Cybersecurity for charities: managing risks

ramsac charity cybersecurity

Cybercriminals are opportunists, and charities often lack the resources to remain protected against the latest threats and risks online. Like all businesses, charities are increasingly reliant on IT to perform everyday tasks. But charities without a dedicated IT policy and less protection can be left vulnerable to malicious attacks.

In 2020, 26% of charities identified a cybersecurity breach. This has increased since 2018, where only 19% of charities reported a breach. The magnitude of an attack can range from data theft to financial information being stolen, amongst other risks.

So, what steps can charities take to ensure the safety of their data, including funds, donations, and employee information?

Main cybersecurity concerns for charities in 2021

Observed in the UK government’s Cyber Security Breaches Survey 2021, some major cybersecurity concerns for charities were identified.

1) Personal devices are used more frequently

BYOD (or Bring Your Own Device) involves using personal devices for work purposes, including laptops or phones. In charities that have casual working environments, this kind of policy is more relaxed. In fact, the report noticed BYOD has “historically been more prevalent in charities than in businesses”. This is even more common in charities where there is limited office space, resources, and budget.

In the 2021 Cyber Security survey, 67% of charities said staff regularly use their own device, and this is a growing trend in smaller charities.

2) Supplier risk awareness

Only a quarter of high-income (annual income of £500,000 or greater) charities had looked at the risks from immediate suppliers, and one in nine have looked at their wider supply chain. Charities overall show a lower risk awareness from suppliers, including immediate and wider supply chains. These kinds of risks vary from third-party access over IT systems to phishing attacks or viruses that originate from a supplier.

As charities tend to work with governing authorities such as local councils, they may assume they are safe. But supplier risks still pose a great threat to the security of a charity.

3) Backing up of data

Whereas 89% of businesses have some form of backup plan in place, only 68% of charities had a similar policy, despite over a third of charities holding payment data or similar. This demonstrates how charities are often lacking the technical cyber security controls that other businesses use as part of their protection.

Basic technical controls like password protection are common in charities and businesses alike. Yet, charities lack the depth of controls, covering vulnerable areas like data storage and user activity.

Charity donate cybersecurity

Managing cyber risks

Charities have a great responsibility when it comes to cyber security. Not only do they process large amounts of data, they also regularly receive monetary donations and, depending on their clients, may process large amounts of ‘special category data’. According to the ICO (Information Commissioner’s Office), this describes any confidential data that needs extra protection, such as data concerning health.

Special category data and financial data is highly valuable, and therefore more likely to be targeted. Whilst a large variety of data may be processed by a smaller charity, they are less likely to identify or know when to report a breach.

However, 51% of high-income charities have reported a breach, which matches the pattern of larger businesses.

In the 2021 Cyber Security report, it was shown how charities have been targeted more frequently by ransomware attacks, viruses, spyware, and malware when compared with other businesses. This is because of the type of data they collect and store.

For example, the highly reported Blackbaud attack of 2020 affected thousands of supporters of charities and historic institutions across the UK. Among its victims were Crisis, a homeless charity, as well as other high-profile charities like Sue Ryder, Young Minds Myeloma UK, and more.

Steps charities can take to support cyber security

Regardless of size, charities have a responsibility with any data collected, stored, or transferred. This involves good cyber security practice, including risk assessments and regular patching.

BYOD security

Using personal devices involves risk, as the vulnerability to malware is managed by the user of the device. However, steps can be taken to secure the device, such as:

  1. Configuring ‘Find My Device’ or similar. This can be used to secure the device and erase it from your administrator panel. It can also help you find a lost or stolen device.
  2. Add Biometrics onto your device. Fingerprint is the most secure here, as Face ID can be bypassed.
  3. Ensure your device still has regular security patches released. If your device is old, then you will need to replace it to ensure security levels are maintained.
  4. Use a password management system to keep your passwords stored securely rather than on a notes page or similar.

Using Backups

While nothing sophisticated needs be used, cloud backups are not only useful in the case of a broken device, they also help to protect your data. If you’re not currently using a cloud system, it’s a virtual way of storing data rather than relying on physical storage, such as a USB stick. You send data to the cloud, which it holds, and when you want to access the data, you simply login and download it.

The increase in ransomware is blistering and backup is an essential risk mitigator. Having a good strategy for your backup, including holding physical offline copies, known as air gapping, is essential to keep your company running in case of ransom attacks.

Secure passwords to save data

Password creation and storage requires management and skill. Remembering multiple passwords can be a challenge, and therefore charities often use weaker passwords to make it easier to remember. Use a paid for password manager to help with this. Here at ramsac we use Password Boss to save passwords, both at an individual and a company level.

Outsourcing your cyber security

ramsac is an expert in cyber security and offers outsourced security and protection for charities, non-profits, and more. We know that charities often have complex requirements, and our specialist team is on hand to provide reliable support regardless of what you need.

Related Posts

  • Understanding the dangers of ‘Permission Creep’

    Understanding the dangers of ‘Permission Creep’


    This blog post explains what permission creep is, how it can expose sensitive data to unauthorised users, and what steps an organisation can take to prevent permission creep. [...]

    Read article

  • Using cybersecurity training to reduce an organisation’s risk of a cyberattack.

    Using cybersecurity training to reduce an organisation’s risk of a cyberattack.


    Cybersecurity training is an important tool for organisations to prevent and mitigate cyberattacks, we explore the types of training available to organisations. [...]

    Read article

  • The risks of ChatGPT, and the Rise of AI.

    The risks of ChatGPT, and the Rise of AI.


    Artificial intelligence (AI) is a game-changing technology in this blog we explore the risks and benefits of using AI-powered language models such as ChatGPT [...]

    Read article

  • How secure is MFA based on SMS and Voice calls?

    How secure is MFA based on SMS and Voice calls?


    In this blog ramsac's cybersecurity expert Voke Augoye explores how secure Multi-factor authentication is when using SMS and voice calls. [...]

    Read article

  • Microsoft Office – High Severity Vulnerability

    Microsoft Office – High Severity Vulnerability


    Earlier this month Microsoft announced there was a High Severity vulnerability affecting Microsoft Office products. In this blog we explain what the vulnerability is and how to protect against it. [...]

    Read article

  • EDR, MDR, XDR, SIEM, SOC – understanding the jargon in cybersecurity monitoring

    EDR, MDR, XDR, SIEM, SOC – understanding the jargon in cybersecurity monitoring


    The cybersecurity product market is full of acronyms which can make it hard to determine what security monitoring services you need, and what benefits you get from them, this [...]

    Read article