the Charity Commission for England and Wales. “So the impact of any cyber attack on a charity can therefore be devastating, not just for the organisation and those who rely on its services, but also in undermining public confidence and support. 

 

She adds: “Taking steps to stay secure online is not an optional extra for trustees, but a core part of good governance. We welcome this report and urge trustees to take early action to protect their charities from cyber harm.” 

 

Below, we outline three of the report’s key tips for improving your charity’s cyber security in 2023.  

  

 

Access free tools and resources 

 

The NCSC’s Small Charity Guide features advice on how to back up your data and keep your hardware, such as tablets and laptops, safe from cyber criminals. 

 

Charities looking to bolster their cyber security should consider using the NCSC’s Active Cyber Defence services, which can provide a range of automated protections, free of charge to charities.  

 

These services include Web Check, Mail Check, and Early Warning. Early Warning notifies organisations of malicious activity that has been detected in information feeds, allowing them to investigate potential cyber attacks on their network as soon as possible.  

 

Web Check and Mail Check show charities vulnerabilities in their websites and email configurations, while also offering helpful advice on how to plug those gaps.  

 

These services are free for charities and should be on the radar of the board. Trustees should work with their IT professionals to ensure they are employing all the tools available to protect the organisation online.  

 

 

Get cyber certified 

 

The NCSC works with our delivery partner IASME to provide the Cyber Essentials certification to charities who have implemented the five core controls necessary to prevent cyber attacks.  

 

The certification acts a little like an MOT for charities, assessing an organisation’s ability to protect themselves from the most common cyber threats, while reassuring their stakeholders that cyber security is taken seriously. 

 

There are myriad benefits to getting cyber certified with Cyber Essentials. Organisations in the UK that achieve the whole-organisation Cyber Essentials certification and have a turnover of less than £20 million are also eligible for free Cyber Liability Insurance (provided by IASME), which offers financial coverage should a cyber breach occur. 

 

Taking part in Cyber Essentials also demonstrates a meaningful commitment to cyber security and encourages organisations to regularly review their protocols every year in order to remain certified.  

 

Charities looking to get cyber certified can check the effectiveness of their current cyber security measures using the Cyber Essentials Readiness Tool, which provides users with an action plan to help them meet Cyber Essentials requirements.  

 

 

Educate yourself 

 

One of the most effective ways of looking after your cyber security is educating yourself and your team about the different tactics of cyber criminals.  

 

This could mean making use of free resources from the NCSC such as the Threat Report, taking on cyber security training courses, or simply sharing best practice guidance across the organisation so that everyone is aware of how to prevent or mitigate a cyber breach.  

 

The NCSC has a bank of information for small and medium size charities, including training for staff and volunteers, and guidance such as how to remove your brand from fake websites, how to develop a Bring Your Own Device policy, and how to mitigate the impacts of malware. 

 

Charities can visit the Charity Digital website, too, for lots of articles, webinars, and podcasts about cyber security, including an upcoming online session looking at how to implement cyber security measures on a budget (the session will also be recorded).    

 

Being able to spot a cyber threat can have a positive effect on staff wellbeing, giving them increased control over their security online and helping them to prevent cyber attacks. It can reduce stress levels and help more people identify threats, making the organisation far better prepared to prevent a breach. Simply put, it’s a win-win, all round.