Charity Cyber Security Health Checks
Getting Started: Cyber Security for Charities
Is your charity worried about cyber security, but not sure where to start? Let’s take a look at the most common cyber security challenges charities face, and how to start tackling them.
Understanding the factors which make charities different from other organisations is key to developing the right cyber security approach. We’ve written this blog to coincide with the launch of our charity cyber security health check as a way to help charities understand these factors and make a start on their cyber security journey. Let’s take a look…
Charities are not safe from cyber attacks
There is a common misconception that charities are immune, protected, or somehow afforded special treatment when it comes to cyber attacks. Sadly, this is not true. While some cyber crime groups will avoid charities, many threat actors will think nothing of targeting a charity or its donors as a means to make money.
Cyber threats to charities including ransomware, data breaches, business email compromise, and website cloning are described in detail in the NCSC’s Threat Report on the UK Charity Sector - a must-read for anyone working in security for a charity. Recognising that there is a threat, and then understanding it, is fundamental to deciding what to do about it.
Reputation is everything
A cyber incident such as a data breach can have a huge impact on reputation, resulting in a devastating loss of vital support: donations, publicity, volunteer support, and benefactor engagement. Unlike the private sector where choice may be limited (think of your least favourite airline that you keep being forced back to…!) there are thousands of charities out there to which people can turn instead. It’s vital that charities understand how cyber incidents can affect their reputation, and what they can do about it.
The volunteer conundrum
Charities rely on the dedication, benevolence and generosity of their workforce. Staff, volunteers, and trustees play a vital role in keeping the charity going, but not all of them may be comfortable with technology or cyber security, which makes enforcing compliance difficult. Can you really expect or force volunteers to comply with cyber security policies? Some may not know how to comply, or may be put off volunteering altogether if they feel security is being forced on them. Managing the balance between compliance and maintaining goodwill among personnel is crucial to good cyber security.
Variety is not always a good thing
Charities will often evolve their IT solutions organically as they grow. Within a few short years they can go from humble beginnings with personal computers and some second-hand phones to a vast mixture of donated, borrowed, and purchased laptops and mobiles, applications and cloud platforms. The result is a complex mix of IT which is hard to understand, let alone manage.
Another aspect is reliance on third-parties to provide cost-effective IT services. There are some great cloud platforms for managing donations, marketing, customer relations, finance, HR and volunteer coordination. However, they are only as secure as the providers who build them and the users who use them, as seen in the Kokoro and DonorView breaches. Knowing what data and IT services your charity owns, uses, shares, stores, and relies on is essential to managing cyber security risks.
I’m confident with cyber security. Where should I start?
Begin by identifying your charity’s critical IT systems and services. Doing this will help you prioritise your security appropriately. For help and advice on how to do this, check out our recent podcast. From there, you can assess the cyber security risks to those systems and decide where controls can be best placed. We’ve got a series of webinars on our website which talk about how to do this here: Clear Cut Cyber - Webinars.
Simple security measures will go a long way, like the NCSC’s excellent (and free) online staff training course, backing up your data, using strong passwords and Multi Factor Authentication (MFA), not sharing IT user accounts, and defining what software and cloud platforms your IT users are and are not allowed to use.
What about cyber security certifications?
Certifications such as the NCSC’s Cyber Essentials scheme are brilliant. However, they can be intimidating for small organisations with limited resources. Don't feel you have to go straight for a certification; your charity may be better off focussing on a smaller set of security controls and measures initially. Unless it's essential to your business, we recommend pursuing a certification when the time is right for your charity; when it’s mature enough to be able to achieve and recertify without overwhelming itself.
I’m new to this. Is there an easier way to get started?
Yes! We recently launched our free cyber security health check for charities. Enter your details and fill out the form online or via email. We’ll review your answers, arrange a quick chat, then provide you with a report detailing your charity’s cyber security health status and some simple recommendations. It’s completely free, and we only use the information you give us to perform the health check.
No details are shared with anyone else, and there’s no obligation to use our services afterwards - you’re free to proceed as you please. If you’re keen to give it a try, visit the link above and get in touch with us. We look forward to hearing from you.