The Charity Commission recently revealed that charities have reported being victims of fraud or cybercrime 645 times, resulting in £3.6 million total losses since the UK went into lockdown in March. However, due to cybercrime being unreported, the total loss is thought to be significantly higher.
More concerning are the findings of a recent survey by Ecclesiastical Insurance, which reported that just half (52%) of the 200 charities they surveyed have a cyber security plan in place.
Charities by their nature tend to be very trusting and don’t always realise the value of the personal data they hold. With more and more charitable donations being made online, charities hold a significant amount of personal information including people’s bank accounts and card details. No matter how small or large the charity, they will hold data a cyber-criminal wants to steal.
We know there have been incidents of charities in the South East region being targeted, so having a cyber security plan in place is absolutely essential. Whilst the initial cost of a successful cyber-attack can be high, the long-term impact on loss of confidence from supporters of a charity can be devastating.
A recent high-profile case which hit the media affected charities including the mental health group Young Minds, terminal illness charity Sue Ryder, Breast Cancer Now, Crisis and The National Trust.
The breach came via a service provider, Blackbaud, which provides the charities with a service used to raise donations from millions of people. It's feared bank account information and users' passwords were stolen by hackers.
This shows that as well as attacking individual charities, cyber criminals also target organisations that supply charities with various services. When deciding on what services need to be bought in, the cyber security of the supply chain is just as important as that of the charity itself.
Smaller charities in particular rely heavily on volunteer support, and often those volunteers will have access to the charity's systems and files via various digital devices such as their own laptops and mobile phones. A charity may have the best cyber defences money can buy, but it only takes one volunteer or employee to click a link in a suspicious email and the cyber-criminal is in.
Glen Hymers, SECRC Board Member and Global CISO & Head of Data Protection for Save the Children International said: “Getting the basics right is important in the fight against cyber-crime and cyber-attacks. The South East Cyber Resilience Centre is a key helper in this space, acting as a trusted friend and advisor to those organisations who may not necessarily have the skills or the money to ensure that their organisations are as secure as they need to be.
“The SECRC is here to help local charities improve their cyber resilience; any charity in the South East with less than 50 employees can sign up for the free core membership. This provides access to tools and guidance which can help them identify where they might be vulnerable and how they can take simple steps to minimise those risks. This in turn will help the organisation mature and will help protect against other types of attacks which will financially affect the organisation.
“Awareness training of staff and volunteers is a key tool in any organisation's armoury; if staff and volunteers are aware of the potential threats out there then they are better placed to identify and subsequently fend off bogus emails or other types of attacks they may face.”
Charities can also work with one of the centre's Trusted Partners to achieve Cyber Essentials or Cyber Essentials Plus certification. Cyber Essentials is a simple but effective, Government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber-attacks. It is also something to consider when appointing suppliers.
Our Head of Cyber Innovation, Chris White, suggests taking the following steps to help your charity start to improve its cyber resilience:
· Sign up for our free core membership
· Get your charity Cyber Essentials certified
· Make sure you have a cyber security plan in place
· Provide cyber security training/guidance to all staff and volunteers
· Make sure all your software is up to date and patched
· Download the Small Charity Guide from the National Cyber Security Centre
As well as membership packages, the SECRC also offers a range of cyber security services including Security Awareness Training, designed for those with little or no cyber security or technical knowledge. The training can be delivered to small groups of charity employees and volunteers and will give them the knowledge and confidence to challenge when something doesn’t look right.
Sign up for a free core membership today and one of our team will contact you to see how you got on with the tools and guidance provided and see what, if any, additional help you might need.