Over the last few years, charities have become increasingly reliant on IT and Technology and with this, charities are falling victim to the activities of cyber criminals than ever before.
Charities by their very nature hold funds, personal, financial and commercial data, all of which is of interest to cyber criminals. This is due to the monetary value that cyber criminals can charge for access to your data if stolen or make as profit if they steal the data and sell it onto other criminals.
In the UK, we know that some charities are aware their data is sensitive, valuable and vulnerable to attack. However, many charities particularly smaller ones, do not realise this and do not perceive themselves as targets.
Smaller charities may not consider it a priority to commit resources to cyber protection, perhaps in the belief that cyber security will be expensive and divert money away from frontline expenditure. Or maybe they do not fully understand the threat. Therefore, we have created a Frequently Asked Document (FAQ) blog to expose the most commonly asked questions on why charities should take cyber security seriously.
What is a ‘cyber risk?’ A cyber risk is the potential exposure to loss or harm stemming from an organization’s information or communications systems.
What is cyber security? Cybersecurity refers to the protection of hardware, software, and data from attackers. The primary purpose of cyber security is to protect against cyberattacks like accessing, changing, or destroying sensitive information.
I'm a smaller charity, do we really have to worry about hackers?
The short answer is yes. Charities are subject to the same cyber vulnerabilities as other organisations and businesses that conduct financial transactions, and rely on electronically held data or information to conduct day-to-day operations.
The outward facing nature of charities and a culture of trust in the sector makes them particularly vulnerable to criminality.
What is ransomware? A type of malicious software designed to block access to a computer system until a sum of money is paid.
What is malware? Short for malicious software, malware is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
What types of cyber-attacks do charities face? How can I combat these? Sadly, there any many ways that cyber criminals can choose to attack a charity or business. The NCSC’s Cyber Threat Assessment revealed the following types of attacks were most prevalent of those reported:
Ransomware and extortion: Charities may be targeted directly, be inadvertently affected by malware aimed elsewhere, or by mass indiscriminate campaigns seeking to exploit as many victims as possible. Malicious actors may not only steal or deny access to data; they may delete or change it. Alternatively, attackers may steal and threaten to release data unless a payment is made (or another demand is met).
Business email attacks: Criminals may initially compromise the email accounts (usually business rather than personal accounts) of a company’s senior executives or finance or legal personnel. Spoofed emails are then sent ordering unsuspecting employees with financial authority to carry out money transfers that are diverted to the criminals’ accounts.
Fake organisations websites: Criminals exploit the credibility and appeal of charities to trick donors into giving money to what appears to be a legitimate charity. This is often achieved through the creation of fake organisations and accompanying websites. Some of these fraudulent websites are well designed, functional and look professional. Criminals react quickly to exploit disasters and global events to steal donations.
What is a VPN? VPN stands for Virtual Private Network. It is a network connection method for creating an encrypted and safe connection. This method protects data from interference, snooping, censorship.
What can I do if I think I’m being/or have been attacked? The Cyber Resilience Centre for the South East is here to provide help and guidance to protect and prevent businesses from falling victim to cybercrime. If you think you have fallen victim to a cybercrime, you need to know how to report it.
If you are a business, charity or organisation that is currently suffering a live Cyberattack, then please call Action Fraud's 24/7 helpline on 0300 123 2040.
You can report cybercrime, fraud and attempted fraud to the national fraud reporting service Action Fraud. Action Fraud is the UK’s national reporting centre for fraud and cybercrime, and takes crime reports on behalf of the police and can provide you with guidance. They assess each crime and where possible, pass it out to the most relevant law enforcement agency to investigate or offer bespoke protect advice. Report to Action Fraud at www.actionfraud.police.uk or by calling 0300 123 2040. How might a breach affect my charity? Charities can face heavy fines if they suffer data breaches leading to the loss or exposure of confidential information. Not only do charities need to worry about the financial implications of the data breach, but the negative publicity and financial penalty together can be devastating for a charity. A UK transgender charity was fined £25,000 by the Information Commissioners Office (ICO) for failing to keep the personal data of its users secure. The breach led to the names and email addresses of 550 people being searchable online.
Another example of a fine received by a charity was the British and Foreign Bible Society who were fined £100,000 by the Information Commissioners Office (ICO) after cyber hackers gained access to more than 400,000 supporters’ personal data.
How can I educate staff/volunteers who work for a charity about cyber security? Most small organisations do not have an IT department, or technical staff responsible for cyber security. And with so much cyber security advice out there, it can be difficult for small organisations to know where to start.
The National Cyber Crime Centre has released new training for small organisations and charities can help. It guides you through all the actions you need to take to reduce the likelihood of you becoming a victim of the most common cyber-attacks.
The training demonstrates how you can improve your organisation’s resilience, and covers five key areas:
1. Backing up your organisation's data correctly
2. Protecting your organisation against malware
3. Keeping the devices used by your employees secure
4. The importance of creating strong passwords
5. Defending your organisation against phishing
The training will put your staff in the driving seat. They will be answering questions, identifying possible issues, and making suggestions for how to prevent, and tackle common cyber security challenges. You can find the training here. How can the Cyber Resilience Centre help a charity improve its cyber resilience? The Cyber Resilience Centre for the South East is part of the national roll out of Cyber Resilience Centres in the UK which began in 2019. Working in structured partnership with regional Policing, Academia, Businesses, Third and Public Sector organisations through a variety of ways, it is our ambition that every charity and business within our region will have the skills and knowledge to protect themselves from online attacks in order to make the region one of the safest places to live, work and do business.
The SECRC offers a range of membership packages, our core membership is free and entitles you to:
o Guidance and tips to help you tackle local cyber threats
o Early bird invites to our webinars
o Free and easy to follow cyber security exercises and toolkits for you to run with your employees
o Access to affordable and professional cyber security services including a service that can test how strong your website is against the most common cyber attacks.
o Find local certifying bodies should you want to achieve Cyber Essentials or Cyber Essentials ‘Plus’ accreditation
o Learn how to procure good value private cyber security professional services
o Upgrade to a membership package suitable for your charities needs