Protecting a charity against the risk of cyber attack is an important part of a charity trustee’s duties.

The GDPR and Data Protection Act 2018 also require charities to take “appropriate” steps to keep any personal data they hold secure.

This blog considers the key cyber risks for charities and how these risks can be mitigated.


The threat landscape

The previous 12 months have seen an increase in cyber incidents targeting charities. The National Cyber Security Centre (NCSC) reported an increase in phishing attempts, with 785,000 cyber crimes committed against UK charities. 24% of charities recalled a cyber breach or attack; 8% of charities experienced cyber crime; and 1% of charities became fraud victims as a result of cyber crime.

These statistics are slightly lower than the figures reported for businesses in the private sector. However, the consequences of a cyber attack are often more keenly felt by charities, given the sensitive data they hold, the vital services they provide to users, and the ever-present constraints on resources.

Why are charities at particular risk?

Lack of IT and technology monitoring:

Post-covid, charities, like other organisations, have adapted to new ways of working. Increased home working and use of personal devices pose specific security challenges, in contrast to a more traditional office setting. 64% of charities report their staff regularly using their own devices vs. 45% of businesses. It is more difficult to monitor and control the security of these devices, the way in which those devices are being used, and the way in which data is being stored and handled.

Wealth of personal data held:

By their nature, charities are likely to hold sensitive information. This makes them an attractive target for hackers looking to use ransomware. Depending on the work of the charity, it may also be a particular target for hacktivists looking to disrupt its activities without necessarily seeking financial gain.

Resourcing constraints:

Many charities simply don’t have the financial or human resources to implement sophisticated security measures in the same way as large commercial organisations. Understandably, there will be pressure to focus resources on front-line charity work, so there may be a reluctance at board level to invest in cyber security.

High staff turnover:

Charities are more likely to have a high turnover of staff than other organisations, particularly given their reliance on volunteers. This can make it difficult to properly embed good cyber hygiene throughout the organisation, and it can be a challenge to ensure that all members of staff are up to speed with best practice and understand their obligations with regard to data privacy and cyber security.

How to strengthen your security position

Understand your data:

As an essential first step, you must understand what data you hold and where. If you suffer a cyber attack, it will be crucial to understand quickly what data has been affected in order to manage your response. This mapping exercise can be quite revealing, and often highlights that you are holding information which is no longer needed (and which should be deleted). If there are any specific batches of data which are more sensitive or valuable, consider applying additional levels of protection to that data.
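A data-mapping exercise is usually a spreadsheet and a series of conversations, but a first pass over a shared drive can be automated. The script below is an added example, not part of the original post and not a tool the firm provides: it walks a folder tree, flags files that appear to contain personal data (email addresses, UK phone numbers, National Insurance numbers, using deliberately simple patterns) and files that have not been touched within an assumed two-year retention window, so the "what do we hold, where, and what should go" questions get concrete answers. The sample files, the patterns and the retention threshold are all constructed assumptions for illustration.

```python
"""Added example: a minimal data-mapping scan for a charity's shared drive.

Walks a directory tree and reports files that look like they contain personal
data and files untouched beyond a retention window. The detection patterns and
the retention threshold are illustrative assumptions, not from the original post.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

RETENTION_DAYS = 730  # assumption: review anything untouched for two years

# Simple indicators of personal data. A real exercise would tune and extend these.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "uk_phone": re.compile(r"\b0\d{4}\s?\d{6}\b"),
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
}


@dataclass
class Finding:
    path: str                                 # path relative to the scanned root
    indicators: list = field(default_factory=list)  # which personal-data patterns matched
    age_days: int = 0                         # days since last modification
    stale: bool = False                       # older than the retention window


def classify_text(text):
    """Return the names of the personal-data patterns found in the text."""
    return [name for name, rx in PATTERNS.items() if rx.search(text)]


def inventory(root, now=None, retention_days=RETENTION_DAYS):
    """Scan every regular file under root; report those with personal data or that are stale."""
    now = time.time() if now is None else now
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        age_days = int((now - path.stat().st_mtime) // 86400)
        indicators = classify_text(text)
        stale = age_days > retention_days
        if indicators or stale:
            findings.append(Finding(path.relative_to(root).as_posix(), indicators, age_days, stale))
    return findings


# Constructed sample files: (content, age in days). None of these are real records.
SAMPLE_FILES = {
    "donors/2019-gala-list.csv": ("name,email\nA Donor,a.donor@example.org\n", 1000),
    "volunteers/current-rota.txt": ("J Volunteer 01234 567890\n", 5),
    "minutes/agenda.txt": ("1. Apologies\n2. Finance report\n", 3),
    "hr/leaver-ni.txt": ("NI: AB123456C\n", 900),
}


def demo():
    """Build the constructed sample tree in a temp dir, scan it, and return findings by path."""
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        for rel, (content, age) in SAMPLE_FILES.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
            mtime = now - age * 86400
            os.utime(p, (mtime, mtime))  # backdate so the retention check has something to find
        return {f.path: f for f in inventory(tmp, now=now)}


if __name__ == "__main__":
    for path, f in demo().items():
        print(f"{path}: indicators={f.indicators} age={f.age_days}d stale={f.stale}")
```

Point the `inventory` function at a real share instead of the constructed sample and the output becomes the starting list for the mapping spreadsheet: every flagged path needs an owner, a reason for keeping it, and a retention date, or it is a candidate for deletion. The agenda file in the sample is not reported because it contains no personal data and is recent, which is the behaviour you want from a first-pass filter.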

Protect your key assets:

Identify the assets which you simply couldn’t operate without. This might be your website, your payroll systems, or your communications platforms. Consider what might need enhanced protection to ensure that you are able to operate in the event that your systems are breached.

Consider technical security measures:

Cyber protection need not be expensive, but it should provide a level of protection which is appropriate to the data you hold and the activities you carry out. Some key protections which you should consider are:

  • Updated malware protection and regular application of patches
  • Cloud back-ups
  • Passwords
  • Multi-factor authentication
  • Restricted admin rights
  • Network firewalls
  • Network segmentation

For smaller organisations, we recommend the NCSC’s Small Charity Guide, which offers some advice on how to quickly and easily improve cyber security at a low cost.

Develop and test your incident response plan:

Identify ahead of time who has ultimate responsibility for cyber security in your organisation, and make sure that this is clear to all staff.

An incident response plan (IRP) is a highly effective tool to respond to threats swiftly and effectively, and can help contain the incident at the earliest possible stage. It should identify all of the key team members who should be involved in dealing with the response (including any external service providers like forensic IT experts and legal advisers) and outline the steps to be followed. This would include how to maintain essential operations in the event of a system shutdown, which could mean returning to paper-based systems in the short term and using alternative methods of communication.

The IRP should be kept up to date, be readily available, and be regularly tested. Cyber drills should be as second nature as fire drills. Testing your response allows you to identify any weaknesses ahead of time, and remedy these before any actual incident.

Cyber insurance

Only 22% of charities have cyber security coverage as part of a wider insurance policy; 5% have a specific cyber security insurance policy. Statistics also show that the lower the charity’s income, the less likely it is to have cyber security insurance in place. Trustees should consider whether the potential risks and costs of a cyber attack necessitate cyber insurance.

Embed good practice

Cyber security is everyone’s responsibility, though we often hear of board-level reluctance to actively engage with cyber issues. The technical nature of the issue can be a blocker, driving trustees to delegate to the IT team or externally, without much further consideration going forward. However, cyber risk is a board-level risk and should be regularly reported on and considered, particularly where new processes or practices are being developed and implemented.

Appropriate training should be provided to all staff, both upon joining and regularly throughout their employment. This could include sessions on how to handle personal data, appropriate use of work/personal devices, email protocols, and what to do in the event of a breach.

Get in touch

For further information on what to do in the event of a cyber attack, please see our five-step plan here.