The charity sector, is like cat nip to a cyber criminal. Partly because of the amount of personal information they hold on trustees, board members, staff, donators, but also because of the financial stakes involved. 

Cyber crime is an ever growing and evolving beast. As it continues to grow and cyber criminals become more savvy, they start to expand the sectors they attempt to infiltrate and cause as much damage as possible. 

Helen Stephenson, Chief Executive, Charity Commission for England and Wales said:

“Charities are not immune to cyber crime. Perpetrators do not distinguish between their victims and charities are as likely to be targeted as private firms or the general public. The valuable funds, assets and good reputation of charities are at risk from the increasing threat of cyber crime. That is why everybody involved with charities – donors, volunteers, employees, professional advisers and, above all, trustees – have a role to play in protecting the charity sector from cyber related harm.” 

The Cyber Security Breaches Survey 2019Charity findings by income band’ discovered that in the last 12 months 52% of high-income charities – with £500,000+ – had experienced a cyber attack. These numbers dwindle slightly when we look at charities with lower incomes – 32% for middle-income charities (£100,000 – £500,000) and 19% for small-income charities (up to £100,000). 

With the cost of a data breach as a result of a cyber attack ranging between £300 – £100,000, charity managers cannot afford to ignore the growing threats posed by cyber crime which takes various forms. 

Thankfully, the charity sector is starting to wake up to this threat. The 2019 Cyber Security Breaches Survey went on to show. 75% of charities rated cyber security as a high priority in 2019. This was a 22% increase on the previous year.  

However, what was worrying to discover was that only 49% of charities, directors or trustees are only updated once a year of less on cyber security, if at all. 25% of low-income charities never update their trusts.  

Ciaran Martin, Chief Executive Officer, National Cyber Security Centre, said: 

Like businesses, charities are increasingly reliant on IT and technology and are falling victim to a range of malicious cyber activity. Losing access to this technology, having funds stolen or suffering a data breach through a cyber attack can be devastating, both financially and reputationally.

What is the most common cyber attack affecting charities?

Unsurprisingly, the most common cyber attack charities face is phishing or scam emails. It’s the most commonly used tool in the cyber criminal’s arsenal.  

15% of small-income, 23% of medium-income and 46% of high-income charities surveyed in the Cyber Security Breaches survey revealed they had received phishing emails. 

But what exactly is phishing?

Phishing is the term used when cyber criminals send an email to a person, claiming to be from another organisation. There is usually a link or an attachment in the email, which the ‘sender’ encourages the recipient to open or click on. These attachments/links can then trigger viruses to be downloaded onto your computer, or execute a ransomware attack. Both of which can be detrimental to your charity. 

However, phishing doesn’t just stop there. Cyber criminals adapted their methods to target senior executives in businesses. Referred to as Whaling’ or CEO fraud, the criminals ask the recipient to click on a link to view an invoice that needs urgent payment, or to click a link to update some details. Often money is sent to a criminal’s bank account, or a criminal is granted access to the organisation’s infrastructure because someone let them in, by providing them with the details in an innocuous way. 

In our busy lives, people have succumbed to this tactic and followed the instructions in the email. Because it’s a tactic that works, cyber criminals continue to deploy it on a regular basis. 

As a result of these phishing emails, 2% of low-income, 6% of medium-income and 18% of high-income charities surveyed said they had been victim or a virus or other malware attack, which include ransomware. 

How can you protect your charity from common cyber attacks?

Cyber Essentials accreditation 

Cyber Essentials is a Government scheme and is recommended by the National Cyber Security Centre. It was created to ensure businesses and organisations were able to adhere to a set of cyber security standards. Many tender processes including national and local Government require those who apply to have Cyber Essentials accreditation. 

Cyber Essentials helps you to guard against the most common cyber threats by covering five technical controls. Once you have taken the time to investigate and put them in place, these controls will put you and your organisation on the path to better cyber security. 

  1. Use a firewall to secure your internet connection 
  2. Choose the most secure settings for your devices and software 
  3. Control who has access to your data and services 
  4. Protect yourself and viruses and other malware 
  5. Keep your devices and software up to date 

Why you business needs cyber essentials

What is the Cyber Essentials accreditation process? 

Today’s Cyber Security is part of the Practical Vision Network, and we are IASME certified, demonstrating that we take cyber security extremely seriously. We are an accredited body that are able to access and complete Cyber Essentials certifications for organisations across the board. 

Getting Cyber Essentials accredited is quick and easy. Our cyber security specialists work with your in-house or external IT team to ensure your cyber infrastructure is in great shape. 

Our expert team will guide you by sending documentation regarding the accreditation, that your IT team can use to prepare for the online assessment. 

Once you’re ready, you will log in to the online portal and complete the self-assessment questionnaire. If you don’t want to do this yourself, one of our consultants can help. When you’re ready, submit your answers for marking by one of our assessors. 

Once you have passed, your charity will officially be Cyber Essentials certified and you can publish the badge on your website. You can then take advantage of our Free Cyber Insurance up to the values of £25,000. 

How much does Cyber Essentials accreditation cost? 

£300 plus VAT. This is an annual certification.

How do I get started? 

Book in a quick and free 15 minute consultation with our Cyber Security Team who can answer any questions you have about the process. 

How to report cyber crime and fraud

There are many avenues you can choose to take to report cyber crime and fraud. Contacting the local police on 999 (in an emergency) or 101 (for non-emergency calls) is one option. The operators on hand there will be able to give you some advice. 

Action Fraud 

Action Fraud is the UK’s national reporting centre for fraud and cyber crime. You are able to report fraud if you have been scammed, defrauded or experienced cyber crime in England, Wales and Northern Ireland. 

If you’re based in Scotland, you need to contact Police Scotland with regards to cyber crime reports. 

You can report fraud or cyber crime to Action Fraud at any time of the day or night via their online reporting tool. 

If you have been a victim of email phishing attempts, but you haven’t lost any money or exposed your log in credentials/personal details, this can be reported via Action Fraud’s ‘Report a Phishing attempt’ tool. 

If you are a charity which is currently suffering a live cyber attack (in progress), you can call 0300 123 2040 immediately. This is a dedicated phone line which is available 24/7.   

Depending on the issue you may need to inform the Information Commissioner’s Office or the Charity Commission. 

Charity Commission 

Under the guidelines of the Charity Commission, charities are required to report serious incidents to them, in a full and frank disclosure. You are required to report what happened and let the Commission know how you are dealing with the incident.  

This report needs to be filed, even if you have reported the incident to the police, Information Commissioners Office, donors or other regulators. 

The Charity Commission defines a serious incident as: 

“A serious incident is an adverse event, whether actual or alleged, which result in or risks significant; 

  • Harm to your charity’s beneficiaries, staff, volunteers or others who come into contact with your charity through its work 
  • Loss of your charity’s money or assets 
  • Damage to your charity’s property 
  • Harm to your charity’s work or reputation” 

The Commissioner also defines the word “significant” as: 

“significant in the context of your charity, taking account of its staff, operations, financers and/or reputation.” 

It is the responsibility of the charity’s trustees to report incidents to the Charity Commission. If at the time of the incident you decide not to inform the Commission, but further down the line the Commission becomes involved, it’s the trustees’ responsibility to explain the decision to not inform the Commission.  

For more information and to read the Charity Commission’s full and detailed guidance, click here. 

Why should I report cyber crime?

By reporting scam emails to Action fraud you can help to disrupt fraudsters. These reports will be provided to the National Fraud Intelligence Bureau (NFIB) for further analysis. This enables crucial intelligence to be collated and preventative action to be taken.   

By reporting cyber crime you are helping to close down fraudsters and their malicious activities. Protecting not only your charity but other businesses and organisations in different sectors. 

Want to know more? Join our free Webinar 

Losing access to technology, having funds stolen or suffering a data breach through a cyber attack can be devastating, both financially and reputationally.   

Join our latest webinar where we look at cyber crime affecting charity sector and what you can do to protect from the ever-growing threat from cyber criminals.