Six ways to keep your charity safe from cyber attacks

Third Sector Promotion NCSC

Cybersecurity experts give their top tips to keep hackers at bay.

Clockwise from top left: Emily Burt, Third Sector; Gareth Packham, Save the Children International; Michala Liavaag, Cybility Consulting; Ian Levy, NCSC; Stuart McSkimming, Royal British Legion

At the recent Third Sector webinar on ‘How to keep your charity cyber safe’, in partnership with the National Cyber Security Centre (NCSC), we asked the experts for their golden rules to protect against cyber attacks in a not-for-profit organisation.

1. Get your board to take cybersecurity seriously

Getting buy-in from your board to invest in cyber security can be difficult – especially if it’s a choice between spending money on beneficiaries, or splashing out on new technology. To encourage board members to invest, it’s important to explain the specific risks to your organisation.

“Frame cyber security investment in terms of what could prevent charities from carrying out their work. So, if you are very dependent on technology, think about what would happen if there were a ransomware incident that took out access to your machines. Could you still deliver services to your beneficiaries?” asks Michala Liavaag, founder and managing director of Cybility Consulting.

Stuart McSkimming, chief information officer at the Royal British Legion, added: “Board members are not cyber security experts, but they should understand ‘risk’. Keep it simple and explain what could actually happen, and here’s what we can practically do to reduce the possibility of a cyber attack.”

The NCSC has produced a Board Toolkit which is designed to encourage and support essential cyber security discussions between the board and their technical experts.

2. Encourage an open culture when it comes to reporting an attack

There is often shame and embarrassment associated with falling for a hacker’s scam, so encouraging employees to speak out if they make a mistake is essential.

“Cyber security has grown up in this adversarial war-gaming kind of culture, which is really unhelpful, so make sure you don’t blame people if they click a phishing link,” said Ian Levy, technical director at the NCSC.

“It’s not their fault, so make sure you support your staff.”

3. Reduce the risk of human error with training

Liavaag said that the majority of cyber breaches are related to the human factor, so spending a little money on training, education and awareness could be more valuable than spending thousands of pounds on new technology. “I would like to see that balance shift,” she said. “Think about the people and invest in them – they will make the difference to your organisation.”

Gareth Packham, director of information security & data protection at Save the Children International, agreed: “Our job is not to turn everyone into cyber security experts, but they do need to know how to protect themselves, whether that’s using multi-factor authentication or looking out for phishing emails,” he said.

Check out Cybility’s Cybersecurity Ring of Resources - Charities Edition; it is a collection of useful, mostly free, resources that can help you protect your charity.

4. Save money by talking to your peers

Seeking help from peers in the not-for-profit sector can be a cheap and easy way to stay ahead of cyber threats. “There are a lot of people out there from larger charities who are willing to put some time in to mentor smaller charities, so build up connections with people who can give you some honest, simple advice,” said McSkimming.

Sharing information about current threats with other organisations is also incredibly valuable. Levy says the NCSC organises a Charity Trust Group which cyber leaders in larger charities can join to share information. “It’s one of the best ways to make sure large charities stay on top of the threat as it evolves over time,” he says. The NCSC also publishes a small charity guide, dedicated to helping not-for-profits that may not have the time, money or resources to tackle cyber crime on their own.

5. Protect your passwords

McSkimming said that one of the simplest ways to protect your organisation is using multi-factor authentication for passwords. “I would recommend this to anyone to reduce the risk of cyber attacks,” he said.

Liavaag also suggested using, which can be set up to check if your employees’ email or phones have been compromised, and immediate action can then be taken to disable those accounts. The NCSC also offers advice on best practice when it comes to setting strong passwords.

6. Create an incident response plan – then test it – and use it!

When thinking about the cyber threats your organisation might face, it’s crucial to make sure you know what your risks are. “It’s so important to have an incident response plan. Innovating during a crisis is not a good idea,” says Levy.

He added that testing your current system is a good first step towards finding out how resilient your charity might be in the event of an attack. “Putting people in a real situation and letting them work through how it actually feels to be the subject of a cyber attack is really constructive,” he said. “The NCSC has a free tool called Exercise in a Box, which takes you through a simulated attack and shows what the impact might be – not just on your services but your brand.”

