Cyber security for charities - Click and Protect

Like any other organisation, charities have information assets to protect. Often, they have less money to spend on protection and are staffed largely, if not entirely, by volunteers.

If you work for a charity, this means you have some additional challenges to overcome too, but improving the cyber security defences protecting a charity, isn’t an impossible task.

Bring Your Own Device (BYOD)

Many charities rely on volunteers using their own devices to carry out work on behalf of the charity: 67% of charities, according to the DCMS Cyber Security Breaches Survey 2021 (Cyber Security Breaches Survey 2021 (publishing.service.gov.uk))

If it isn’t possible to supply volunteers with equipment for financial reasons, then the charity should have a strong BYOD policy in place.

In particular, you should insist that devices are automatically locked if not used for a few minutes, password protected (ideally with multi-factor authentication) and that software is updated to the latest versions and includes security software.

If finances allow, consider using a mobile device management system to enable remote management of the devices. For example, the ability to wipe data remotely, if the device is lost or stolen.

Data Protection

Charities are likely to hold information about supporters, their volunteers (and any staff) and possibly about clients, depending on their mission. Like any other organisation, charities need to abide by the data protection laws to ensure that this information is as secure as possible.

Attackers don’t ‘go easy’ on charities because of their good work: the ICO received over 530 reports of incidents in the last year. Note that this figure is based on the number of reports made by data controllers, not necessarily the number of incidents (not all incidents must be reported). Data security incident trends | ICO

Make sure that you understand the data protection requirements and step through the information security checklist, to see where you could make improvements. Information security checklist | ICO

Staff training

All staff, voluntary or paid, should receive security awareness training, because attackers don’t care whether their target is being paid or not. And yet only 18% of charities train their staff in cyber security (Cyber Security Breaches Survey 2021 (publishing.service.gov.uk)

For example, the most common cyber-attack on charities are phishing email attacks. So, teaching staff how to spot a phishing email, should help reduce the phishing risk.

But there are other areas of security to train staff in too. Even something as simple as failing to ‘BCC’ correctly in an email, and thereby revealing personal information. This can result in a fine from the ICO, as HIV Scotland discovered late last year (ICO warning after Scottish charity reveals personal data in email error | ICO).

You could start with this short training session for staff, provided by the National Cyber Security Centre. Top tips for staff – Overview (ncsc.gov.uk)

Supply chain

Depending on their size, charities may well be using third parties to provide some of the day-to-day operational processes needed to run the charity, such as; HR and IT, accounting, cloud services and data storage.

Like any other organisation, the risk here is that if one of the third-party providers suffers a cyber-attack, the charity’s data may be at risk. Only 8% of charities have reviewed these third-party risks (Cyber Security Breaches Survey 2021 (publishing.service.gov.uk).

This may take some time, but you could begin by reading the NCSC’s supply chain security guidance: Supply chain security guidance – NCSC.GOV.UK.

Insider threat and Covid-19

According to the Fraud Advisory Panel, fraud has increased by as much as 40% during the pandemic, and charities are at particular risk. This is typically because of excessive trust: those working in charities are highly committed to that charity’s aims, and find it impossible to consider that colleagues might not be.

Not only has the amount of cybercrime gone up, but so has the level of insider fraud as staff and volunteers come under increased financial pressure as a result of the pandemic. Often, too, there are insufficient controls in place, especially as people have been working from home. (https://preventcharityfraud.org.uk/).

It is important to have strong controls in place, including pre-screening, staff training and awareness, and to develop strong governance.

Call Click and Protect on 0113 733 6230 to talk about how we can help your charity to strengthen its cyber security defence.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Bring Your Own Device (BYOD)

Data Protection

Staff training

Supply chain

Insider threat and Covid-19

You might also be interested in: