Six ways to keep your charity safe from cyber attacks

Third Sector Promotion NCSC

Cybersecurity experts give their top tips to keep hackers at bay.

5 panellists on a webinar
Clockwise from top left: Emily Burt, Third Sector; Gareth Packham, Save the Children International; Michala Liavaag, Cybility Consulting; Ian Levy, NCSC; Stuart McSkimming, Royal British Legion

At the recent Third Sector webinar on ‘How to keep your charity cyber safe’, in partnership with the National Cyber Security Centre (NCSC), we asked the experts for their golden rules to protect against cyber attacks in a not-for-profit organisation.

1. Get your board to take cybersecurity seriously

Getting buy-in from your board to invest in cyber security can be difficult – especially if it’s a choice between spending money on beneficiaries, or splashing out on new technology. To encourage board members to invest, it’s important to explain the specific risks to your organisation.

“Frame cyber security investment in terms of what could prevent charities from carrying out their work. So, if you are very dependent on technology, think about what would happen if there were a ransomware incident that took out access to your machines. Could you still deliver services to your beneficiaries?” asks Michala Liavaag, founder and managing director of Cybility Consulting.

Stuart McSkimming, chief information officer at the Royal British Legion, added: “Board members are not cyber security experts, but they should understand ‘risk’. Keep it simple and explain what could actually happen, and here’s what we can practically do to reduce the possibility of a cyber attack.”

The NCSC has produced a Board Toolkit which is designed to encourage and support essential cyber security discussions between the board and their technical experts.

2. Encourage an open culture when it comes to reporting an attack

There is often shame and embarrassment associated with falling for a hacker’s scam, so encouraging employees to speak out if they make a mistake is essential.

“Cyber security has grown up in this adversarial war-gaming kind of culture, which is really unhelpful, so make sure you don’t blame people if they click a phishing link,” said Ian Levy, technical director at the NCSC.

“It’s not their fault, so make sure you support your staff.”

3. Reduce the risk of human error with training

Liavaag said that the majority of cyber breaches are related to the human factor, so spending a little money on training, education and awareness could be more valuable than spending thousands of pounds on new technology. “I would like to see that balance shift,” she said. “Think about the people and invest in them – they will make the difference to your organisation.”

Gareth Packham, director of information security & data protection at Save the Children International, agreed: “Our job is not to turn everyone into cyber security experts, but they do need to know how to protect themselves, whether that’s using multi-factor authentication or looking out for phishing emails,” he said.

Check out Cybility’s Cybersecurity Ring of Resources - Charities Edition; it is a collection of useful, mostly free, resources that can help you protect your charity.

4. Save money by talking to your peers

Seeking help from peers in the not-for-profit sector can be a cheap and easy way to stay ahead of cyber threats. “There are a lot of people out there from larger charities who are willing to put some time in to mentor smaller charities, so build up connections with people who can give you some honest, simple advice,” said McSkimming.

Sharing information about current threats with other organisations is also incredibly valuable. Levy says the NCSC organises a Charity Trust Group which cyber leaders in larger charities can join to share information. “It’s one of the best ways to make sure large charities stay on top of the threat as it evolves over time,” he says. The NCSC also publishes a small charity guide, dedicated to helping not-for-profits that may not have the time, money or resources to tackle cyber crime on their own.

5. Protect your passwords

McSkimming said that one of the simplest ways to protect your organisation is using multi-factor authentication for passwords. “I would recommend this to anyone to reduce the risk of cyber attacks,” he said.

Liavaag also suggested using, which can be set up to check if your employees’ email or phones have been compromised, and immediate action can then be taken to disable those accounts. The NCSC also offers advice on best practice when it comes to setting strong passwords.

6. Create an incident response plan – then test it – and use it!

When thinking about the cyber threats your organisation might face, it’s crucial to make sure you know what your risks are. “It’s so important to have an incident response plan. Innovating during a crisis is not a good idea,” says Levy.

He added that testing your current system is a good first step towards finding out how resilient your charity might be in the event of an attack. “Putting people in a real situation and letting them work through how it actually feels to be the subject of a cyber attack is really constructive,” he said. “The NCSC has a free tool called Exercise in a Box, which takes you through a simulated attack and shows what the impact might be – not just on your services but your brand.”



Cyber security for charities: Insights and guidance

Not everyone is working for the greater good: cyber criminals are targeting charities. We're seen as data-heavy and vulnerable. That's why Third Sector, in partnership with the National Cyber Security Centre, has collated advice, insight and guidance to help you take simple steps to staying more secure, so you can better and more easily understand the risks and prepare appropriately. 
