Charities play a crucial role in providing support and services to people and wildlife across the globe. As of 2023, there were 169,029 registered charities in England and Wales, whose finances rely heavily on donations and the good will of the public. Due to the nature of their work, a cyber-attack can have devastating consequences for a charity, disrupting potentially life-saving support and undermining public trust and confidence. Additionally, a cyber-attack can take money away from where it was meant to be going, incurring unknown costs that can cause irreparable damage.

Charities vary massively in size, ranging from internationally recognised organisations to local community groups. This variability in size as well as the nature of the work can mean that charities may be reluctant to spend resources, money, and staff on cybersecurity, instead of other things. Subsequently, this can make charities more vulnerable to online fraud and cybercrime, with criminals seeing them as an attractive target. For this reason, it is essential that charities of all sizes are aware of the free and affordable cybersecurity resources that exist to support them. This allows charities to improve their cybersecurity position, saving them valuable money and allowing them to continue their work safe in the knowledge that they have taken measures to protect their organisation.

What makes charities a target for cybercrime?

Charities may be targeted in numerous ways by cybercriminals, however there are certain online behaviours that can increase online vulnerability. Firstly, the structure of many charities involves lots of staff and volunteers working part time. This may make it more difficult to coordinate cybersecurity training for workers, and for safe online working procedures to be absorbed. Furthermore, charities are more likely to rely on their staff using personal IT to do their work, otherwise known as Bring Your Own Device (BYOD). Operating in this way makes it more difficult to ensure the security of these devices, without being centrally regulated by an IT department. Mixing online working with personal use of the internet and social media increases the likelihood of somebody unintentionally visiting a suspicious website of installing malware through phishing.

In terms of how charities are targeted, the attack vectors are similar to those used towards other businesses and individuals. Phishing is a common threat, where criminals use emails, texts, or phone calls to trick somebody into downloading an attachment or clicking a link that is embedded with malware. Phishing attempts take various forms and range from being simplistic and obvious to sophisticated and convincing.

Business Email Compromise (BEC) is a specific type of phishing, where the criminal uses social engineering to gain access to a business email account, before using the account itself to redirect payments to fraudulent bank accounts. For an organisation using BYOD and work from home policies, this could go unnoticed until it is too late.

Ransomware also poses a threat, where malware is used to encrypt charity data or systems, extorting them for money in exchange for decryption. This is particularly costly and can also compromise sensitive and personal information that is pertinent to those that the charity supports.

Finally, criminals can also exploit the credible nature and positive reputation of charities to lure donors into giving money, by setting up fake charities or impersonating real ones on illegitimate websites. This can harm the reputation of a charity and redirect resources from where they should be going.

How can a vulnerability assessment help?

One way to become more resilient to the possibility of a cyber-attack is to take stock of any online vulnerabilities that hackers can exploit. At the ECRC, in addition to our free resources and tools, we also offer several affordable services to help identify such vulnerabilities, at a cost that is affordable for many SMEs.

Our services are provided by students, who are employed on the Cyber Path talent pipeline. These local students are mentored and monitored by senior ethical hackers, facilitating hands-on training for those who may become the future leaders in the fight against cyber-crime. This not only makes their services more affordable than those provided by commercial companies, but by utilizing their skills you are supporting the next generation of cyber-talent.

Web Application Vulnerability and Threat Assessment:

This service assesses your website and web services against the top ten security risks, searching for weaknesses and vulnerabilities. Service reporting outlines any weaknesses in plain language, explaining what it means and providing guidance on how to improve.

Remote Cyber Vulnerability and Threat Assessment:

This involves reviewing your charities’ internet connection remotely, in the same way an attacker would. These are not penetration tests with the goal of complete system compromise and control, rather tests focused on identifying weaknesses that could be used by attackers to achieve those ends. Service reporting is then provided in plain language to explain the findings.

Internal Cyber Security Audit, Vulnerability and Threat Assessment:

This requires access to your internal network to simulate somebody who has gained illegitimate access. It will scan and review your internal networks and systems for elements including poorly maintained or designed systems, insecure Wi-Fi networks, insecure access controls, or opportunities to access sensitive data. Again, service reporting will describe what each weakness means, the risks associated, and guidance on how to fix them.

If you receive a troubling service report and choose to take remedial action, the ECRC partners with several cybersecurity companies who can help you to manage this, however there is no obligation to do so. The ECRC also offers Staff Awareness Training, which is a fantastic option to help educate workers and volunteers about the top cybersecurity risks online as well as how to work safely.

What should you do next?

Signing up as a free member of the ECRC allows you to receive the benefits of our email journey. This allows you to build your cyber resilience gradually through the form of actionable weekly tasks. These emails are concise and designed to be accessible for a non-technical audience.

Being part of the ECRC also signposts you towards relevant resources that are designed to support your charitable organisation. Online assets such as the NCSC’s Small Charity Guide are a fantastic place to learn more about the risk profile and cyber resilience of your organisation.

Finally, if you would like further information on vulnerability assessments or wish to chat about the cyber resilience of yourself or your business, you can book a chat with us here.

Reporting a live cyber-attack 24/7:

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.

Reporting a cyber-attack which is not ongoing:

Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050)