The National Cyber Security Centre recently published its 2023 Cyber threat report for the UK charity sector. The report helps charities understand current cyber security threats, the extent to which the sector is affected and whether it is being targeted, and where charities can go for help.
In the UK, there are 200,000 registered charities that have a combined annual income of £100 bn. Over a million people in England and Wales are employed in the charity sector with over 5 million volunteers.
Charities in the UK range from large, internationally recognised organisations to small, local community ones. The range of activity by UK charities is diverse, benefitting many sections of society, both here and overseas.
In the last year, a government survey revealed that 30% of UK charities identified a cyber-attack in the last 12 months. Of those attacks, 38% had an impact on the service with 19% “resulting in a negative outcome”.
So, why is the charity sector particularly vulnerable to cyber-attacks?
The charity sector faces the same cyber risks as private sector and government organisations but there are some reasons why charities could be particularly vulnerable to cyber-attack:
Charities are attractive targets for many hostile actors seeking financial gain, access to sensitive or valuable information, or to disrupt charities’ activities
Charities may feel reluctant to spend resources, money, oversight and staff effort on enhancing cyber security rather than on front line charitable work
Charities are less likely than businesses to employ technical cyber security controls. (DCMS Cyber Security Breaches Survey 2022 4.4).
Charities have a high volume of staff who work part time, including volunteers, and so might have less capacity to absorb security procedures.
Charities are more likely to rely on staff using personal IT (Bring Your Own Device), which is less easy to secure and manage than centrally issued IT.
What are the main ways that cyber criminals attack charities?
‘Phishing’ is when criminals trick their victims using scam emails, text messages or phone calls. The aim is often to make you visit a website, which may download a virus onto your computer, or to steal bank details or other personal information.
Phishing is often untargeted, in the form of a mass email, text or cold calling campaign. However, an attacker may use more targeted information to make their messages more persuasive and realistic (sometimes known as ‘spear phishing’).
The outward facing nature of charities, culture of trust in the sector, reliance on volunteers, staff members using personal IT, and reluctance to spend limited funding on cyber security training and measures could make them particularly vulnerable to criminality.
Fake organisations and websites:
Criminals can exploit the credibility and appeal of charities to trick donors into giving money to what appears to be a legitimate charity, or they can set up fake charities or impersonate well-known charity names to add credibility in phishing campaigns.
Although not directly targeting charities by cyber means, this activity has potential financial and reputational ramifications for genuine charities.
Business Email Compromise (BEC):
This is a form of phishing attack where a criminal attempts to trick someone into transferring funds or revealing sensitive information. In BEC, a cyber criminal initially compromises a business email account through social engineering or computer intrusion techniques.
After using this access to check out the organisation, the criminal then pretends to be the account owner over email or phone conversations to redirect payments to fraudulent bank accounts. BEC actors can create auto-forwarding rules within email to decrease the victim’s ability to observe fraudulent communications.
This attack route took advantage of the shift to remote working during the pandemic, with staff working in isolation at home and their IT less able to be monitored for unusual activity.
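The auto-forwarding rules mentioned above are one of the few BEC traces a charity can check for itself. The following script is an added example (not from the NCSC report or the SECRC) that reviews a constructed set of mailbox inbox rules and flags the BEC hallmarks: forwarding to an outside domain, and, going slightly beyond the text, rules that delete mail or move it to rarely viewed folders. The record fields and the domain `example-charity.org` are assumptions, not any mail platform's real schema.

```python
# Added example: flag mailbox inbox rules with the hallmarks of BEC persistence.
# The records below are constructed to resemble mailbox-rule audit entries; the
# field names are an assumption, not any particular mail platform's schema.
from dataclasses import dataclass

INTERNAL_DOMAIN = "example-charity.org"  # assumed: the charity's own mail domain

# Folders a mailbox owner rarely opens; assumed list used as a heuristic.
QUIET_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email"}

@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: list      # addresses the rule forwards or redirects to
    move_to_folder: str   # destination folder, or "" if none
    delete: bool          # whether matching mail is deleted

# Constructed sample: one benign rule and two that match the BEC pattern.
SAMPLE_RULES = [
    InboxRule("finance@example-charity.org", "Newsletters", [], "Newsletters", False),
    InboxRule("finance@example-charity.org", ".", ["attacker@example.net"], "", False),
    InboxRule("ceo@example-charity.org", "Archive", [], "RSS Subscriptions", True),
]

def is_external(address: str) -> bool:
    """True when the address is outside the organisation's own domain."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN

def rule_findings(rule: InboxRule) -> list:
    """Return the suspicious traits of one rule (empty list if none)."""
    findings = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    if rule.delete:
        findings.append("deletes matching mail, hiding it from the mailbox owner")
    if rule.move_to_folder.lower() in QUIET_FOLDERS:
        findings.append(f"moves mail to rarely viewed folder '{rule.move_to_folder}'")
    if len(rule.name.strip()) <= 1:
        findings.append("near-empty rule name, often chosen to avoid notice")
    return findings

def review_rules(rules) -> dict:
    """Map mailbox -> {rule name: findings} for rules an analyst should look at."""
    report = {}
    for r in rules:
        if found := rule_findings(r):
            report.setdefault(r.mailbox, {})[r.name] = found
    return report

if __name__ == "__main__":
    for mailbox, rules in review_rules(SAMPLE_RULES).items():
        for name, found in rules.items():
            print(f"{mailbox}: rule '{name}' -> " + "; ".join(found))
```

Run against an export of real rules, the same checks give a short list of mailboxes to confirm with their owners rather than a bare rule dump.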
Ransomware is the most harmful cybercrime threat to the UK today. It is a type of malware that prevents you from accessing your device and the stored data, usually by encrypting your files.
A criminal group will then demand a ransom in exchange for decryption while threatening to delete or leak the data they have stolen.
The technique is now so evolved that criminal groups offer Ransomware as a Service (RaaS), whereby ransomware variants and commodity listings are available off the shelf for a one-off payment or a share of the profits.
How can I protect my organisation from cyber-attacks?
Keeping secure online should be a priority for every charity.
To help you keep on top of important security measures and keep your data out of the hands of hackers, we’ve developed this simple security checklist to help secure your data.
Download it here.
Fight back against cybercriminals with The Cyber Resilience Centre for the South East
The Cyber Resilience Centre for the South East works with businesses, small or large, to help reduce cyber-related risks and vulnerabilities and to enable companies to follow cyber best practices to avoid these incidents.
To help you guard your business against cyber-attacks in the way you would protect your premises against fire and flood, the SECRC offers a free membership package. Membership is hassle-free and doesn’t commit you to anything that you’ll later be charged for. There are options to upgrade your membership to utilise our cyber services, but these upgrades are not compulsory – the crux of the offer is free.
Businesses can find out more information about the centre at https://www.secrc.co.uk/. To keep updated with all the latest SECRC developments follow @SouthEastCRC on Twitter or on LinkedIn.