
Facing the growing threat of cyber fraud

By Nazreen Visram, director, public sector: head of charities & citizenship at Barclays.

Charities are increasingly handling transactions and donations via the internet, through cards, mobile devices and direct payment channels, a change accelerated by the Covid-19 pandemic.

While this brings benefits in terms of efficiency and convenience, it also exposes charities to the growing threats of cybercrime and data theft, with the associated risks of financial loss and reputational damage. Cybercriminals are keen to access and exploit the valuable data charities hold and any data breach can be a payday for fraudsters.

Worryingly, over a quarter of all charities – and more than half of those with high incomes – faced a security breach in 2020, statistics from the Department for Digital, Culture, Media and Sport reveal.

This has remained a consistent trend according to a 2021 white paper by Charity Digital and the National Cyber Security Centre (NCSC), based on a survey of staff and volunteers in charities across the UK.

Concerns over readiness

The good news is that over 95% of charities think cyber security is important, the report says, with 70% regarding it as extremely important. Nearly half say they have installed more security software, and 46% have invested in additional training and attended more cyber security events.

However, only 61% of UK charities have a cyber security breach plan in place; over a quarter don’t even have one, and a tenth don’t know if they have a plan or not.

The survey also found that, when asked to rate their own cyber security out of 10, the average score across the charity sector was just six.

More than 10% said they had other areas of priority, while 7% said they lacked the skills and training to improve their cyber security, and 5% weren’t worried about a cyber security breach.

The report identifies considerable inconsistency around cyber security strategy at senior level, given 44% of senior executives and 78% of trustees are unaware if their charity has a cyber resilience strategy in place or not, while 58% of managers said their organisation has one.

One of the key trends that stood out among those surveyed, perhaps unsurprisingly, is that larger charities have better cyber security measures in place compared to small and micro-charities with fewer resources and less expertise available.

Bearing these factors in mind, charities should not only ensure they have effective cyber fraud strategies and policies in place but also communicate them clearly to everyone in the organisation, while training and educating staff and volunteers on fraud-related threats, from the top down.

It is also important the sector finds ways to help and support the more vulnerable small and micro-charities.

What charities are up against

Cybercrime techniques are becoming increasingly sophisticated. The majority of the cyber attacks against charities involve ‘phishing’. CEO impersonation scams and invoice frauds are also a major issue, and most result from fraudsters targeting an individual staff member or supplier with compromised cyber security as a ‘gateway’ into the organisation.

For many years criminals have also been tricking victims into inadvertently downloading malicious software (‘malware’) onto their computers, but this malware has now been refined and evolved to infiltrate entire systems and remain hidden for months, taking over whole domains and potentially gaining access to accounting details, or sensitive and confidential information.

Furthermore, the pandemic-driven increase in homeworking has opened up further opportunities to test a charity’s defences and steal its funds.

Finding solutions

The Police Digital Security Centre advises that it is important to identify any vulnerabilities in advance, focus on prevention, and ensure that everyone knows what is going to happen when a breach occurs.

Top-level actions include hiring the best possible talent to help prevent and tackle cybercrime, investing in cutting-edge software to detect and stop cyber threats, backing up data properly and regularly testing and verifying security systems.

But there are quick wins too. For example: not routinely putting bank details on documents that are sent out; using stronger, more complex passwords rather than repeatedly changing simpler ones; and deleting email accounts immediately when someone leaves the organisation. Charities should avoid routinely giving new joiners access to all documents and files – especially in finance and IT – and only make them available as and when needed.

Further advice

Barclays Cyber Security Operations Centre recommends password-protecting all devices, encouraging staff and volunteers to report and escalate suspected threats, and checking that partner organisations and suppliers are cyber secure.

Organisations must urge everyone to guard their email credentials assiduously, and use some form of second-factor authentication for log-in authorisations.

Homeworkers should be provided with the IT and communications equipment they need, rather than using their own, and be connected to the charity’s IT systems via a virtual private network (VPN).

Providing advice like this is just one of the ways Barclays supports charities in their fight against fraud, and we’re keen to share the full range of our in-depth knowledge and expertise in preventing and responding to cybercrime. Find out more about how we can help your charity with fraud prevention.
