NCSC warning over cyber risk to charity sector

Under-resourced charities running services and fundraising activities online are increasingly seen as a soft touch by cyber criminals looking to make a quick buck, and are at risk of malicious actors taking advantage of public generosity during challenging times.

In a newly issued report, the UK’s National Cyber Security Centre (NCSC) highlighted how besides launching cyber attacks against charities, cyber criminals are also “inserting” themselves into the third sector, masquerading as legitimate charities to siphon off bona fide donations from the public, as has been observed in numerous incidences relating to charity drives for Ukraine.

The report also guides charity organisations towards bespoke sector advice, and encourages them to take advantage of the NCSC’s free Active Cyber Defence (ACD) tools, such as Web Check, Mail Check, and the ever-popular Exercise in a Box. Some charitable organisations are also currently eligible for free Cyber Essentials assessment and accreditation.

“The UK’s charities are doing fantastic work every day, and digital services and online fundraising are now playing a crucial role in this,” said NCSC CEO Lindy Cameron. “While it is right that technology should play a part in helping charities, this does open up the possibility of cyber attacks and it is important they understand the risks.

“The NCSC is here to help and I urge all charities to reduce their vulnerability by reading our latest report, following our guidance and making use of the tools available to them,” she said.

Helen Stephenson, chief executive of the Charity Commission for England and Wales, added: “Charities play a crucial role in our society and in every community – they save lives, and they provide many of the services that make life worth living. All charities ultimately rely on public trust and continued public generosity.

“So the impact of any cyber attack on a charity can therefore be devastating, not just for the organisation and those who rely on its services, but also in undermining public confidence and support.

“Taking steps to stay secure online is not an optional extra for trustees, but a core part of good governance. We welcome this report and urge trustees to take early action to protect their charities from cyber harm,” said Stephenson.

There are many reasons why charities are quite so vulnerable to cyber attacks, said the NCSC, including a reluctance to expend limited funds and staff effort on basic security controls, a high-number of casual volunteers untrained in cyber security, and a reliance on bring-your-own-device policies. Many charities also have data on sensitive issues or vulnerable people, making them attractive targets for government-backed actors.

It highlighted a number of recent incidents, including a ransomware attack on the Edinburgh Festival Fringe Society and a business email compromise (BEC) incident at a small, unnamed hospice in the West Midlands, both of which cost thousands of pounds to mitigate.

In the first instance, the Fringe Society found systems and data had been encrypted by ransomware in January 2022. Despite a quick and effective response, and a higher-than-usual degree of preparedness – it had implemented system segregation so its attackers were not able to access everything – recovering from the attack cost £95,000, of which insurance only covered £25,000, forcing the arts charity, which cancelled the 2020 festival due to Covid-19, to dip into its reserves.

The hospice charity, meanwhile, was attacked after a staff member received a phishing email that seemed to be from Microsoft, which asked them to change their password. Later, they received a second email saying this update had not worked, and to re-enter their original credentials.

A day later, one of the hospice’s donors rang to query a strange email they had received from the staff member. A flurry of other calls followed it, at which point the charity turned to its managed services provider (MSP), which found that cyber criminals had taken control of the staff member’s email account and changed the email forwarding rules so that they could not see what their account was sending out. The staff member additionally had access to credit card data on 35,000 users.

Fortunately, the attack was mitigated swiftly, no ransom demand was made, and there was no evidence that the card data was stolen or misused. However, the cost to the hospice was £17,000, money that should have been spent on patient care.

“Even though we have to accept no organisation will ever be 100% secure, we can confidently tell all of our supporters, and those that we care for, that we take the security of their personal data very seriously and have taken every possible step to make our hospice as digitally secure as possible,” said the charity’s operations director

“The reputational damage would have been far worse had we not been honest about a mistake made by a member of staff,” they added.