You might well ask this question, since charities are not cash-rich organizations. But all charitable organizations hold personal records and other sensitive data which, if publicized, could damage the reputation of the charity, impacting on their ability to raise money for their good causes in the future. Couple this high-value data with the fact that almost 50% of charities have very basic or non-existent cyber security protocols and it becomes easier to understand why they are such a high-value target. Charities exist because the public trust that most of the money that they give will go to support something that they believe is a worthwhile cause. Loss of this trust could critically impact all affected charities' future operations.
The Head of the National Cyber Security Centre, Lindy Cameron, sums up the current cyberthreats to charities in the 2023 NCSC Cyber Threat Report on the charity sector.
More charities are now offering online services and fundraising online, meaning reliable, trusted digital services are more important than ever. During the Ukraine crisis, we saw more criminals taking advantage of the generosity of the public, masquerading as charities for their own financial gain. Cyber-attacks affecting services, funds or compromising sensitive data can be devastating financially and reputationally, potentially putting vulnerable people at risk. The NCSC continues to support this vital sector and encourages all readers of this report to implement the guidance within it.
Where can I go for help?
Here at the Eastern Cyber Resilience Centre – a Home Office funded and police-led organization – we pride ourselves on providing free guidance and signposting for businesses across all sectors. Consequently, we have brought together in one place a range of guidance packages and tools that charities can access free of charge.
NCSC Small Charity Guide – an excellent introductory guide, aimed specifically at charities, and with tons of guidance about what a charity needs to consider when operating online.
NCSC Cyber Action Plan - Learn how to protect yourself or your small business online with the Cyber Aware Action Plan. Answer a few questions on topics like passwords and two-factor authentication and get a free personalised list of actions that will help you improve your cyber security. This is a great place to start your resilience journey and quickly identify areas that need improvement.
Incident Response Plan - To help you minimize the impact of a cyber-attack we have created a Cyber Incident Response Plan for you to use. Create a plan and then use Exercise in a Box to test its effectiveness.
NCSC Exercise in a Box - An online tool which helps organisations test and practice their response to a cyber-attack. It is completely free, and you don’t have to be an expert to use it. It includes two exercises, a technical simulation, and a table-top exercise. You just need to register for an account. If you are not confident of running this alone, your local cyber protect officer can help you for free (no strings attached). Contact us for more details.
NCSC Board Toolkit - Boards are pivotal in improving the cyber security of their organisations. The Board Toolkit has been designed to help board members get to grips with cyber security and know what questions they should be asking their technical experts.
NCSC Cyber Security Training for Staff - Your staff are your first line of defence against a cyber-attack. The NCSC has developed an e-learning training package ‘Stay Safe Online: Top Tips for Staff’ to help educate your staff on a range of key areas including phishing, using strong passwords, securing your devices, and reporting incidents.
Police CyberAlarm - Helps your business understand and monitor malicious cyber activity. Police CyberAlarm acts like a "CCTV camera" monitoring the traffic seen by a member's connection to the internet. It detects and provides regular reports of suspected malicious activity, enabling organisations to minimise their vulnerabilities. Vulnerability Scanning can be added and used to scan an organisation's website and external IP addresses.
The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of data and money as well as permanent loss of reputation. But all is not lost.
Whatever you decide to do, doing nothing is no longer an option. Here at the ECRC we are already working closely with over 1200 organisations across the East of England – Small and Medium Businesses, schools and third sector organisations - to help them tackle the continually changing cyber threats that they face.
So come and join our community as free members and let us help you protect your organisation and your customers from the ever-present threats out there in the cyberverse. You’ll receive a monthly newsletter as well as our “Little Steps” emails giving easy-to-understand, bite-sized guidance about how to protect your business. You can also access our affordable student services and Cyber Partners along with regularly updated cyber threat assessments.
Reporting a live cyber-attack 24/7
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.
Reporting a cyber-attack which isn't ongoing
Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.
Alternatively, you can call Action Fraud on 0300 123 2040.