Managing Cyber Risk in Charities

Digital systems are now integral to how organisations operate, and with that dependence the threat posed by cybercriminals is ever increasing. Charities, like any other organisation, face a myriad of cyber threats, from phishing attacks to ransomware. The sensitive nature of the data they handle, including donor information and financial records, makes them prime targets for cybercriminals seeking to exploit vulnerabilities. Small charities operate with limited resources, which leaves them particularly exposed through inadequate cyber security infrastructure and awareness. For example, as stated in the NCSC Cyber Breaches Survey, 64% of charities report staff using their own devices, compared with 45% of businesses.

The potential fallout from a cyber incident, including reputational damage and loss of donor trust, can be particularly devastating for small charities. In such a landscape, it is imperative that charities recognise the latest cyber security threats. According to the NCSC Cyber Security Breaches Survey 2023, 24% of charities had been the victim of a data breach or cyber incident in the previous twelve months.

Common Cyber Risks Faced by Charities

Phishing Attacks

Cybercriminals often use phishing emails to trick charity employees into divulging sensitive information or unknowingly installing malware. The risk of phishing for small charities is heightened by the sector's inherent culture of trust, its outward-facing nature, its reliance on volunteers and the use of personal IT by staff members.

Ransomware

Ransomware can encrypt a charity's data, rendering it inaccessible until a ransom is paid, disrupting operations and causing financial losses. In September 2023, the ransomware gang BianLian reportedly stole 7Tb of data from Save The Children, including financial, health and medical data.

Weak Authentication Measures

Inadequate password practices and lack of multi-factor authentication can expose charities to the risk of unauthorized access to their systems and data.

Insider Threats

Disgruntled employees or volunteers may misuse their access privileges to compromise charity data or sabotage operations. Insider threats can also arise from a lack of appropriate training or awareness of cyber risks, increasing the likelihood of human error and accidents.

Supply Chain Risks

According to the Cyber Breaches Survey 2023, only 11% of charities have reviewed the cyber security risks posed by their immediate suppliers, and only 6% have reviewed the wider supply chain. It is especially common for smaller charities to outsource the management and security of their data to specialist support companies. In April 2023, a ransomware attack on a Londonderry IT company compromised the data of several charities and community organisations, including phone numbers and email addresses. Such attacks can expose a charity's vulnerable users to phishing attacks.

Steps to a Strong Cyber Security Posture

Conduct a Cyber Audit

Begin by assessing your charity's current cybersecurity posture. Identify potential vulnerabilities, such as outdated software, weak passwords, or lack of employee training, that could expose your organization to cyber threats.

Implement Employee Training and Awareness

Regular training sessions on identifying and mitigating cyber threats can empower charity staff to recognise potential risks and respond effectively, reducing the risk of insider threats.

Implement Strong Password Policies

Enforce strong password policies that require employees to use complex passwords and change them regularly. Consider implementing multi-factor authentication (MFA) to add an extra layer of security to your charity's accounts.

Data Encryption and Backup

Encrypting sensitive data and maintaining regular backups can mitigate the impact of ransomware attacks by ensuring data availability and integrity. Consider storing your data in multiple locations, both offsite and in the cloud, and regularly test your recovery processes.
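A backup only protects you if it can actually be restored intact, so "regularly test your recovery processes" is worth turning into a routine check. The script below is an added example written for this article, not code from PureCyber or from the original post. It records a SHA-256 manifest when a backup is taken, then performs a trial restore into a scratch directory and compares every restored file against that manifest, reporting files that are missing, corrupted or unexpected. The directory layout and the two small "donor records" files are constructed sample data; the `demo()` helper and its `corrupt` flag exist only to show the check catching a silently damaged backup copy.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def take_backup(source_dir, backup_dir):
    """Copy the live tree into backup_dir/data and write a manifest alongside it."""
    backup_dir = Path(backup_dir)
    shutil.copytree(source_dir, backup_dir / "data")
    manifest = build_manifest(source_dir)  # hash the live data, not the copy
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(backup_dir, restore_dir):
    """Trial-restore the backup and compare the result with the manifest.

    Returns (ok, problems); problems lists 'missing: ...', 'corrupted: ...'
    and 'unexpected: ...' entries, so an empty list means the restore matched.
    """
    backup_dir = Path(backup_dir)
    expected = json.loads((backup_dir / "manifest.json").read_text())
    shutil.copytree(backup_dir / "data", restore_dir)
    actual = build_manifest(restore_dir)

    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupted: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return (not problems, problems)


def demo(corrupt=False):
    """Constructed end-to-end run: back up two files, optionally damage the
    stored copy, then run the restore test. Returns verify_restore's result."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "finance").mkdir(parents=True)
        (live / "donors.csv").write_text("id,name,gift\n1,A. Donor,25\n")
        (live / "finance" / "ledger.csv").write_text("date,amount\n2023-09-01,100\n")

        take_backup(live, tmp / "backup")
        if corrupt:
            # Simulate silent damage to the stored copy (bad disk, half-written file)
            (tmp / "backup" / "data" / "donors.csv").write_text("id,name,gift\n")
        return verify_restore(tmp / "backup", tmp / "restore")


if __name__ == "__main__":
    for flag in (False, True):
        ok, problems = demo(corrupt=flag)
        print("restore ok" if ok else "restore FAILED", problems)
```

In practice the manifest should be kept somewhere the backup itself cannot overwrite (for example with the offsite copy the article recommends), otherwise ransomware that reaches the backup location can rewrite the manifest along with the data and the check would pass. The restore should also be exercised against each storage location in turn, since a cloud copy and an offsite drive can fail independently.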

Secure Your Network and Devices

Ensure that your charity's network and devices are properly secured with firewalls, antivirus software, and encryption protocols. Regularly update software and firmware to patch known vulnerabilities and protect against emerging threats.

Implement and Update Basic Controls

Implementing basic controls such as Cyber Essentials is a cost-effective way for charities to establish the necessary foundations for a strong cyber security posture. Cyber Essentials is a free, government-backed scheme that helps organisations start to think about cyber security. As a long-standing certification body for both the Cyber Essentials Standard and Cyber Essentials Plus accreditation, PureCyber have a history of working closely with customers to help them achieve this governance standard.

Effective Incident Response

Develop a comprehensive incident response plan outlining steps to take in the event of a cyber incident. Designate roles and responsibilities, establish communication protocols, and practice your incident response procedures through tabletop exercises.

Control Access

Review and update who has access to your sensitive data. Ensure access is only granted to those who require it.
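The access review above and the earlier point about weak authentication come down to the same routine question: who still holds access to sensitive data, and is that access protected and still justified? The script below is an added example written for this article, not code from PureCyber or the original post. It reads a constructed export of an access list (the kind of CSV an identity provider or file-share admin console can produce; real exports will have different column names) and flags four conditions worth a reviewer's attention: leavers whose accounts still hold group membership, accounts without MFA that can reach sensitive data, accounts that have not signed in for longer than a threshold, and accounts holding groups beyond what their role needs. The role-to-group table, the 90-day staleness threshold and the review date are all assumptions chosen for the example.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; users, roles and groups are illustrative only.
SAMPLE_ACCESS_EXPORT = """\
user,role,status,last_login,mfa_enabled,groups
alice@example-charity.org,Finance Officer,active,2024-03-01,yes,finance;donor-records
bob@example-charity.org,Volunteer,active,2023-10-12,no,donor-records
carol@example-charity.org,Fundraising Manager,active,2024-02-20,no,donor-records;finance
dave@example-charity.org,Volunteer,left,2024-01-15,yes,donor-records
erin@example-charity.org,Trustee,active,2024-02-28,yes,board-papers
"""

# Assumed policy: which groups hold sensitive data, and which groups each role
# needs for its job. Anything outside the role's set is flagged for review.
SENSITIVE_GROUPS = {"finance", "donor-records"}
ROLE_ALLOWED_GROUPS = {
    "Finance Officer": {"finance", "donor-records"},
    "Fundraising Manager": {"donor-records"},
    "Volunteer": set(),
    "Trustee": {"board-papers"},
}
STALE_AFTER_DAYS = 90                 # assumed threshold for an unused account
REVIEW_DATE = date(2024, 3, 15)       # fixed so the sample output is reproducible


def review_access(export_text, today):
    """Return a list of (user, issue, details) findings for a reviewer to action.

    Issues raised:
      leaver-still-has-access   status is not 'active' but groups remain
      no-mfa-on-sensitive-data  active, reaches a sensitive group, MFA off
      stale-account             active but no sign-in within STALE_AFTER_DAYS
      access-beyond-role        holds groups the role table does not grant
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"]
        groups = set(filter(None, row["groups"].split(";")))
        sensitive = groups & SENSITIVE_GROUPS
        last_login = date.fromisoformat(row["last_login"])

        # Leavers should have had all access removed at exit; anything left is a finding.
        if row["status"] != "active":
            if groups:
                findings.append((user, "leaver-still-has-access", sorted(groups)))
            continue

        if sensitive and row["mfa_enabled"].strip().lower() != "yes":
            findings.append((user, "no-mfa-on-sensitive-data", sorted(sensitive)))

        if today - last_login > timedelta(days=STALE_AFTER_DAYS):
            findings.append((user, "stale-account", [row["last_login"]]))

        # Unknown roles get an empty allowance, so all their groups are surfaced.
        excess = groups - ROLE_ALLOWED_GROUPS.get(row["role"], set())
        if excess:
            findings.append((user, "access-beyond-role", sorted(excess)))
    return findings


def findings_by_user(findings):
    """Group issue names per user so a reviewer sees one line per account."""
    summary = {}
    for user, issue, _details in findings:
        summary.setdefault(user, []).append(issue)
    return summary


if __name__ == "__main__":
    for user, issue, details in review_access(SAMPLE_ACCESS_EXPORT, REVIEW_DATE):
        print(f"{user:32} {issue:26} {', '.join(details)}")
```

Run against the sample, the script leaves the finance officer and the trustee alone and surfaces six findings across the other three accounts, including the volunteer who left in January but still sits in the donor-records group. The output is a worklist, not an automatic revocation: each finding should be confirmed with the account's manager before access is removed, and the role table should be reviewed whenever job descriptions change.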

Third-Party Risk Management

Charities should vet and monitor third-party vendors handling their data to ensure they adhere to stringent cyber security standards and protocols.

In an increasingly digitised world, managing cyber risks is paramount for charities to safeguard their operations, reputation, and the sensitive data they handle. By understanding the evolving cyber threat landscape and implementing proactive cybersecurity measures, charities can mitigate risks effectively and continue their important work without falling prey to cybercriminals. At PureCyber we cannot stress enough the importance of adopting robust cybersecurity practices for charities to ensure their sustainability and resilience in the face of evolving cyber threats.

To explore PureCyber’s subscription options click here or use the link below to get in touch with our cyber experts with any questions.

Sources

www.gov.uk
