A recent Third Sector and NCSC survey with over 120 charities revealed only half are fully aware of the potential consequences of a cyber attack, leaving the other half open to emerging threats. Alarmingly, one in 10 said it’s not even on the boardroom agenda, and one in five said not a single employee was trained to identify a cyber attack.
This guide gives you an inside look into the current cyber threats that charities face, how to spot a cyber attack and how to get buy-in from the board to invest in cyber security. We also offer top tips for improving your cyber security culture, we take you through what a good incident response plan looks like, and leave you with a handy checklist and list of tools to get you started.
Emerging threats and how to spot them
New threats and vulnerabilities are being found all of the time, so it can be difficult to keep up to date.
The vast majority of IT security threats in the third sector are cyber crime. Cyber criminals go after personal data and money.
The biggest emerging cyber threats facing charities are:
- Ransomware attacks: Malware that makes data or systems unusable until the victim makes a payment.
- Phishing: Phishing can be conducted via a text message, social media, or by phone, but is mainly used to describe untargeted, mass emails sent to many people asking for sensitive information, such as bank details, or encouraging them to visit a fake website.
- Malware: ‘Malicious software’ including viruses, trojans, worms or any code or content that can damage computer systems, networks or devices.
- Denial of service: A type of cyber attack where a computer service is overloaded, so that real users can no longer access the service.
There was a 105% surge globally in ransomware attacks last year (Source: Fortune).
1 in 5 charities perceive cyber security to be a low priority.
1 in 5 charities (20%) said not a single employee was trained to identify a cyber attack.
Becca K is the NCSC’s charity sector resilience lead. Here’s what she has to say about the latest cyber threats…
“The type of cyber attack that has the biggest impact is ransomware attacks, where a cyber criminal has managed to gain access into your charity’s system. Once they’re into your system they’ll have a really good root around to see what they can find, and they’ll try to get access to as much as possible”.
“It could be a member of staff or volunteer who clicks on that link, so start with a training plan for all your staff and volunteers”.
Watch the full video here for more insights
Getting buy-in from the board
Is your board taking cyber security seriously? Getting buy-in from your board to invest in cyber security can be difficult - especially if it seems like a choice between spending money on beneficiaries or investing in new technology.
Only 34% said cyber security is a high boardroom priority that they review regularly.
Alarmingly, one in 10 said it’s not even on the agenda.
40% said their board members have not recently discussed the potential impact of a cyber attack within the organisation.
Gareth Packham, director of information security and data protection, Save the Children International:
“By being very specific about the types of threat that we face and how investment can counter those threats and reduce the risk of us suffering a major cyber security incident, it’s a lot easier to explain that narrative to the board and get the buy-in you need”.
“Cyber security isn't just an IT issue, it’s something that affects the whole organisation and needs to be a joined-up approach”.
Lyndsey Jackson, deputy chief executive, Edinburgh Fringe Society:
“Go out and seek information from organisations like the NCSC and Charity Commission who have really clear guides of what charities need to be aware of in terms of cybercrime resilience”.
“Understand what you’re doing as a charity to minimise the damage to the charity if it does happen and what you’re doing to ensure you’re building systems and structures that are future-proof”.
Stuart McSkimming, chief information officer at the Royal British Legion:
“Board members are not cyber security experts, but they should understand ‘risk’. Keep it simple and explain what could actually happen, and here’s what we can practically do to reduce the possibility of a cyber attack”.
Michala Liavaag, founder and managing director, Cybility Consulting:
“Frame cyber security investment in terms of what could prevent charities from carrying out their work. So, if you are very dependent on technology, think about what would happen if there was a ransomware incident that took out your access to your machines. Could you still deliver services to your beneficiaries?”
The NCSC offers a range of cyber security advice and guidance for charities including this cyber security guide for boards.
Watch the full video on getting buy-in from the board here.
Shifting organisation culture and educating employees
Charities need to think differently about their cyber security culture. Cyber security isn’t just an IT function; it’s an organisational function, and it needs to be embedded within the organisational culture. It’s something everyone needs to be responsible for and play their part in.
Fewer than half of charities have a dedicated member of staff responsible for cyber security.
70% don’t have plans to deliver cyber security training in the next 6 months.
Education and protection are key...
Javvad Malik, lead security awareness advocate, KnowBe4:
“It can be as simple as the CEO standing up in their briefings and saying ‘I got attacked by a phishing email’ - that act alone takes away the stigma”.
“What we want is long term change. Focus on the key behaviours that really affect your charity - maybe it’s phishing emails or strangers wandering into the office and wandering out again - work out what those are and specifically target those behaviours. This won’t happen overnight”.
“No matter how big your organisation or security team is, it’s never going to have enough resources, so unless you can leverage the entire organisation - all the people within it - you’re always going to be at a disadvantage”.
Gareth Packham, director of information security & data protection at Save the Children International:
“Our job is not to turn everyone into cyber security experts, but they do need to know how to protect themselves, whether that’s using multi-factor authentication or looking out for phishing emails”.
Ian Levy, technical director, NCSC:
“Cyber security has grown up in this adversarial war-gaming kind of culture, which is really unhelpful, so make sure you don’t blame people if they click a phishing link”.
Stuart McSkimming, chief information officer at the Royal British Legion:
“There are a lot of people out there from larger charities who are willing to put some time in to mentor smaller charities, so build up connections with people who can give you some honest, simple advice”.
Top tips for improving your cyber security culture
Create a culture of openness: Remove the stigma associated with falling victim to a cyber attack.
Identify your cyber security champions: Find the people in your organisation who are inclined to help with cyber security.
Involve comms teams: They know how to deliver messaging. Think of it as a marketing campaign!
Make your digital infrastructure more user-friendly: Add a password strength meter, for example a smiley face that changes from sad to happy as the password someone is typing gets stronger.
Educate your workforce: Inform them about the threats out there, the value of the data you hold, how to protect it and how you report anything.
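As an added illustration of the password meter tip above (example code written for this guide, not code from the original page or from the NCSC): a small JavaScript strength meter that scores a new password and turns a text face from sad to happy as the score rises. The scoring thresholds, the short common-password list and the element ids `#new-password` and `#password-face` are assumptions made for this example.

```javascript
// Added example: a simple password strength meter that maps a score to a
// face, as the "smiley face" tip above suggests. The scoring rules are
// illustrative assumptions, not NCSC guidance.

// Constructed sample of very common passwords; a real deployment would
// check against a much larger breached-password list.
const COMMON_PASSWORDS = new Set([
  "password", "123456", "qwerty", "letmein", "charity1", "welcome",
]);

// Returns an integer score from 0 (very weak) to 5 (strong).
function scorePassword(pw) {
  if (typeof pw !== "string") return 0;
  // Anything on the common-password list is weak regardless of its shape.
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) return 0;

  let score = 0;
  // Length is the biggest factor: three-random-word style passphrases
  // score well here simply because they are long.
  if (pw.length >= 8) score += 1;
  if (pw.length >= 12) score += 1;
  if (pw.length >= 16) score += 1;

  // Character variety adds a little on top.
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(pw)).length;
  if (classes >= 2) score += 1;
  if (classes >= 3) score += 1;

  // Penalise long runs of one repeated character, e.g. "aaaaaaaa".
  if (/(.)\1{3,}/.test(pw)) score -= 1;

  return Math.max(0, Math.min(5, score));
}

// Maps a score to the face and label shown next to the input field.
function faceFor(score) {
  if (score <= 1) return { face: ":-(", label: "weak" };
  if (score <= 3) return { face: ":-|", label: "okay" };
  return { face: ":-)", label: "strong" };
}

// Convenience wrapper: score plus face and label in one object.
function meter(pw) {
  const score = scorePassword(pw);
  return { score, ...faceFor(score) };
}

// Wire the meter to a form field in the browser. The element ids are
// assumptions for this example; the guard keeps the block runnable in Node.
if (typeof document !== "undefined") {
  const input = document.querySelector("#new-password");
  const out = document.querySelector("#password-face");
  if (input && out) {
    input.addEventListener("input", () => {
      const m = meter(input.value);
      out.textContent = `${m.face} ${m.label}`;
    });
  }
}
```

The meter only gives feedback while a password is being chosen; it does not replace server-side checks or the use of multi-factor authentication mentioned elsewhere in this guide.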
Survival of the fastest - what does a good incident response plan look like?
A good incident management plan is about establishing a framework that guides you through the stages of an incident. What does a good incident response plan look like? Will you have to suspend operations after a cyber attack? What steps should board members take after an attack? And how often should you review your incident response plan?
30% of charities don’t have a process in place to respond to a cyber attack.
39% of charity board members have not recently discussed the potential impact of a cyber attack within the organisation.
Only 39% of charities have a process in place to respond quickly to a cyber attack.
50% of charities have not tested their incident response plans in relation to the heightened risk caused by Russia’s invasion of Ukraine.
Michala Liavaag, founder and managing director, Cybility Consulting:
“One of the most important things you can do as leaders in your organisations is to educate your people about how to recognise an attack and who to report it to. From your employed staff to volunteers”.
“Having a visual flow-chart is really helpful, having an escalation process, an offline copy of your key contacts in case of an awful incident where you can’t access your systems, procedures for reporting up to the regulators”.
“Depending on the significance of the incident and your connectivity with other organisations, you may need to be brave and say in this instance we will actually shut down our Internet connection or we will shut down delivery of this particular service while we contain the issue and make sure it’s safe to bring everything back up”.
Watch the full video here for more insights.
5 simple steps
Protect your charity from the most common cyber attacks with these simple low-cost steps:
- Back up your data
- Keep your smartphones and tablets safe
- Prevent malware damage
- Avoid phishing attacks
- Use passwords to protect your data
Toolbox (free resources)
- Plan your cyber incident response processes: check out the NCSC’s incident management guidance.
- Get your organisation in shape to prepare and respond to cyber threats with the NCSC's Exercise in a Box fitness tracking tool. It takes you through a simulated attack and shows what the impact might be – not just on your services but your brand.
- Subscribe to weekly threat reports and the NCSC’s small organisations newsletter here.
- Get buy-in from the board to invest in cyber security - check out the NCSC’s cyber security guidance for boards.
- Guidance to help small-to-medium sized organisations prepare their response to and plan their recovery from a cyber incident.
- Report a cyber security incident
- Click here to sign up for the NCSC Early Warning service and receive alerts about potential security issues affecting your network.
- Cybility’s cyber security ring of resources
- Check if your email or phone is in a data breach
All statistics are taken from the 2022 Third Sector & NCSC survey, unless otherwise stated.