Charities - what is ransomware and am I at risk?

One of the biggest assumptions made by charities around cybercrime is that they won’t be affected as they don’t have anything of value to hackers and scammers.

If that were true, it would not explain the fact that over a third of our region’s charities have fallen victim to a cyber-attack during the course of the pandemic. Here we will explore why charities are so vulnerable, what a ransomware attack is, and how you can work with us to help reduce your chance of becoming a victim in 2022.


Why are charities a target for scammers and hackers?

You might well ask this question, since charities are not cash-rich organisations. But all charitable organisations hold personal records and other sensitive data which, if publicised, could damage the reputation of the charity, impacting its ability to raise money for its good causes in the future. Couple this high-value data with the fact that almost 50% of charities have very basic or non-existent cyber security protocols and it becomes easier to understand why they are such a high-value target. Ultimately, charities exist because the public trust that all or most of the money that they give will go to support something that they believe is a worthwhile cause. Loss of this trust could critically impact an affected charity’s future operation.


So what is ransomware?

It is a piece of software that gains access to your network – usually through a phishing attack – and, once installed, will either steal, delete or encrypt data. The attack is commonly followed by a request for money to get your data back or to decrypt it in place within your network. Don’t pay and the data will be published – causing huge reputational damage – or it will be lost forever, impacting the charity’s ability to function.

And let’s be very clear about this. The underlying reason for ransomware attacks happening at all is so criminals can make money – they don’t care whether paying the ransom will prevent that organisation from funding a piece of life-saving equipment at the local hospital. They just want your money. And if you do pay, imagine how that could affect your reputation when your donors discover all of their money has gone to a scammer, or worse a terrorist organisation, as part of a ransomware attack.


What should I do next?

So I think we’ve explained that falling victim to a ransomware attack is very bad. As such, prevention is very much better than cure. That said, preparation for the worst-case scenario should form part of a charity’s approach to cyber resilience as well. Here at the ECRC we have a number of simple guides to help you keep cyber hackers at bay. Check out the Charity guide on our website. The guide looks at 5 areas of cyber resilience that all charities should be looking to improve.


In summary

  1. Back up your data – and keep it offline. This means you always have a copy that you can access if your network is compromised.

  2. Restrict who can install software in your network, and maintain up-to-date anti-virus software and other software patches.

  3. Protect your IT equipment – enable passwords, remote wiping etc.

  4. Use strong passwords everywhere and two-factor authentication where possible for important accounts.

  5. Make sure that you and your team know what a phishing attack is, how to spot one and how to deal with it when it does occur.

How can we help you now?

Come to the ECRC website to find out more about this and many other areas of cyber resilience.


If you sign up for free membership, we will walk you through the basics and help you to protect your charity and the data that it holds.


And if you progress through to obtaining Cyber Essentials accreditation, you will be fully or partially protected from over 99% of the common cyber threats out there.


Now isn’t that the sort of Christmas present you should be getting for your charity?





