The simplest answer to this question is maybe – so read on to find out what additional vulnerabilities your charity may have from the people who work for you – both paid staff and volunteers.
One of the biggest assumptions made by charities around cybercrime is that they won’t be affected as they don’t have anything of value to hackers and scammers.
If that were true, it would not explain the fact that over a third of our region's charities have fallen victim to a cyber-attack during the course of the pandemic. Here we will explore why charities are so vulnerable, and how you can work with us to help reduce your chance of becoming a victim in 2022.
Insider threats generally come in two forms.
Malicious – often a disgruntled fired employee who wants to get back at their former company, though they can also be employees still working at the company. In that case they may be part of an organised crime network or an individual looking to harm the company through fraud, IT sabotage, intellectual property theft or espionage.
Accidental – employees who unintentionally expose confidential data through poor cyber hygiene, weak passwords or similar.
Whichever form they take, they contribute to a significant number of data breaches every year.
According to the ICO
In many cases breaches by former employees stem from an organisational failure to identify a change in employee status at the point the employee leaves the company – a classic disconnect between HR and the IT company responsible for data security. Some companies are more vulnerable to this than others – it often occurs where there is a high turnover of staff or where the HR function is outsourced. Joined-up IT and HR policies and procedures are key to helping companies combat the threat and make it more difficult for insiders to operate.
In one highly publicised case a charity co-ordinator defrauded charitable funds to a value of over £45,000.
The fraudster was responsible for paying charity bills but was not an authorised signatory on the charity's bank account. The fraudster obtained the bank account login details of a member of the senior management team and used them to set up fake payees in the names of genuine third parties. The funds were then transferred to the fraudster's own bank account.
Bills were then falsified, and the fraudster used the same bank login details to authorise the false bills. When the charity conducted its weekly bank account checks, the checks showed trusted partners being paid, although in reality these were false payments to the fraudster's personal bank account.
The fraud was carried out over a period of 6 months and was only detected when the fraudster admitted it.
The charity's bank was contacted to block the false payees and disable the fraudulently accessed login details. An internal investigation was carried out on the charity's bank account and its transactions to establish the full extent of the fraud. All payments made during the period that the fraudster was employed were reviewed.
The investigation also considered the potential for wider collusion. Appropriate reports were made to the relevant authorities, including the Charity Commission and the police.
The fraudster’s employment was also terminated, though the money was never recovered.
The impact of this insider attack is clear to see – both economically and reputationally.
And it was able to occur simply because the charity did not have simple security controls in place for staff within the organisation.
Threats like these are amongst the most difficult to guard against; however, there are some key considerations for companies.
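As an added example (not from the original post or the ECRC), here is a weekly payment review in Python that applies the lesson of this case: it checks each payee's bank details against a supplier master list rather than trusting the payee name, and it flags payments where the same login both raised and authorised them. The supplier list, logins and payments are constructed sample data.

```python
from dataclasses import dataclass

# Constructed supplier master list: the genuine third parties the charity pays,
# keyed by name with the bank details (sort code, account number) on record.
SUPPLIER_MASTER = {
    "Hall Hire Ltd": ("11-22-33", "12345678"),
    "Print Co": ("44-55-66", "87654321"),
}


@dataclass
class Payment:
    ref: str
    payee_name: str
    sort_code: str
    account_no: str
    created_by: str     # login that set up the payee / raised the bill
    authorised_by: str  # login that approved the payment


def review_payments(payments, master=SUPPLIER_MASTER):
    """Return (ref, reason) pairs for payments the weekly check should escalate."""
    findings = []
    for p in payments:
        expected = master.get(p.payee_name)
        if expected is None:
            findings.append((p.ref, "payee not on supplier master"))
        elif (p.sort_code, p.account_no) != expected:
            # The name matches a trusted partner, but the money goes elsewhere.
            findings.append((p.ref, "payee name matches a supplier but bank details differ"))
        if p.created_by == p.authorised_by:
            # No segregation of duties: one login raised and approved the payment.
            findings.append((p.ref, "same login raised and authorised the payment"))
    return findings


# Constructed sample: a genuine payment, a look-alike payee set up and approved
# under one borrowed login, and a payee nobody has vetted.
SAMPLE = [
    Payment("P1", "Hall Hire Ltd", "11-22-33", "12345678", "coordinator", "treasurer"),
    Payment("P2", "Hall Hire Ltd", "99-88-77", "11112222", "treasurer", "treasurer"),
    Payment("P3", "Unknown Trader", "99-88-77", "11112222", "coordinator", "treasurer"),
]

if __name__ == "__main__":
    for ref, reason in review_payments(SAMPLE):
        print(ref, reason)
```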
You can contact the Cyber Resilience Centre for guidance and support through our e-mail or use our online booking system to make an appointment with one of our team.
We recommend that all businesses in the Eastern region consider joining our growing community as a free member. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.
The ECRC is a policing-led, not for profit, membership organisation, with the aim to increase the cyber resilience within small and medium businesses within the East of England (Hertfordshire, Bedfordshire, Cambridgeshire, Norfolk, Suffolk, Essex, and Kent).
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).
Policing led - business focused.