Cyber security risks for charities
The most recent Government Cyber Security Breaches Survey highlighted some interesting findings regarding charities and their cyber risk. Charities were reported as having the highest proportion of staff using their own devices to carry out their roles (64% vs 45% of businesses overall), and only 26% of charities have board members or trustees responsible for cyber security (vs 34% of businesses). Add to this that charities reported the lowest overall incidence of seeking external support and guidance (41%), and there is a significant amount of risk facing our region’s charity sector.
The intention is not to paint a negative picture of charities; it’s to highlight the challenges they face and the importance of ensuring they receive the support they deserve in protecting everything they do for the most vulnerable people and those in need across the region. Sadly, charities small and large are not immune from the complexities commercial organisations face and the challenges management structures pose regarding decision making. In fact, charities are more likely to find themselves having to make a decision about systems, processes and tech investments alongside developing services to support more people. Not a comfortable place to be. So, let’s explore some of the security risks within charities.
Charities hold a large amount of information. Alongside more common personal information, there is often data that is unique to an individual’s relationship with the charity and not shared with other organisations across the person’s life. This unique combination can make such information an attractive target for cyber criminals, who unfortunately are increasingly targeting charities. Because the information one charity holds about a person is often sensitive, it is not made accessible to other organisations, which further highlights why it must be kept secure so that service users feel secure in what they share.
Beyond this unique blend of information, charities often conduct research to understand what services they should be offering and how best to do this. The information gathered in this process can be very sensitive and also of real value in developing the organisation and accessing funding sources, thus creating another target for cyber criminals. Also, because most people working within charities are trusting and accepting, and the working environment and culture are the same, charities are fertile ground for social engineering campaigns.
Arguably one of the most critical data and information assets within a charity is donor, funder and supporter information, which will include sensitive financial information and banking details. Add to this that the money held by charities is often hard earned or entrusted to them by donors, supporters and funding bodies, and you have a very appealing target which must be protected from direct attacks and more targeted phishing campaigns and invoice fraud.
Because they often operate with a blend of employed staff and volunteers, there is a significant human risk element in charities, possibly more so than in other organisations. The challenge here is to ensure that all people working within the charity have the same minimum levels of cyber and information security awareness. Cyber security training can be accessed both online and in person, and can be free of charge or a paid investment, all depending on what the organisation deems it needs to do in order to increase awareness and ensure it’s put into practice to protect the hard work of all involved in the charity.
One final thought for those of you working in charities: data and information security isn’t all about systems being compromised and attacked. With charities often using spreadsheets and paper files due to resourcing and time pressures, and also the costs of implementing and maintaining systems, physical security must be given some consideration. Whether this is about ensuring that offices aren’t easily accessed by people, or that physical assets containing important information are securely stored, there is a responsibility to protect this information and ideally use this situation as the impetus to build a cyber security plan which helps mitigate such significant risks.
Getting support from the range of resources out there that can provide quick insights and help you understand and plan what you need regarding cyber security can be overwhelming. We would suggest starting with this great overview of what’s available from the Eastern Cyber Resilience Centre or heading over to the Small Charity Guide from the National Cyber Security Centre.
If you want to know where to get more cyber security support for your charity, get in touch with Cyber East today and we will make sure you speak with the right people. You can also come along to our next event to learn how to better protect your organisation.