Charities - A big target for cyber-criminals?

James Arthur

Many charities, particularly smaller ones, do not realise the value that the personal, financial, commercial and other data they hold has to cybercriminals.

Charities typically do not perceive themselves as targets. Yet 44% hold personal data on customers, beneficiaries or donors electronically. And 30% of these charities have experienced breaches or attacks [1]. In fact, charities reported 137 data security incidents to the ICO in the first quarter of 2018/19. This is more than a six-fold increase from the previous year, an indication that the threat towards the industry is growing at an exponential rate.

Tightening security

Charities should actively consider how they can avoid being an easy target for attackers. The culture of openness makes charities more vulnerable to cyber fraud and extortion, ranging from ransomware and malware to data breaches and phishing. As charities become increasingly reliant on online services, their exposure to attacks grows, risking serious financial and reputational consequences. Investment in cyber security has therefore never been as pressing as it is now.

But smaller charities may not consider it a priority to commit resources to cyber protection, instead believing cyber security to be an expensive overhead that will divert money away from the frontline. Or they may not fully understand the threat. Regardless, they have the same duty of care as any other business to safeguard their information. While it is not surprising that charities want to spend scarce resources on fighting poverty or housing the homeless, some argue that those very services could be at risk if they fail to invest in cyber security tools and practices.

Worth the investment

Cyber security doesn’t need to be overly complicated or vastly expensive.

Some examples of simple and effective solutions include:

  • a simple health check that informs a charity’s risk management process in line with the National Cyber Security Centre's 10 Steps to Cyber Security
  • vulnerability scans that identify whether sensitive information is leaking
  • implementing training and awareness among staff.

There is a range of solutions from a number of providers but, no matter how much charities pay, there are no options that eliminate 100% of the risk. Charities must employ a pragmatic, balanced and focused approach to cyber security. Not only will this help them respond to the constantly evolving threat landscape, mitigating the risk from increasing levels of cybercrime, it will also go a long way to meeting data protection obligations.

If you would like to discuss this further, please contact James Arthur.


[1] National Cyber Security Centre - 10 Steps to Cyber Security
