top of page

Is a weak password leaving your charity exposed to criminals?

Charities, of all sizes, continue to be a target for cyber criminals.


Hijacking a charity’s social media channel gives a criminal instant reputation and the ability to collect funds for their own pockets rather than those charities are set up to protect.


And criminals aren’t using the most sophisticated and technical strategies to get into systems, they are logging in, using employee’s own passwords.


How are they doing that?

Image of person with keyboard with image of padlock

According to Verzion 80% of hacking-related breaches are linked to passwords making them a key target.


Most people have a company email address which is going to be something like jo.bloggs@mycharity.co.uk and this is frequently used as the username as well. So, with a little bit of research most people could figure out someone’s username.


Passwords are a little bit harder to guess, but research has shown that we are creatures of habits and there are a few things we all seem to do.

  • when we are asked to add a number to a password, most of us will add the number to the end

  • over half of users have their name or date of birth in their password or use other easily discoverable information such as pet’s, partner’s or children’s name

  • for work passwords we use the company name somewhere such as MyCharity1

  • we tend to reuse passwords on multiple sites/systems, with employees reusing the same password an average of 13 times according to LassPass

Example of credentials list

Criminals can create lists of these common passwords and then try the username/password combination to try and gain access to your systems.


But they don’t just create these lists themselves, they harvest previously known passwords from other criminal’s data breaches, which is why the last statistic above is particularly important. If a password ends up as part of a data breach, then you must assume that everyone knows it, meaning you can’t use it anymore.


Isn’t it the staffs fault for using weak passwords?

No.

57% of charities have a password policy that ensures users set strong passwords according to the Cyber Security Breaches Survey 2022. But that means that 43% of charities aren’t!


And only 19% of charities say that they have had training or awareness raising sessions on cyber security in the last 12 months.


So how are your employees and volunteers supposed to know what a strong password looks like, if you aren’t telling them, or giving the tools to enable them to follow best practice?


What can I do to help my charity improve?

Screenshot from haveibeenpwned.com
  • See what passwords you and your staff have which are already known. Why not run a poll to see who has the most/least breaches? Haveibeenpwned.com is a website where you can enter your email address and telephone number and see if your information has been captured in a data breach. As a business owner you can also register your domain and get notified when your domain pops up in another breach.

  • Have a clear password policy for staff and tell them why having strong, unique passwords are essential. If you need some help with this, our affordable student services offer security awareness training or if you are a small charity you can get free security training from your local Police Protect officer. Why don’t you make a booking to discuss further?

  • Enable Two Factor Authorisation wherever you can, but especially on your emails and social media accounts. Even with the best passwords, once someone knows that password then the system is not secure. With 2FA, even if the password and username are known, the criminal won’t have access to the second verification factor so they shouldn’t be able to just “log in”.

Collage of popular password managers
  • If your staff have a lot of passwords to remember, consider getting an enterprise password manager so they only have to remember one and the password manager generates and remembers the rest – goodbye reused passwords. If you do look at this option, speak to the provider and see if they offer charity pricing. Some won’t advertise the fact but will offer a discount if they can.

Further guidance & support

The Eastern Cyber Resilience Centre is a not-for-profit organisation, run by policing, with the intention of increasing cyber resilience of SMEs and third sector organisations within the East of England.


Our members can benefit from a range of services, from helping you improve your cyber resilience through our “little steps” programme to being notified about the threats relevant to you.


Why not join our community today?


It’s completely free, with no strings or sales pitches attached.


Policing led – business focused.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page