Veracity Blog

Cyber Security for charities & third sector should be a priority

Cyber Security for charities & third sector should be a priority as almost a quarter of all UK charities were the victims of a cyber-attack in 2023. 

The figures come from the Cyber Security Breaches Survey, published by the Department for Science, Innovation and Technology, and highlight the dangers charities and third sector organisations face from cyber criminals.

Based on a sample of 1,174 UK charities, the survey said that the sector experienced around 785,000 cyber-crimes of all types. 

Higher income charities are significantly more likely to record breaches or attacks, at 56% for those earning £500,000 or more and 76% for those with £5m or more, in line with previous years. 

“All charities ultimately rely on public trust and continued public generosity. So, the impact of any cyber-attack on a charity can therefore be devastating, not just for the organisation and those who rely on its services, but also in undermining public confidence and support,” according to Helen Stephenson – Chief Executive of the Charity Commission for England and Wales.

The UK’s charity sector 

There are 200,000 charities registered in the UK with a combined annual income of £100 billion. In England and Wales alone more than a million people are employed in the charity sector with another five million volunteers. 

Back in 2022 a Third Sector and NCSC survey showed only half were fully aware of the potential consequences of a cyber-attack, leaving the other half open to emerging threats. 

Even more alarming, one in 10 of the respondents said cyber-security wasn’t even on the boardroom agenda, with one in five saying not a single employee was trained to identify a potential cyber-attack.  

[Cyber security is seen as] a scary, messy business with lots of technical challenges, best left to the experts. But there’s a growing recognition that it’s staff behaviours that drive most of the cyber security risk, so we need to share more with the SMT [Senior Management Team], so they know where the threats are coming from and what behaviours might be seen as risky. – Business and Resources Director (overseeing Information Security Team), high-income charity 

The biggest emerging cyber threats facing charities are: 

  • Ransomware attacks: Malware that makes data or systems unusable until the victim makes a payment; 
  • Phishing: Phishing can be conducted via a text message, social media, or by phone, but is mainly used to describe untargeted, mass emails sent to many people asking for sensitive information, such as bank details, or encouraging them to visit a fake website; 
  • Malware: ‘Malicious software’ including viruses, trojans, worms or any code or content that can damage computer systems, networks or devices; 
  • Denial of service: A type of cyber-attack where a computer service is overloaded, so that real users can no longer access the service. 

Why are charities vulnerable to cyber-crime? 

Cyber criminals are motivated by financial gain. They may seek to directly steal funds held by charities or seek to capitalise indirectly through fraud, extortion or data theft.  

There is growing availability of criminal services for hire; offenders can buy ‘off the shelf’ services from another criminal group and so do not need to have advanced technical skills themselves.

This change has led to an increase in the scale of cyber-crime and a less targeted approach to victims – criminals will indiscriminately target all organisations. 

Ransomware is the most harmful cyber-crime threat to the UK 

According to the National Fraud Intelligence Bureau (NFIB) Action Fraud: “Ransomware continues to be a successful cyber-attack and although the extent of the harm is underreported by most victims, ransomware remains hugely profitable for individuals and group offenders and equally disruptive for victims.”  

In January 2022, the Edinburgh Festival Fringe Society was the victim of a ransomware attack.  

The Society informed staff straight away and arranged for disaster recovery help from a cyber-security company. Although they also had system segmentation rules in place, which had helped minimise the number of access points the criminals could infiltrate, historic staff data was still threatened. 

Recovering from the attack cost the Society £95,000, of which only £25k was recovered via their insurance, meaning the remainder had to come from charity reserves. 

In 2020 the Information Commissioner’s Office reported that it was aware of 166 UK organisations that had been affected by a security breach in software provided by Blackbaud. 

Bank account information and users’ passwords were among details believed to be stolen by hackers during the attack. Among those affected were the University of Birmingham and The National Trust. 

And there were multiple different cyber-attacks in the UK last year which affected various companies including Royal Mail, the BBC, British Airways and Boots. 

What can charities do to protect themselves? 

The Government’s NCSC has created a series of guides looking at cyber security for charities. 

The Cyber Security: Small Charity Guide covers five topics which NCSC believes are easy for charities to understand and implement at a low cost. It has also produced a number of webinars and training courses which are free to access. 

Backing up your data – All charities, regardless of nature and size, should take regular backups of their important data, and make sure that these backups are recent and can be restored. 

Protect your charity from malware – Make sure you have anti-virus protection on all equipment which connects to the internet. Remind all employees and volunteers not to download apps other than from the official stores. Ensure all equipment and software is up to date. Control the use of USB and other external drives. Make sure your firewall is switched on across all devices.

Keep your smartphones (and tablets) safe – Mobile technology is now an essential part of life in a small charity, with increasing amounts of data being stored on tablets and smartphones. Make sure password protection is turned on. Make sure lost devices can be located, locked and/or wiped. Keep all devices up to date. Keep all installed apps up to date. Don’t connect to unknown wi-fi hotspots. 

Use passwords to protect your data – Your charity’s laptops, computers, tablets and smartphones will contain a lot of important and sensitive data such as the personal information of your beneficiaries and supporters, as well as details of your online accounts such as banking. Passwords – when implemented correctly – are a free, easy and effective way to prevent unauthorised users accessing your devices. 

Avoid phishing attacks – Phishing emails are getting harder to spot, and some will still get past even the most observant users. Configure accounts to reduce the impact of successful attacks. Think about how you operate and how it might make you vulnerable. Check for obvious signs of phishing like poor spelling and grammar.  Report all attacks and do not punish staff if they get caught out. Check your digital footprint to see if you’re giving away information criminals can use. 

Veracity Trust Network 

Veracity’s Web Threat Protection stops malicious bots before they can cause damage.  

Its patented, AI-powered bot detection uses ultra-fast identification of bot traffic and intelligently learns to recognise new behaviours. It’s easy to implement and stacks seamlessly with your DDoS and WAF solutions. 
