News

26% of charities reported a cyber breach in the last six months. 23% of these charities experienced an attack at least once a week. 81% of non-profit organisations have changed the way they use technology due to the pandemic.

Cyber Security in the Charity Sector

According to the Covid-19 Voluntary Sector Impact Barometer, 81% of non-profit organisations surveyed said they have changed the way they use digital technology as a result of the pandemic. Whether it’s processing donations online, delivering services digitally or using social media to create outreach, charities have undergone unprecedented digital transformation.

While it is true that two thirds of charities are now delivering their services remotely and have therefore increased their risk, it is also true that over half of charities do not have a digital strategy in place.

Charities are hit by cyber-attacks almost as frequently as commercial businesses. The Cyber Security Breaches Survey 2021 states that just over a quarter (26%) of charities reported they had experienced a cyber breach in the last six months. The rapid evolution of digital service delivery and fundraising has been vital for charities’ survival, it is now imperative that they start seriously addressing some of the online threats they face.

Lack of expertise and lack of awareness
Charity IT systems are likely to be less sophisticated (and older) than those of other businesses, and attackers know this. Yet charities often lack the expertise to recognise just how vulnerable they are. The Charity Commission Annual Report 2019-2020 showed that there is a gap in awareness between the cyber risk charities face and the cyber measures actually put in place. Around 85% of charities in the report thought they were doing everything they could to stop a security breach, but almost half of these didn’t have good-practice measures in place.

Trust is the most important thing a charity can build
Unlike many organisations, charities are much more than the profit they generate. While financial loss can be debilitating, cyber-attacks can also damage reputation and trust. There is sensitive information in a charity database that may include sensitive personal information such as IDs, names, phone numbers, credit card details and tax records. These are attractive to cyber attackers as this data can be sold quickly or can be used to identify other targets. Charities are literally sitting on a data treasure trove.

According to the 2021 Charity Commission report, during the COVID-19 pandemic, public trust in charities rose. While public expectations of charities have not changed, public perception of the relevance of charities has risen. This shows that in times of crisis, charities are organisations that are still seen as vitally helpful and trustworthy. This high regard can easily be damaged by a cyber-attack or data breach.

The rise of remote working means there are more devices and platforms with less control.
Remote working in the charity sector is tied to the increased use of technology, in particular cloud-based platforms. According to the Covid-19 Voluntary Sector Impact Barometer, 82% of non-profits have doubled the use of personal devices through the pandemic. Charities, especially low-income charities, rely on the use of personal devices more than businesses, including both mobile phones and laptops. Even with company owned devices, charities are less likely than other businesses to have implemented security controls.

Many charities have found the cloud network to be helpful to deliver services remotely. It is attractive to smaller organisations and charities that are lacking in IT expertise to use cloud platforms to manage their own cyber security systems, as well as helpful for organisations with a range of office and remote staff. The National Cyber Security Centre has previously issued guidance around charities’ use of cloud-based solutions. The main security concern is not whether the cloud itself is secure, but rather ensuring that it has been set up securely within your charity. Outsourcing cyber security does not address the fundamental lack of awareness and expertise within the organisation itself.

Responsibility for maintaining trust
Public trust in charities is not just a question of reputation. These are organisations that provide safeguarding and duty of care services, as well as having key roles in the community from arts to conservation. The Charity Commission 2021 research showed that most trustees recognise the importance of taking public expectations into account and feel a collective responsibility to uphold the sector’s reputation.

What is Cyber Essentials and how can it help?

In the present, digital, post-covid age, trust and cyber security are interwoven. By achieving a basic level, Government endorsed certification like Cyber Essentials, a charity can show its commitment to cyber security and demonstrate that it values customer data.

Charities can get started on their journey by accessing the free Cyber Essentials Readiness Tool, developed on behalf of the National Cyber Security Centre by IASME.
The Readiness tool is an interactive set of questions that addresses different parts of your organisation’s security. Advice and guidance is available specifically for those in the charity sector and a step by step action plan is tailored to your requirements based on your answers to the questions. You will receive specific help in the areas that you need to address in order to achieve Cyber Essentials.

Related content

Scottish #ScamWatch Week 2021

#ScamWatch Week 2021 – 30th August – 5th September With information being more readily available online, and methods of contact being more accessible, scammers are in a better position than ever to engage with us. The more vulnerable members of […]

Cyber Security Advice for Students

Technology will play a key role in your learning, from taking notes, doing research, writing essays, attending classes or just communicating with classmates or teachers. Here are some helpful tips to keep you secure online.

Developing An Incident Response Plan

Developing an incident response plan is a critical step towards preparing a robust and effective incident management and technical response capability. Good incident management will help reduce the financial and operational impact on your business.

Back to top of the page