Cyber Security in the Charity Sector
According to the Covid-19 Voluntary Sector Impact Barometer, 81% of non-profit organisations surveyed said they have changed the way they use digital technology as a result of the pandemic. Whether it’s processing donations online, delivering services digitally or using social media to create outreach, charities have undergone unprecedented digital transformation.
While it is true that two thirds of charities are now delivering their services remotely and have therefore increased their risk, it is also true that over half of charities do not have a digital strategy in place.
Charities are hit by cyber-attacks almost as frequently as commercial businesses. The Cyber Security Breaches Survey 2021 states that just over a quarter (26%) of charities reported they had experienced a cyber breach in the last six months. The rapid evolution of digital service delivery and fundraising has been vital for charities’ survival; it is now imperative that they start seriously addressing some of the online threats they face.
Lack of expertise and lack of awareness
Charity IT systems are likely to be less sophisticated (and older) than those of other businesses, and attackers know this. Yet charities often lack the expertise to recognise just how vulnerable they are. The Charity Commission Annual Report 2019-2020 showed that there is a gap in awareness between the cyber risk charities face and the cyber measures actually put in place. Around 85% of charities in the report thought they were doing everything they could to stop a security breach, but almost half of these didn’t have good-practice measures in place.
Trust is the most important thing a charity can build
Unlike many organisations, charities are much more than the profit they generate. While financial loss can be debilitating, cyber-attacks can also damage reputation and trust. A charity database may hold sensitive personal information such as IDs, names, phone numbers, credit card details and tax records. This data is attractive to cyber attackers because it can be sold quickly or used to identify other targets. Charities are literally sitting on a data treasure trove.
According to the 2021 Charity Commission report, during the COVID-19 pandemic, public trust in charities rose. While public expectations of charities have not changed, public perception of the relevance of charities has risen. This shows that in times of crisis, charities are organisations that are still seen as vitally helpful and trustworthy. This high regard can easily be damaged by a cyber-attack or data breach.
The rise of remote working means there are more devices and platforms with less control
Remote working in the charity sector is tied to the increased use of technology, in particular cloud-based platforms. According to the Covid-19 Voluntary Sector Impact Barometer, 82% of non-profits have doubled the use of personal devices through the pandemic. Charities, especially low-income charities, rely on the use of personal devices more than businesses, including both mobile phones and laptops. Even with company-owned devices, charities are less likely than other businesses to have implemented security controls.
Many charities have found the cloud helpful for delivering services remotely. Using cloud platforms to manage their own cyber security systems is attractive to smaller organisations and charities that lack IT expertise, and helpful for organisations with a mix of office and remote staff. The National Cyber Security Centre has previously issued guidance around charities’ use of cloud-based solutions. The main security concern is not whether the cloud itself is secure, but rather ensuring that it has been set up securely within your charity. Outsourcing cyber security does not address the fundamental lack of awareness and expertise within the organisation itself.
Responsibility for maintaining trust
Public trust in charities is not just a question of reputation. These are organisations that provide safeguarding and duty of care services, as well as having key roles in the community from arts to conservation. The Charity Commission 2021 research showed that most trustees recognise the importance of taking public expectations into account and feel a collective responsibility to uphold the sector’s reputation.
In the present, digital, post-Covid age, trust and cyber security are interwoven. By achieving a basic-level, Government-endorsed certification like Cyber Essentials, a charity can show its commitment to cyber security and demonstrate that it values customer data.
Charities can get started on their journey by accessing the free Cyber Essentials Readiness Tool, developed on behalf of the National Cyber Security Centre by IASME.
The Readiness Tool is an interactive set of questions that addresses different parts of your organisation’s security. Advice and guidance is available specifically for those in the charity sector, and a step-by-step action plan is tailored to your requirements based on your answers to the questions. You will receive specific help in the areas that you need to address in order to achieve Cyber Essentials.
Look out for charity cyber security awareness week on 8th November. IASME, in partnership with selected Certification Bodies around the UK, will be offering support and guidance as well as a discount on the price of certification to help charities gain Cyber Essentials.