NCSC Offers Cybersecurity Guidance to Charities

The National Cyber Security Centre (NCSC) has released official guidance for charities to improve their cybersecurity and reduce the chances of a cyber attack.

There are 200,000 registered charities in the UK with an annual income of £100 billion. 

In 2022, 30% of charities in the UK identified a cyber attack in the last 12 months, with 38% of those attacks impacting on service, and 19% resulting in a negative outcome for the organisation. 

Only 24% of charities were found to have a formal cybersecurity strategy in place despite one in eight suffering a cyber attack in 2022. 

Lindy Cameron, CEO of NCSC, said: “More charities are now offering online services and fundraising online, meaning reliable, trusted digital services are more important than ever.

“During the Ukraine crisis, we saw more criminals taking advantage of the generosity of the public, masquerading as charities for their own financial gain.”

“Cyber attacks affecting services, funds or compromising sensitive data can be devastating financially and reputationally, potentially putting vulnerable people at risk.”

While charities face the same risks as the private sector, certain characteristics make them more vulnerable to cyber attacks. 

Because charities rely on volunteers and part-time workers, they have fewer staff familiar with cyber security procedures. It also increases their reliance on staff bringing their own devices, which are harder to secure.

As charities often deal with society’s most vulnerable, they are easy targets for cyber criminals seeking access to sensitive personal information. This valuable personal data makes ransomware attacks more effective.

Further, charities are often reluctant to invest money and staff in cybersecurity rather than in frontline work. Only 22% of charities have cyber security insurance as part of a wider insurance policy, with 5% having a specific cybersecurity insurance policy.

The lower a charity’s income, the less likely it is to invest in cyber security insurance.

This speaks to the overall reason charities are often in jeopardy of cyber attacks: they have limited funds, minimal insurance coverage, and are a last-resort service provider often dealing with sensitive cases and vulnerable people.

Charities face the same threats that businesses do, but often have fewer resources to mitigate risks.

Since charities are outward-facing organisations, they are more likely to face phishing scams or have donors tricked by fake websites impersonating real charities.

Business email compromise, a threat all businesses face, can especially hit charities, whose staff are usually untrained in cyber security protocols.

Ransomware is also a growing issue for charities and businesses alike – the Edinburgh Festival Fringe Society faced a ransomware attack in January 2022, and recovery from the attack reportedly cost the charity £95k. 

“Ransomware continues to be a successful cyber attack and although the extent of the harm is underreported by most victims, ransomware remains hugely profitable for individuals and group offenders and equally disruptive for victims.” – National Fraud Intelligence Bureau (NFIB) Action Fraud

The NCSC has provided guidance for small and large charities alike to improve their cybersecurity.

Staff training resources are available, and the NCSC encourages organisations to take the time to train part-time and volunteer workers as well as their normal staff.

Earlier this year, the NCSC also launched a programme offering free cybersecurity support to achieve Cyber Essentials certification. 

Helen Stephenson, Chief Executive of the Charity Commission for England and Wales, said: “All charities ultimately rely on public trust and continued public generosity. So the impact of any cyber attack on a charity can therefore be devastating, not just for the organisation and those who rely on its services, but also in undermining public confidence and support.

“Taking steps to stay secure online is not an optional extra for trustees, but a core part of good governance.”

Source: DIGIT