Cybercrime – is my charity at risk because we allow staff to work from home?

The simplest answer to this question is maybe – so read on to find out what additional vulnerabilities your charity may have from having staff working from home.

Photo of male in office looking at donation graph

One of the biggest assumptions made by charities around cybercrime is that they won’t be affected as they don’t have anything of value to hackers and scammers.


If that were true it doesn’t explain the fact that over a third of our regions’ charities have fallen victim to a cyber-attack during the course of the pandemic. Here we will look to explore why charities are so vulnerable, how remote working can add to the list of concerns and how you can work with us to help reduce your chance of becoming a victim in 2022.

Why are charities a target for scammers and hackers?

Photo of a dartboard with dart in the bullseye

You might well ask this question since charities are not cash rich organizations. But all charitable organizations hold personal records and other sensitive data which if publicised could damage the reputation of the charity, impacting on their ability to raise money for their good causes in the future.


Couple this high value data with the fact that almost 50% of charities have very basic or non-existent cyber security protocols and it becomes easier to understand why they are such a high value target. Ultimately, charities exist because the public trust that all or most of the money that they give will go to support something that they believe is a worthwhile cause. Loss of this trust could critically impact all affected charities future operation.


What are the main risks associated with homeworkers?

Working from home during the COVID-19 lockdown was vital for charities to continue delivering services to those in need. But there’s no doubt that your home computer, or a laptop borrowed from the office, is less secure than one running in your workplace under the watchful eye of dedicated IT staff.

Screenshot of phishing email purporting to be from GOV.UK

1. Phishing emails. Employees working remotely can be the largest threat to the security of your network. If they unknowingly follow poor cyber security practices, they might end up giving cybercriminals and hackers access to the network and sensitive data of the company.


Commonly, the hacker will send an email to trick the victim to login to a malicious website that looks exactly like the original website. Once the victim enters the required information, the attacker uses it to hack into an account and carry out identity fraud or steal more sensitive information. The phishing emails may look like from a person or organization you trust. It may be from a social media site, credit card company, streaming app, bank, or even a work colleague or supervisor.


2. Password Theft. Even when an organization uses firewalls, VPNs, and other cybersecurity software for protecting remote work, human error might come into play when employees safeguard the account using weak passwords.

Hackers can exploit human error to get past sophisticated security software. This is the reason they will try to crack the account passwords for accessing sensitive details. You won’t believe it, but twenty-three million people still use the password 123456.

Cybercriminals use different measures for cracking passwords. Often, the hackers design codes to crack a password by trying out various variants. Repeat password is another insecure practice that hackers try to exploit. As soon as the hackers crack the password to an account, they will try accessing other accounts with the same password. Employees repeating their passwords on various applications are at a higher risk of having their accounts hacked. This is particularly true for employees who use the same passwords across personal and work networks.


3. File Sharing. While companies might think of encrypting data that is stored on the corporate network, they might not consider encrypting data when it is in transit from one location to the other. This might result in employees sharing or remotely accessing sensitive details on a regular basis that the company is unable to secure from being intercepted by a hacker.

Photo of laptop and phone being used by someone

4. Personal Devices. Employees often don’t encrypt their own personal devices. Nevertheless, if work is conducted on personal mobile phones, such as logins or phone calls to business accounts, this may cause data breaches.

Some businesses provide their employees with work computers to remotely access the files and information. However, others allow remote employees to work on personal computers. This approach might leave company data at risk.


5. Criminals may exploit the fact that a router password is still on its default setting. Change or update Router and Wi-Fi passwords as part of the working from home process for all staff. Use your web browser to log on to your router (often using the address 192.168.0.1 or 192.168.1.1), find the option to change the router password, and choose something difficult to guess. Also, configure your Wi-Fi to use WPA or WPA2 encryption and to set a strong password with a minimum of 13 characters.


6. Cyber criminals often exploit known vulnerabilities in computer operating system to hack into the system before the operating system is updated to remove the vulnerability. By setting Windows to install updates automatically as soon as they are available you reduce the window of opportunity for these cyber criminals.


Can you protect yourself from these attacks?

Yes, you can.

Here at the centre, we would suggest a whole system or organisation approach to cybersecurity to maximise its effectiveness. That would include carrying out staff awareness sessions to make sure that staff know what to look for – to spot potential attacks, and to identify when an attack has been successfully carried out.


We would also recommend that organisations look at bringing in clear policies around cyber security so that all staff are aware of their responsibilities and what they should be doing to strengthen their remote working set-ups.


The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of business and loss of reputation. In the worst cases it can lead to the closure of the business altogether. Having a clear incident response plan is essential in today's "when" a cyber attack occurs, not "if". If you haven't already got a plan, we have a free template that you can download as a starting point..


So, what should my charity do now?

Here at the centre, we would advise you to do three things now

1. Join our free core membership by clicking here. You will be supported through implementing the changes you need to make to protect your business and your customers. As part of your membership you receive a weekly series of practical steps that you can implement which aligns with Cyber Essentials – the basic government backed kite mark standard for cyber security. As a free member we will take you as far as the CE accreditation process. And if you want to pay for the assessment, we can refer you one of our Trusted Partners – all regionally based cyber security companies that can help you become accredited.


2. We would also recommend that you speak to your Managed Service Provider and / or website company to discuss how they can implement cyber resilience measures on your behalf.


3. Download the free Small Charity Guide, which you can find on our website here.


And remember that a company operating under Cyber Essentials processes is 99% protected either fully or partially from today’s common cyber-attacks.


Reporting Cyber Crime