The National Cyber Security Centre (NCSC) have produced a guide to help charities understand current cyber security threats and to point out to what extent the sector is affected and whether it is being targeted, and, crucially, where charities can go for help.

The National Cyber Security Centre (NCSC), a part of GCHQ, is the UK’s technical authority for cyber security.

Since the NCSC was created in 2016 as part of the Government’s National Cyber Security Strategy, it has worked to make the UK the safest place to live and work online.

The Charity Commission for England and Wales registers and regulates charities in England and Wales, to ensure that the public can support charities with confidence. It works in partnership with the NCSC to enhance the cyber resilience of charities.

This latest report draws on consultation with experts within the NCSC, other government departments and open sources, and was written with the support of The Charity Commission for England and Wales.

Charities in the UK range from large, internationally recognised organisations to small, local community ones.

The range of activity by UK charities is diverse, benefitting many sections of society, both here and overseas. All charities with an annual income of over £5,000 are required to register with a UK charity regulator.

The DCMS Cyber Security Breaches Survey measures the policies and processes organisations have for cyber security, and the impact of breaches and attacks.

In the 2022 survey, 30% of UK charities identified a cyber attack in the last 12 months. Of those attacks, 38% had an impact on the service with 19% “resulting in a negative outcome”.

Why is the charity sector particularly vulnerable?

The charity sector faces the same cyber risks as private sector and government organisations but there are some reasons why charities could be particularly vulnerable to a cyber attack:

• Charities are attractive targets for many hostile actors seeking financial gain, access to sensitive or valuable information, or to disrupt charities’ activities
• Charities may feel reluctant to spend resources, money, oversight and staff effort on enhancing cyber security rather than on front line charitable work. In fact, charities are less likely than businesses to employ technical cyber security controls.
• Charities have a high volume of staff who work part time, including volunteers, and so might have less capacity to absorb security procedures
• Charities are more likely to rely on staff using personal IT (Bring Your Own Device) which is less easy to secure and manage then centrally issued IT (64% of charities report their staff regularly using their own devices, vs 45% of businesses)
• And finally, the impact of any cyber attack on a charity might be particularly high as charities often have limited funds, minimal insurance coverage and, by their very nature, are a supplier of last resort providing services where there is insufficient government or affordable private sector alternatives. Only 22% of charities have cyber security insurance as part of a wider insurance policy, and only 5% have a specific cyber security insurance policy. The lower the charity’s income, the less likely they are to have cyber security insurance.

Lindy Cameron, the Chief Executive Officer at NCSC, said:

"More charities are now offering online services and fundraising online, meaning reliable, trusted digital services are more important than ever.

During the Ukraine crisis, we saw more criminals taking advantage of the generosity of the public, masquerading as charities for their own financial gain.

Cyber attacks affecting services, funds or compromising sensitive data can be devastating financially and reputationally, potentially putting vulnerable people at risk.

The NCSC continues to support this vital sector and encourages all readers of this report to implement the guidance within it."

Helen Stephenson, Chief Executive of the Charity Commission for England and Wales, added:

"Charities play a crucial role in our society and in every community. They save lives, and they provide many of the services that make life worth living.

All charities ultimately rely on public trust and continued public generosity. So the impact of any cyber attack on a charity can therefore be devastating, not just for the organisation and those who rely on its services, but also in undermining public confidence and support.

Taking steps to stay secure online is not an optional extra for trustees, but a core part of good governance. We welcome this report and urge trustees to take early action to protect their charities from cyber harm."

Who might target the charity sector?

Like any other organisation, charities are increasingly reliant on IT, and cyber criminals make no distinction between charities and business.

They often rely on supplier organisations to handle financial transactions, or to provide

technical support. Even if a charity is not targeted, the organisations in their supply chain may be

Cyber criminals

Cyber criminals are motivated by financial gain. They may seek to directly steal funds held by charities or seek to capitalise indirectly through fraud, extortion or data theft.

Cyber criminals vary from advanced, professional groups to small-scale fraudsters. The technical skill required to commit cyber offences varies depending on the goal of the attacker and some of the tools required are available through online criminal forums.

There is growing availability of criminal services for hire; the offender can buy ‘off the shelf’ services from another criminal group and so do not need to have advanced technical skills themselves.

This change has led to an increase in the scale of cyber crime and a less targeted approach to victims - criminals will indiscriminately target all organisations.

This means cyber criminals, rather than targeting organisations specifically, will attack thousands of organisations using largely automated tools that require little technical knowledge. A charity with few resources could be devastated if caught up by (for example) a ransomware attack.

They are more vulnerable to attack, perhaps via unpatched vulnerabilities on unmanaged devices, or due to untrained volunteers and staff.

Once attacked, a relatively small financial or reputational loss may be disastrous.

Nation States

Nation states conduct cyber activities to further their own national agenda and prosperity, or to disrupt professionals working on issues the state disagrees with, including human rights or those wanting regime change.

Russia, Iran and North Korea have all been identified as using criminal actors for state ends, operating to raise funds and cause disruption using criminal malware techniques.

While they are unlikely to specifically target charities as a sector the range of hostile activity is so broad that UK charities will have been victims.

The UK charities most at risk from nation state attacks are those that operate either directly, or through local partner organisations, overseas.

Others that could be at risk are those which play a role in helping formulate and deliver UK domestic and foreign policy.

State actors, for example from China, have also used cyber techniques against UK institutions for Intellectual Property theft which is a risk for charities working on science or technology.

Hacktivists

Hacktivist is a term used to describe computer hackers motivated by a specific cause, for example to further political or personal agendas or in reaction to events or actions they perceive as unjust.

Hacktivists have successfully used distributed denial of service (DDoS) attacks to disrupt websites, or have exploited weak security to deface them.

The charity sector is not a priority target for hacktivists, but even a limited website takedown or defacement could have financial, operational or reputational implications.

There are examples of hacktivist groups launching cyber attacks against government and private sector websites so charities that support contentious issues could be at risk of attack.

Insider Threat

Insider threat is the deliberate or accidental threat to an organisation’s security from someone who has authorised access such as an employee, volunteer, contractor or supplier.

Malicious insiders can pass on credentials to attackers or conduct activities such as stealing data. They may be motivated by a variety of reasons such as a grievance against the organisation, ethical concerns about its activity or have financial pressures leaving them vulnerable to coercion.

However, insider threats are not always malicious. Employee breaches of security can stem from unclear or onerous processes, lack of training or simply mistakes.

Insiders are a risk to any organisation but charities may be more vulnerable due to a high turnover of staff, for example if a lot of volunteers are involved, and if there is limited staff training or security monitoring.

Supply chain attacks (suppliers and third parties)

Cyber threats may not come from direct attacks on charities but they could still be affected.

It is common, especially for smaller charities, to outsource the responsibilities for running, maintaining and securing their IT and data to specialist support companies.

Charities may also share data with external organisations such as marketing companies.

Cyber criminals and other groups may be able to gain access to charities’ networks and/or information through these companies.

The main methods of cyber attack

Phishing

‘Phishing’ is when criminals use scam emails, text messages or phone calls to trick their victims. The aim is often to make you visit a website, which may download a virus onto your computer, or steal bank details or other personal information.

Phishing is often untargeted, in the form of a mass email, text or cold calling campaign.

However an attacker may use more targeted information to make their messages more persuasive and realistic (sometimes known as ‘spear phishing’).

The outward facing nature of charities, culture of trust in the sector, reliance on volunteers, staff members using personal IT, and reluctance to spend limited funding on cyber security training and measures could make them particularly vulnerable to criminality.

Fake organisations and websites

Criminals can exploit the credibility and appeal of charities to trick donors into giving money to what appears to be a legitimate charity, or they can set up fake charities or impersonate well-known charity names to add credibility in phishing campaigns.

Although not directly targeting charities by cyber means, this activity has potential financial and reputational ramifications for genuine charities.

Business Email Compromise

Business Email Compromise (BEC) is a form of phishing attack where a criminal attempts to trick someone into transferring funds, or revealing sensitive information.

In BEC a cyber criminal initially compromises a business email account through social engineering or computer intrusion techniques. After using this access to check out the organisation, the criminal then pretends to be the account owner over email or phone conversations to redirect payments to fraudulent bank accounts.

BEC actors can create auto-forwarding rules within email to decrease the victim’s ability to observe fraudulent communications.

This attack route took advantage of the shift to remote working during the pandemic, with staff working in isolation at home and their IT less able to be monitored for unusual activity.

Ransomware

Ransomware is the most harmful cyber crime threat to the UK today. It is a type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files.

A criminal group will then demand a ransom in exchange for decryption, while threatening to delete or leak the data they have stolen.

The technique is now so evolved that criminal groups offer Ransomware as a Service (RaaS), whereby ransomware variants and commodity listings are available off the shelf for a one-off payment or a share of the profits.

How you can mitigate the risks

• Read and implement the NCSC’s guidance that has been especially created for charities
• Consider using the NCSC’s Active Cyber Defence services, which can provide a range of automated protections, free of charge to charities
• Improve your staff (and volunteers’) cyber awareness by taking advantage of our Security Awareness Training
• Make sure the charity’s board understands its responsibility regarding cyber security, and knows what questions to ask
• Use Cyber Essentials, a government-backed scheme that will help protect your organisation from cyber attacks (and convince potential donors that you take cyber security seriously). At the time of writing (January 26, 2023), IASME and the NCSC are offering small charities the chance to achieve Cyber Essentials and Cyber Essentials+ for free using some of the UK's leading tech experts (including some of our Trusted Partners) as certifiable bodies.
• Contact the EMCRC for further advice, services or advice on what you can do to mitigate the risks to your charity or if you have been the victim of a cyber-crime.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).