okolaa - Fotolia

Cyber crime is a top threat to UK charities, says NCSC

Cyber crime poses the most serious threats to UK charities, the National Cyber Security Centre has warned

Many charities, particularly smaller ones, do not realise the value of the personal, financial, commercial and other data they hold to cyber criminals, according to a report by the National Cyber Security Centre (NCSC).

Charities typically do not perceive themselves as targets, but the value of the data they hold to range of cyber criminals makes them vulnerable to attack, warns a Cyber Threat Assessment report.

In light of the new EU and UK data protection laws, continuing high levels of cyber criminality and growing use of online business practices by charities mean investment in cyber security is increasingly imperative for the sector, according to the NCSC, which has issued fresh cyber security guidance to small charities.

The NCSC notes that larger charities, especially those operating like major corporations are in a better position to allocate specific cyber security responsibilities and take a proactive approach to cyber security, but the guidance applies equally to larger charities as well as small businesses.

According to the threat assessment, the culture of openness makes small charities more vulnerable to cyber fraud and extortion, with many falling victim to a range of attacks with potentially devastating consequences.

There are almost 200,000 charities registered in the UK, and the threat assessment reveals how cyber criminals are targeting their funds, supporter details and information on beneficiaries.

The guidance for small charities outlines easy and low-cost steps to protect from attacks, including advice on backing up data, using strong passwords, protecting against malware, keeping devices safe and avoiding phishing attacks.

Read more about business email compromise

  • Almost all UK law firms vulnerable to email fraud, study shows.
  • UK impersonation fraud up 39% in last quarter of 2016.
  • Email is the number one entry point for data breaches, which includes targeted email attacks such as business email compromise and spear phishing.
  • Business email compromise accounted for $3bn in losses in the US alone in the first six months of 2016. 

Investment in cyber security, the report notes, may not require a financial outlay or take a lot of time and may in the longer term prove cheaper than repairing the damage after a cyber attack.

“The National Cyber Security Centre is committed to supporting charities and we strongly encourage the sector to implement the advice outlined in our guide,” said Alison Whitney, director for engagement at the NCSC.

“Cyber attacks can be devastating both financially and reputationally, but many charities may not realise how vulnerable they are to the threat. That’s why we have created these quick and easy steps that will help charities protect themselves to protect their data, assets, and reputation,” she said.

Writing in the foreword to the Small Charity Guide, NCSC CEO Ciaran Martin said the NCSC is committed to supporting the charity sector. “We encourage you all to implement the quick and easy steps outlined in this guide.”

According to the threat assessment, cyber criminals motivated by financial gain are likely to pose the most serious threat, which could have a paralysing effect on a small charity’s ability to deliver their services. One example details how a UK charity lost £13,000 after its CEO’s email account was hijacked to send a fraudulent message instructing their financial manager to release the funds, which is commonly known as business email compromise, CEO fraud, or whaling.

The assessment notes that the scale of cyber attacks against charities is unclear due to under-reporting and charities are being urged to report such crimes to Action Fraud and the Charity Commission.

Exchanging threat information

The NCSC is encouraging charities to join the Cyber Information Sharing Platform (Cisp) to exchange threat information in a secure and confidential environment at no cost to the charities.

The assessment and guide have been well received by the charity sector, with heads of influential bodies praising the NCSC’s work.

Helen Stephenson, chief executive of the Charity Commission for England and Wales, said charities play a vital role in our society and so the diversion of charitable funds or assets via cyber crime for criminal purposes or personal gain is particularly damaging and shocking.

“The threat assessment confirms what we often see in our casework – unfortunately charities are not immune to fraud and cyber crime, and there are factors that can sometimes increase their vulnerability such as a lack of digital expertise, limited resources and culture of trust.

“We fully endorse the NCSC’s guide on cyber security for charities,” she said. “This will be a valuable resource to help charities protect their work, beneficiaries, funds and reputations from harm and we encourage charities of all sizes to make use of it.”

Pauline Broomhead, CEO of the Foundation for Social Improvement, said the guide will give leaders in smaller charities confidence that they are taking the necessary steps to protect their charity. “It is an excellent guide and we intend to make sure our members are fully aware of the valuable information it contains.”

Stuart Etherington, CEO of the National Council of Voluntary Organisations (NCVO) said awareness and knowledge about cyber security continue to differ among charities, but it is important that all charities protect the data they hold from cyber crime. “That is why this guide for charities is so welcome – it will help trustees and those working in charities understand what the threats are, and what steps they need to take to minimise the risk of a cyber attack.”

Making use of digital technology

Mandy Johnson, CEO of the Small Charities Coalition, said: “We are proactively encouraging small charities to make more use of digital technology, so the timing of this guidance is especially helpful.”

The UK government has also indicated that it is fully committed to defending against cyber threats and address the cyber skills gap to develop and grow talent. Its behavioural change campaign for cyber security, Cyber Aware, promotes simple measures to stay more secure online.

The publication of the NCSC threat assessment and guidance for charities coincides with the government’s publication of the Cyber aware perceptions gap report, which demonstrates common misconceptions that are preventing people from protecting their online security and suggests how these may be overcome. 

According to the report, there is a large and growing gap between the nature of the threat from cyber crime and public perceptions. In particular, the report finds that a large proportion of the public and small and medium-sized enterprises (SMEs) underestimate the risk of cyber crime and feel powerless to protect themselves against it.

Erik Westhovens, architect and evangelist for digital workspace at IT services firm Insight UK said the key to effective cyber security is to understand that vulnerabilities do not solely originate with technology, but with people.

“And this is true for both private and public sector,” he said. “Our own research showed that only less than two-fifths of UK business leaders hope to achieve improved security when implementing IT solutions. This attitude must change.

“As employees are on the frontline of the cyber security war, more often than not, a breach in security can be down to the behaviour of one individual. Therefore every single person across an organisation is responsible for its security and integrity,” said Westhovens.

Appropriate training and tools

However, Westhovens cautioned that this expectation can be met only if businesses give them the appropriate training and tools to do so. “To encourage proactivity, organisations should establish workshops to discuss how they manage and secure their data, what their environment consists of and how thinking about cyber security works in their practice area,” he said.

Westhovens further recommends that organisations look beyond the IT department to establish good cyber security awareness and practices.

“Training employees must be paired with investment in new technologies such as analytics or artificial intelligence,” he said. “It is only by pairing such tools with strong, all-encompassing training programmes that organisations can best safeguard themselves and their customers from the many threats of today.”

Read more on IT risk management

Data Center
Data Management