Almost a third of charities were reportedly the target of cybercrime in the last year alone.
Cybercriminals are opportunists, and charities often lack the resources to remain protected against the latest threats and risks online. Like all organisations, charities are increasingly reliant on IT to perform everyday tasks. But charities without a dedicated IT policy and less protection can be left vulnerable to malicious attacks.
According to UK Government research, in 2022, 30% of charities identified a cybersecurity breach. It is, therefore, vital to assess the growing risk of cyberattacks for the charity and non-profit sector.
So, what steps can charities take in 2023 to ensure the safety of their data, including funds, donations, and employee/volunteer information?
Main cybersecurity concerns for charities in 2023
In the UK government’s Cyber Security Breaches Survey 2022, some major cybersecurity concerns for charities were identified.
1) Personal devices are used more frequently
BYOD (or Bring Your Own Device) involves using personal devices, such as laptops or phones, for work purposes. In charities with casual working environments, this kind of policy is generally more relaxed. In fact, the report noted that BYOD has “historically been more prevalent in charities than in businesses”. This is even more common in charities with limited office space, resources and budget, or with a significant number of volunteers.
In the Cyber Security Breaches Survey 2022, 64% of charities (compared to 45% of all businesses) said staff regularly use their own devices, and this is a growing trend in smaller charities.
BYOD also means that cybersecurity updates and monitoring are far less effective and are even less likely to be carried out. Without regular organisation-wide updates and monitoring of devices, charities are far more likely to fall victim to cybersecurity breaches.
The use of personal devices in the workplace has been propelled by the pandemic. With even more charity workers having to work remotely and spending more time working outside of an office, often due to lack of office space and remote working Covid-19 policies, workers are using less secure networks. Less security makes these organisations an even easier target for cybercriminals.
2) Supplier risk awareness
Only 9% of charities have carried out work to formally review the potential cyber security risks presented by immediate suppliers, and only 5% have looked at their wider supply chain. Charities overall show lower awareness of the risk posed by suppliers, both immediate and in the wider supply chain. If a charity allows a third party access to its IT systems, for example, that access becomes an opportune route for an attack. By presuming that the immediate and wider supply chain are reliable and trustworthy, organisations are left exposed to cyberattacks.
3) Backing up of data
Whereas 87% of businesses have some form of backup plan in place, only 74% of charities had a similar policy, despite over a third of charities holding payment data or similar. This has improved since the 2021 survey, where only 68% of charities backed up data, but it is still not high enough and demonstrates how charities are often lacking the technical cyber security controls that other businesses use as part of their protection.
Basic technical controls like password protection are common in charities and businesses alike. Yet, charities lack the depth of controls, covering vulnerable areas like data storage and user activity.
4) Attitudes towards cybersecurity
Another reason charities are increasingly vulnerable to cyberattacks may be their attitude towards cybersecurity itself. Whilst charities acknowledge the importance of cybersecurity, only 72% say their trustees consider cyber security a high priority. This is significantly lower than the figure for businesses (82%). This oversight may be a contributing factor to the increasing number of cyberattacks.
With the increased use of personal devices, stay-at-home policy and lack of funding caused by Covid-19, administering and monitoring cybersecurity measures has become increasingly difficult, or ignored altogether. With these additional challenges, the already strained resources for cybersecurity have presented charities with increasingly difficult circumstances to ensure they remain as protected as possible.
5) Cybersecurity responsibility
Ensuring that both organisations and employees are empowered by, and responsible for, their cybersecurity is vital. Only 42% of charities regularly update their board on their cybersecurity plan of action. According to the survey, many organisations are failing to train staff and volunteers on cybersecurity awareness, despite cyber training being mandated by the ICO for any IT users that have access to databases.
Steps charities can take to support cybersecurity
All organisations have a legal responsibility to ensure they are minimising the risk of confidential or sensitive data being breached. All organisations hold such data, whether that’s a list of staff or volunteer details, a CRM or fundraising system or data on service users. Taking positive action to minimise the risk of a breach is simply not optional. There are a number of steps all organisations should take.
Using personal devices involves risk, as the device's exposure to malware is managed by its user. However, steps can be taken to secure the device, such as:
- Configuring ‘Find My Device’ or similar. This can be used to secure the device and erase it from your administrator panel. It can also help you find a lost or stolen device.
- Adding biometrics to your device. Most mobile devices now offer fingerprint or face ID.
- Ensuring your device still receives regular security patches. If your device is old, you will need to replace it to ensure security levels are maintained.
- Using a password management system to keep your passwords stored securely rather than on a notes page or similar.
- The best standard, however, is to use a properly designed Mobile Device Manager (such as Microsoft’s Intune) to give your IT admin the ability to determine who can access what, to set minimum security settings on the device, and to remotely wipe sensitive data from an employee-owned device should that device be lost or the employee leave the organisation.
Too many people believe that data stored in the cloud is automatically backed up, and this simply isn’t the case. One of the most common forms of attack is a ransomware attack, where a cyber criminal scrambles all of your data and holds you to ransom for its safe return. A third-party backup of all key data will enable you to quickly restore data without the need to pay charitable funds to a cyber criminal. The increase in ransomware is blistering and backup is an essential risk mitigator. Having a good backup strategy, including holding physical offline copies (known as air gapping), is essential to keep your organisation running in case of a ransomware attack.
Passwords are still your first line of defence. Password creation and storage require management and skill. Remembering multiple passwords can be a challenge, so charity users often use weaker or repeated passwords to make them easier to remember. Using a password manager application can significantly improve password strength, whilst leaving the end user needing to remember only one master password.
Multi Factor Authentication
Increasingly, businesses are storing information in the cloud: Office 365, SharePoint, Box, Google Drive and the like are all fairly commonplace, and whilst users previously needed a VPN to access company data, access is now much more straightforward. Passwords are becoming weaker as time goes on, and this has led to breaches as people use similar and familiar passwords.
Multi-factor authentication (MFA) is the process of needing more than one piece of information to log in to a secure website or service. In traditional systems, all you need to know to gain access to an IT system is a username and password, data that can easily be hacked or stolen.
MFA introduces a second component, often a PIN code that can only be generated by a mobile phone or an access token, meaning that for a malicious user to gain access to a system, they would need to steal not only your password information but also your mobile device – making it significantly harder for access.
Training and raising awareness
The more organisations can provide up-to-date knowledge and skills to their workforce on cybersecurity best practice, the greater their resilience to cybercrime. Cybersecurity training is a simple yet highly effective way to prepare charity workers to prevent, and to react to, cybercrime. Your ‘human firewall’, for example, is the biggest line of defence against cybercriminals and should be a high priority for any charity.
The Information Commissioner’s Office (ICO) is the UK body responsible for prosecuting organisations that fail to keep data safe. In December 2021 the ICO issued new guidance saying that it expects all staff and volunteers with access to data to receive cyber awareness training as part of their induction, within 30 days of starting and before the employee is granted access to any databases containing personal or sensitive data. Furthermore, it mandates that training should be ongoing for all employees. Failure to comply with this guidance could lead to a greater fine or other penalties in the event of a breach. We recommend all charities have in place a regular, comprehensive and trackable cybersecurity awareness training solution.
Have a risk assessment and consider external certification
Having an independent expert audit your current cyber security and perform a detailed risk assessment is the best way to ensure you and your trustees properly understand where your risks and opportunities lie. An external verification such as ramsac’s Cyber Resilience Certificate can be a very tangible demonstration to your funders, staff and volunteers, that you’re taking protection of their data seriously.
About the author
ramsac provides managed IT solutions and IT support, as well as specialist cloud and cyber security projects, to organisations in the UK.