Cybercrime has been around for many years but is becoming more and more prevalent in organisations, and charities haven’t by any means been exempt from the issue.
The Cyber Security Breaches Survey 2021 published by the Department for Digital, Culture, Media & Sport shows that over a quarter of charities said they experienced some kind of cyber breach in the past 12 months. In particular, those charities whose income exceeds £500,000 are more at risk.
So, why are charities often specifically targeted?
Firstly, more and more charities are taking online donations and using online services. With the pandemic pushing the digital world to progress at an even faster rate than it was before, these online services are being used more and more. Therefore, unfortunately, cybercrime is also increasing hand in hand.
Remote working over the past year has also been the default for most employees, which has impacted control procedures such as signing off documentation.
Charities generally tend to place a lot of trust in the individuals they work with, be that volunteers, beneficiaries, employees or trustees. Trust is often seen as part of the culture of working for or with a charity. This readiness to trust can mean that charities assume others are worthy of trust and fall easily into the hands of fraudsters.
Some charities may also have less online security in place, perhaps because of cost-saving exercises. It is also not uncommon for charity employees to use personal devices for work purposes, again where the charity has not been able to afford the appropriate equipment for its users.
It is probably fair to say that many charities don’t have a trustee responsible for cybercrime on their board, and the issue can often be easily overlooked.
What does the Charity Commission say on the issue?
The Charity Commission hasn’t issued any more guidance for charities on this specific issue; in fact, the most recent alert was back in 2018: “Watch out for CEO fraud”. However, with the rise in use of the internet and remote services, propelled forwards due to the past 12 months of lockdown, it is sad to state, but no real surprise, that more and more charities are falling victim to this fraud. Amongst charities that reported breaches or attacks in the past 12 months, 18% experienced a loss of money or data, according to the Cyber Security Breaches Survey 2021.
What are the main forms of cybercrime?
There are two main types: criminal activity that targets computers and criminal activity that uses computers to target people. The most common forms of cybercrime seen currently are phishing attacks, impersonation emails and viruses.
So, what exactly is phishing? According to phishing.org, “it is a cybercrime in which a target or targets are contacted by email, telephone or text message, by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.”
Criminals could send a phishing email to millions of email addresses in the hope that some people click on a link that, for example, either takes them to a fake website or triggers a virus to be installed on the victim’s computer. Spear-phishing is a specific type of fraud where the email is targeted at a particular person, purporting to originate from a colleague.
For example, scammers even impersonate HMRC, sending communications that purport to come from the Revenue. This has been accentuated during the coronavirus pandemic, with messages offering, for example, COVID-19 refunds or links to funding claims that are not genuine.
What can you do to protect your charity from cybercrime?
The key here is not to bury your head in the sand! Not taking action just because your charity has not been affected by cybercrime is not the answer. As is often the case, prevention is better than cure. It may be hard to see how you could be affected if you haven’t yet been the victim of cybercrime, but resolving the issue could become a bigger problem once you have been.
If your charity uses online banking, social media or network-connected devices, if your beneficiaries’ personal data is held electronically, or if beneficiaries or clients can order, book, or pay online, then you ARE at risk of cybercrime.
The key is to understand your own IT processes and procedures. What is your IT strategy? Who is the trustee responsible for overseeing this?
Firstly, you should ensure you have the correct software and procedures in place to ensure you are as protected as possible.
The second area to look at is your staff and the training they receive – is it adequate? Are all members of staff aware of the risks, and can they identify a fraudulent email if they receive one? Training to educate staff and trustees really is key to having strong defences against cybercrime. Reminding staff of the importance of strong and unique passwords is such an easy step and helps protect both the individual and the organisation.
There are many agencies out there who can help with both software and training. This dual approach of having the correct software and having a good understanding of the types of crime around and how to identify them will aid in protecting your organisation. Of course, insurance is another way to ensure you are fully covered for any eventuality.
Over the past 12 months, lockdowns have meant that organisations have turned from paper records to electronic records if they hadn’t already. There is an unspoken assumption that emails are a safe method to deliver information. If the CEO has emailed to confirm that an invoice is ok to pay, would you trust this email as proof? Likely! But is that correct? Not always.
It is also vital to ensure that cybercrime incidents are reported within your organisation and, where necessary, to the relevant agencies.
New training package launched for charities
On 6 May this year, a new e-learning package was launched for charities and small businesses by the National Cyber Security Centre. The aim is to boost charities’ ability to defend against threats posed by cybercriminals. It covers five key areas: backing up your data, protecting your charity against malware, keeping devices secure, the importance of passwords, and defending your organisation against phishing. If you are interested, here is the link to access this free training: https://www.ncsc.gov.uk/blog-post/training-for-small-organisations-and-charities-now-available
For many years now, we have discussed the importance of trust in charities. People want to donate to a worthy cause, and they want transparency over how the money is being used for the causes set out by the charity. It is, therefore, the charity’s duty to make sure those donations count and that the charity is not being defrauded. If we all act responsibly, we can ensure charities make a difference to their beneficiaries and continue to improve the public’s faith in charitable organisations.
This post was written by Alice Boesen, a Manager in the Charities team at Price Bailey. If you have any questions relating to this article, please contact Alice using the form below.
We always recommend that you seek advice from a suitably qualified adviser before taking any action. The information in this article only serves as a guide. The authors or the firm can accept no responsibility for loss occasioned by any person acting or refraining from action due to this material.