Cybersecurity for charities: managing risks

ramsac charity cybersecurity

Cybercriminals are opportunists, and charities often lack the resources to remain protected against the latest threats and risks online. Like all businesses, charities are increasingly reliant on IT to perform everyday tasks. But charities without a dedicated IT policy and less protection can be left vulnerable to malicious attacks.

In 2020, 26% of charities identified a cybersecurity breach. This has increased since 2018, where only 19% of charities reported a breach. The magnitude of an attack can range from data theft to financial information being stolen, amongst other risks.

So, what steps can charities take to ensure the safety of their data, including funds, donations, and employee information?

Main cybersecurity concerns for charities in 2021

Observed in the UK government’s Cyber Security Breaches Survey 2021, some major cybersecurity concerns for charities were identified.

1) Personal devices are used more frequently

BYOD (or Bring Your Own Device) involves using personal devices for work purposes, including laptops or phones. In charities that have casual working environments, this kind of policy is more relaxed. In fact, the report noticed BYOD has “historically been more prevalent in charities than in businesses”. This is even more common in charities where there is limited office space, resources, and budget.

In the 2021 Cyber Security survey, 67% of charities said staff regularly use their own device, and this is a growing trend in smaller charities.

2) Supplier risk awareness

Only a quarter of high-income (annual income of £500,000 or greater) charities had looked at the risks from immediate suppliers, and one in nine have looked at their wider supply chain. Charities overall show a lower risk awareness from suppliers, including immediate and wider supply chains. These kinds of risks vary from third-party access over IT systems to phishing attacks or viruses that originate from a supplier.

As charities tend to work with governing authorities such as local councils, they may assume they are safe. But supplier risks still pose a great threat to the security of a charity.

3) Backing up of data

Whereas 89% of businesses have some form of backup plan in place, only 68% of charities had a similar policy, despite over a third of charities holding payment data or similar. This demonstrates how charities are often lacking the technical cyber security controls that other businesses use as part of their protection.

Basic technical controls like password protection are common in charities and businesses alike. Yet, charities lack the depth of controls, covering vulnerable areas like data storage and user activity.

Charity donate cybersecurity

Managing cyber risks

Charities have a great responsibility when it comes to cyber security. Not only do they process large amounts of data, they also regularly receive monetary donations and, depending on their clients, may process large amounts of ‘special category data’. According to the ICO (Information Commissioner’s Office), this describes any confidential data that needs extra protection, such as data concerning health.

Special category data and financial data is highly valuable, and therefore more likely to be targeted. Whilst a large variety of data may be processed by a smaller charity, they are less likely to identify or know when to report a breach.

However, 51% of high-income charities have reported a breach, which matches the pattern of larger businesses.

In the 2021 Cyber Security report, it was shown how charities have been targeted more frequently by ransomware attacks, viruses, spyware, and malware when compared with other businesses. This is because of the type of data they collect and store.

For example, the highly reported Blackbaud attack of 2020 affected thousands of supporters of charities and historic institutions across the UK. Among its victims were Crisis, a homeless charity, as well as other high-profile charities like Sue Ryder, Young Minds Myeloma UK, and more.

Steps charities can take to support cyber security

Regardless of size, charities have a responsibility with any data collected, stored, or transferred. This involves good cyber security practice, including risk assessments and regular patching.

BYOD security

Using personal devices involves risk, as the vulnerability to malware is managed by the user of the device. However, steps can be taken to secure the device, such as:

  1. Configuring ‘Find My Device’ or similar. This can be used to secure the device and erase it from your administrator panel. It can also help you find a lost or stolen device.
  2. Add Biometrics onto your device. Fingerprint is the most secure here, as Face ID can be bypassed.
  3. Ensure your device still has regular security patches released. If your device is old, then you will need to replace it to ensure security levels are maintained.
  4. Use a password management system to keep your passwords stored securely rather than on a notes page or similar.

Using Backups

While nothing sophisticated needs be used, cloud backups are not only useful in the case of a broken device, they also help to protect your data. If you’re not currently using a cloud system, it’s a virtual way of storing data rather than relying on physical storage, such as a USB stick. You send data to the cloud, which it holds, and when you want to access the data, you simply login and download it.

The increase in ransomware is blistering and backup is an essential risk mitigator. Having a good strategy for your backup, including holding physical offline copies, known as air gapping, is essential to keep your company running in case of ransom attacks.

Secure passwords to save data

Password creation and storage requires management and skill. Remembering multiple passwords can be a challenge, and therefore charities often use weaker passwords to make it easier to remember. Use a paid for password manager to help with this. Here at ramsac we use Password Boss to save passwords, both at an individual and a company level.

Outsourcing your cyber security

ramsac is an expert in cyber security and offers outsourced security and protection for charities, non-profits, and more. We know that charities often have complex requirements, and our specialist team is on hand to provide reliable support regardless of what you need.

Related Posts

  • What is Zero Trust security and where should you start?

    What is Zero Trust security and where should you start?

    Cybersecurity

    Zero Trust security removes assumptions about trusting a user, even when they're inside your network. This means users and devices must be verified. Read here. [...]

    Read article

  • Why are charities increasingly being attacked by cyber criminals? 

    Why are charities increasingly being attacked by cyber criminals? 

    Cybersecurity

    More than a quarter of charities were reportedly the target of cybercrimes in the last year alone. But why are charities increasingly the victims of cyberattacks? Find out here… [...]

    Read article

  • Introducing the Cyber Resilience Certification from ramsac

    Introducing the Cyber Resilience Certification from ramsac

    Cybersecurity

    ramsac is committed to helping organisations to protect themselves against cybercrime, to help organisations understand where they are on their cyber resilience journey, we have created the ramsac cyber [...]

    Read article

  • How aware are you when it comes to social engineering?

    How aware are you when it comes to social engineering?

    Cybersecurity

    Cybercrime is huge; indeed, no other criminal activity is quite so lucrative, thus it is imperative that you prepare and protect both your business and your personal life to [...]

    Read article

  • Common telephone cybersecurity risks for businesses

    Common telephone cybersecurity risks for businesses

    Cybersecurity

    Companies are at risk from telephone hacks every day. Discover what common tactics are, and how you can prevent them. [...]

    Read article

  • Is Russian based Kaspersky Anti-virus a threat?

    Is Russian based Kaspersky Anti-virus a threat?

    Cybersecurity

    Kaspersky is a russian based anti-virus, in this blog we explore the NCSC latest advice for organisations using Russian – nexus products and services [...]

    Read article