Cybersecurity for charities: managing risks
Posted on September 9, 2021 by James Haigh
Cybercriminals are opportunists, and charities often lack the resources to remain protected against the latest threats and risks online. Like all businesses, charities are increasingly reliant on IT to perform everyday tasks. But charities without a dedicated IT policy and less protection can be left vulnerable to malicious attacks.
In 2020, 26% of charities identified a cybersecurity breach. This has increased since 2018, where only 19% of charities reported a breach. The magnitude of an attack can range from data theft to financial information being stolen, amongst other risks.
So, what steps can charities take to ensure the safety of their data, including funds, donations, and employee information?
Main cybersecurity concerns for charities in 2021
Observed in the UK government’s Cyber Security Breaches Survey 2021, some major cybersecurity concerns for charities were identified.
1) Personal devices are used more frequently
BYOD (or Bring Your Own Device) involves using personal devices for work purposes, including laptops or phones. In charities that have casual working environments, this kind of policy is more relaxed. In fact, the report noticed BYOD has “historically been more prevalent in charities than in businesses”. This is even more common in charities where there is limited office space, resources, and budget.
In the 2021 Cyber Security survey, 67% of charities said staff regularly use their own device, and this is a growing trend in smaller charities.
2) Supplier risk awareness
Only a quarter of high-income (annual income of £500,000 or greater) charities had looked at the risks from immediate suppliers, and one in nine have looked at their wider supply chain. Charities overall show a lower risk awareness from suppliers, including immediate and wider supply chains. These kinds of risks vary from third-party access over IT systems to phishing attacks or viruses that originate from a supplier.
As charities tend to work with governing authorities such as local councils, they may assume they are safe. But supplier risks still pose a great threat to the security of a charity.
3) Backing up of data
Whereas 89% of businesses have some form of backup plan in place, only 68% of charities had a similar policy, despite over a third of charities holding payment data or similar. This demonstrates how charities are often lacking the technical cyber security controls that other businesses use as part of their protection.
Basic technical controls like password protection are common in charities and businesses alike. Yet, charities lack the depth of controls, covering vulnerable areas like data storage and user activity.
Managing cyber risks
Charities have a great responsibility when it comes to cyber security. Not only do they process large amounts of data, they also regularly receive monetary donations and, depending on their clients, may process large amounts of ‘special category data’. According to the ICO (Information Commissioner’s Office), this describes any confidential data that needs extra protection, such as data concerning health.
Special category data and financial data is highly valuable, and therefore more likely to be targeted. Whilst a large variety of data may be processed by a smaller charity, they are less likely to identify or know when to report a breach.
However, 51% of high-income charities have reported a breach, which matches the pattern of larger businesses.
In the 2021 Cyber Security report, it was shown how charities have been targeted more frequently by ransomware attacks, viruses, spyware, and malware when compared with other businesses. This is because of the type of data they collect and store.
For example, the highly reported Blackbaud attack of 2020 affected thousands of supporters of charities and historic institutions across the UK. Among its victims were Crisis, a homeless charity, as well as other high-profile charities like Sue Ryder, Young Minds Myeloma UK, and more.
Steps charities can take to support cyber security
Regardless of size, charities have a responsibility with any data collected, stored, or transferred. This involves good cyber security practice, including risk assessments and regular patching.
Using personal devices involves risk, as the vulnerability to malware is managed by the user of the device. However, steps can be taken to secure the device, such as:
- Configuring ‘Find My Device’ or similar. This can be used to secure the device and erase it from your administrator panel. It can also help you find a lost or stolen device.
- Add Biometrics onto your device. Fingerprint is the most secure here, as Face ID can be bypassed.
- Ensure your device still has regular security patches released. If your device is old, then you will need to replace it to ensure security levels are maintained.
- Use a password management system to keep your passwords stored securely rather than on a notes page or similar.
While nothing sophisticated needs be used, cloud backups are not only useful in the case of a broken device, they also help to protect your data. If you’re not currently using a cloud system, it’s a virtual way of storing data rather than relying on physical storage, such as a USB stick. You send data to the cloud, which it holds, and when you want to access the data, you simply login and download it.
The increase in ransomware is blistering and backup is an essential risk mitigator. Having a good strategy for your backup, including holding physical offline copies, known as air gapping, is essential to keep your company running in case of ransom attacks.
Secure passwords to save data
Password creation and storage requires management and skill. Remembering multiple passwords can be a challenge, and therefore charities often use weaker passwords to make it easier to remember. Use a paid for password manager to help with this. Here at ramsac we use Password Boss to save passwords, both at an individual and a company level.
Outsourcing your cyber security
ramsac is an expert in cyber security and offers outsourced security and protection for charities, non-profits, and more. We know that charities often have complex requirements, and our specialist team is on hand to provide reliable support regardless of what you need.