In its Preventing Charity Cybercrime report, the Charity Commission revealed that 58% of charities think cybercrime is a major risk to the sector. Yet despite understanding the dangers, charities, and small charities in particular, are failing to do enough to protect themselves. Charities are more vulnerable to cybercrime than any other organisation. This is the warning that has come out from the Charity Commission, which found more than half of charities recognised the threat was a very real problem to their operations.
Not only do charities hold valuable stakeholder and donor data, they often have less robust systems and controls in place to protect themselves. And this is why criminals are increasingly targeting the sector with phishing, ransomware, social engineering, malware, phreaking, viruses, website defrauding and hacking, with some charities facing devastating consequences.
According to the Government’s Cyber Security Breaches Survey 2019, almost a quarter of charities were affected by cybercrime last year. And yet despite these figures, 44% admitted they are not adequately protecting themselves.
Protective systems will help
When it comes to protection against cybercrime, it’s high time charities quashed the “head in the sand” attitude. They can start by getting IT systems up to scratch. Ideally you should outsource all your IT provision to a professional, but at the very least you should make sure you always update and upgrade when required.
Last year the UK’s National Cyber Security Centre (NCSC) published a guide to highlight the growing risk of cybercrime and to help small charities protect themselves from the most common types of attack. Among its recommendations, the guide advised charities to back up data and protect it with strong passwords, protect the organisation from malware and keep smartphones and tablets safe.
An external expert can help you put in place a firewall, antivirus software, PKI services (a cryptographic technique for use on insecure public networks), managed detection services and penetration testing, and can assist you with your staff training. The best system for your budget will help deter criminals and should drastically reduce your risk of a breach. But remember, no system is foolproof.
Train your staff
The next course of action for protection is proper staff training. The sector identified phishing attacks - where criminals specifically target charities with fraudulent emails - as a huge problem, especially as more and more criminals use machine-learning algorithms to fine-tune content.
The rise in the number of these incidents is likely to be the result of poor training - with staff and volunteers at charities statistically less likely to be given proper guidance than employees in commercial organisations.
Phishing emails frequently attempt to trick staff into installing ransomware – a type of malware – on a charity’s computer systems. This then increases the charity’s likelihood of falling victim to a ransomware attack. Many organisations believe that they can mitigate a ransomware attack by ensuring that they have high-integrity backups of their systems so they can restore their data if it becomes encrypted.
But, disturbingly, ransomware is increasingly being equipped with extraction capabilities, allowing hackers to steal confidential information such as usernames and passwords before encrypting data. This means that even if a charity restores its systems, the criminals can come back later and gain access again.
Training would help staff identify issues of concern – but it would also help employees spot other problems that could result in breaches. This is particularly important in relation to fraud.
After all, according to the Charity Commission, more than two thirds of charities (69%) think internal insider fraud is the biggest potential threat to the sector, backed up by the fact that 30% of cybercrimes were identified by internal IT controls last year.
Studies suggest charities are vulnerable to internal fraud because of a lack of fraud awareness training, an over-reliance on goodwill and trust, and excessive trust in one or more individuals.
To prevent internal fraud becoming a problem, there are some basic steps all charities should take. These include introducing and enforcing basic financial controls – such as having two signatories to bank accounts and undertaking regular bank reconciliations. On top of this, charities should make sure no one single individual has oversight or control of financial arrangements.
The Charity Commission reports that, astonishingly, less than a third (30%) of charities have a whistleblowing policy, but staff, volunteers and trustees should be encouraged to speak out if they see something they feel uncomfortable about.
Get your insurance in place
The final weapon in your armoury against cybercrime should be your insurance.
According to the Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2019, the average cost of identified data breaches and attacks in 2019 for charities was £2,150. A sobering thought. Some charities, particularly the larger charities with better funded resources, are aware that their data is sensitive, valuable and vulnerable and will install the best IT systems to protect it.
But, sadly, there remains a staggeringly low adoption rate of cyber liability insurance among charities and this would be a sensible addition to any charity’s armoury. According to a survey by the Department for Digital, Culture, Media & Sport, completed last year, just 4% of charities said that they have some kind of specialised cyber liability insurance in place, while 17% of charities said they were unaware such a thing existed.
Mixed perceptions about the cyber liability insurance market mean that there is a degree of scepticism and confusion about exactly what this insurance covers and how effective it would be in the event of a claim. So, let’s take a look at this.
Minimise your losses
It’s true that not all cyber liability insurance policies are the same. Equally, not all cyber threats can be anticipated or prevented. However, a specialist insurance broker, insurer or other insurance specialist can help you work out the risks and the estimated cost of a breach, and bring to your attention a package which can be integrated as part of your charity’s risk management process.
As well as using a broker or other expert, you should make sure you understand what's covered and what you get in terms of training, helplines and access to experts, and that you know the different risks.
The impact of cybercrime can be far-reaching for any charity. Loss of income could occur if a hacker accesses your network and causes damage to your systems or data, leaving you unable to operate and earn revenue.
Further costs from a serious data breach might involve legal advice, and time and money informing clients or regulators about the data breach. This may lead to you having to defend and settle claims made against you in the event personal data is lost or stolen. There can also be further costs connected with regulatory investigations and paying penalties imposed by regulators.
Meeting the costs of repair, restoration or replacement of websites, programs or electronic data following a computer hack can also be a burden, and if you’ve been the victim of extortion you may be out of pocket if a criminal holds you to ransom. On top of this, there is the cost to your reputation.
The best cyber liability insurance covers the costs associated with security breaches, loss of third party data and cyber extortion, as well as access to expert IT advice and support, cyber forensics, legal advice and public relations in the event of an attack.
By sending in the cavalry, this package will help cushion the financial impact, get a charity back on its feet and mitigate any reputational damage that may result from negative publicity.
It pays to be prepared
Charities recognise the risks. They know the threat is there and that the attack could cost them dearly. However, all too often charities see cybercrime as just an IT issue. They think that if they put robust IT measures in place, they are safe. But the fact is that even with excellent systems, there can be breaches.
The latest research from the Charity Commission should act as a stark warning for charity decision-makers. And it’s time to act. Charities need a three-pronged approach to cover themselves: excellent IT protection, well trained staff and the right insurance cover. Without it, you might as well leave your office unlocked and ask your staff to leave the door wide open when they leave.