As of June 2024, there are over 170,000 registered charities in the UK, all of which are at risk of falling victim to online fraud or cybercrime. Charities are an essential part of society, providing support to the worthiest causes and aiding some of the most vulnerable groups and individuals. As such, a cyber-attack can have devastating effects, taking funding and resources away from where they are most needed.
The focus of charities and the way they are structured can make them more likely than other organisations to be successfully targeted by online criminals. Charities tend to rely on the hands of many, functioning with lots of part-time staff and volunteers, who often work from their own devices. As well as this, the important nature of their work means that focus and resources are directed to where they are most needed, which can side-line cybersecurity as an issue to be considered. Inadvertently, this increases their online vulnerability, something which criminals are aware of and will capitalise on. Amongst various issues, insider threat is one of the things that charities should be aware of and vigilant about when considering their cybersecurity.
What Is An Insider Threat?
As the name suggests, insider threats are cyber security threats posed by those that work within an organisation. This could be current or former employees, volunteers, contractors, or partners. They can be malicious, coming from somebody with a particular agenda, such as espionage, fraud, or sabotage. However, many insider threats are accidental, resulting from careless or negligent cyber security behaviours.
In a charity, malicious insider threats could occur if somebody takes strong ethical issue with the work of the charity, or if they feel they have been mistreated or wronged in a particular way. For a disgruntled employee, expressing their grievance through a cyber-attack is a way to cause chaos and damage to the organisation, or to prevent the charity from performing its day-to-day functions.
On the other hand, accidental insider threats can occur completely by mistake, simply because somebody is unaware or unclear about what safe working practice looks like online. For example, many charities let their volunteers and employees work from their own devices, otherwise known as Bring-Your-Own-Device (BYOD). Storing sensitive organisational data on unsecured personal devices increases the vulnerability of that data. The user may be visiting other websites in their own time that could be infected with malware, or accessing a personal email inbox which may contain lots of spam and phishing emails. Things which would not be accessible on a centrally managed organisational device are readily available, increasing the potential attack surface for a criminal.
Additionally, charities may not have the assets to invest in thorough training, meaning their employees and volunteers may not be vigilant to what an online threat looks like. Phishing is one of the most common forms of cybercrime, where criminals send seemingly legitimate emails, attempting to trick their victims into clicking an infected link or downloading a malicious attachment. For a charity, this email could appear to come from a donor or client and may be difficult to spot. Falling victim to a phishing email and subsequently revealing sensitive information about the charity or any login credentials is an accidental insider threat, but it is a risk that can be reduced with training and awareness. Phishing attempts often share certain characteristics, such as a sense of importance or urgency, encouraging the recipient to act quickly. Knowing what to look for reduces the chances of a phishing attempt being successful, avoiding a cyber incident caused by the actions of somebody within the charity.
How Can Insider Threats Be Mitigated?
There are various things that can be done to reduce the risk of insider threat within a charity. Firstly, taking the time to understand the data which the charity holds allows stakeholders to identify what data is sensitive and put in place the necessary permissions and protections to safeguard it. From there, formulating a clear policy about safe online working means that everybody is aware of what they can and cannot be expected to share online, as well as what being safe looks like. This could involve encrypting certain data, forbidding any work being done over public Wi-Fi connections, or requiring the use of a VPN for work activity.
Additionally, with charities relying on support from so many individuals, it is important that they have a clear process for what happens when somebody no longer works or volunteers for them. Ensuring that people’s data access is regularly reviewed helps to protect against any former volunteers or employees being able to access things they should not, reducing the risk of a malicious insider threat. This goes hand in hand with having appropriate data permissions for everybody. Depending on people’s roles, volunteers and employees should not be able to access sensitive data that is not pertinent to their work, and there should be solutions in place to ensure this.
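One way to put the leaver process and role-based permissions described above into a repeatable check, as an added example that is not part of the ECRC article: a small access review that cross-references an exported permission list against the staff and volunteer roster. The roles, people and data categories are constructed sample data, and the idea that the charity can export both lists is an assumption.

```python
# Added example: periodic access review for a charity mixing staff and volunteers.
# All roles, names, systems and dates below are constructed, not real accounts.

# Constructed role model: which data categories each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "caseworker": {"beneficiary_records", "shared_drive"},
    "fundraiser": {"donor_records", "shared_drive"},
    "volunteer": {"shared_drive"},
    "trustee": {"finance", "shared_drive"},
}

# Constructed roster as an HR or volunteer coordinator might export it.
# end_date is an ISO date string, or None while the person is still with the charity.
ROSTER = [
    {"user": "amira", "role": "caseworker", "end_date": None},
    {"user": "ben",   "role": "volunteer",  "end_date": "2024-03-31"},  # already left
    {"user": "chloe", "role": "fundraiser", "end_date": None},
    {"user": "dev",   "role": "volunteer",  "end_date": "2024-06-30"},  # on notice, still active
]

# Constructed permission export from the charity's systems: (user, data category).
ACCESS = [
    ("amira", "beneficiary_records"), ("amira", "shared_drive"),
    ("ben",   "shared_drive"),                                          # leaver still enabled
    ("chloe", "donor_records"),       ("chloe", "beneficiary_records"),  # beyond her role
    ("dev",   "shared_drive"),
    ("erin",  "finance"),                                               # nobody on the roster
]

def review_access(roster, access, today):
    """Return (user, resource, reason) findings a coordinator should act on.

    today is an ISO date string; ISO dates compare correctly as plain strings,
    so a person whose end_date is earlier than today is treated as a leaver.
    """
    people = {p["user"]: p for p in roster}
    findings = []
    for user, resource in access:
        person = people.get(user)
        if person is None:
            findings.append((user, resource, "no roster entry: orphaned account"))
        elif person["end_date"] is not None and person["end_date"] < today:
            findings.append((user, resource, "leaver still has access"))
        elif resource not in ROLE_ENTITLEMENTS[person["role"]]:
            findings.append((user, resource, "not needed for role " + person["role"]))
    return findings

if __name__ == "__main__":
    for finding in review_access(ROSTER, ACCESS, "2024-06-01"):
        print("%-6s %-20s %s" % finding)
```

Running the same review again after dev's end date shows how the check picks up a new leaver without any change to the rules.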
Security Awareness Training is another valuable investment for charities that not only reduces the risk of insider threat but also improves the overall cybersecurity position of the organisation. Training teaches what the online risk profile looks like for charities, how people can keep themselves safe online, and what to look out for in terms of a potential attack. Not only does this reduce the chances of an accidental insider threat, but it also reinforces any policies the charity has around working online. If people are aware of why they are being asked to do something, they are more likely to do it, as well as more likely to report something suspicious as soon as they see it.
How Can The ECRC Help With This?
Joining the ECRC as a free member ensures that your charity and staff are supported in implementing simple changes to improve cyber resilience. When you join as a free member, you are automatically enrolled onto our email programme, which sends you bite-sized cybersecurity information, as well as practical changes to your day-to-day working habits that you can implement quickly and easily.
Additionally, the ECRC's communications regularly signpost the various free policing and NCSC resources that exist to support small businesses and charities. To name a few, the NCSC's Small Charity Guide, Exercise in a Box and Cyber Action Plan are all fantastic free resources that help organisations to take stock of their current cybersecurity position and begin implementing the necessary changes to improve their cyber resilience. Amongst others, these can all be found on our website.
Finally, Security Awareness Training (SAT) is offered by the ECRC for any charity that may be interested. This is delivered by students working as part of the CyberPATH programme. Through CyberPATH, students are trained and monitored by senior ethical hackers to provide a selection of services, which supports the future cyber talent pipeline and keeps the cost to a minimum. Training can be delivered as either a full or half day and is tailored to the needs of its specific audience. It is designed to be contextually relevant and accessible for all abilities.
The work done by charities is of critical importance and deserves to be protected. Whilst it may not appear to be an urgent issue, making preventative investments into cyber resilience helps safeguard these organisations and saves vast amounts of time and money further down the line. Any costs incurred securing a charity will always be far outweighed by the potential financial, emotional, and reputational costs of a cyber-attack. Take the first step today and join the ECRC as a free member.
If you are a charity concerned about insider threat, or have any questions about cyber resilience and how the ECRC can help you, please book a chat with us today!
Reporting a live cyber-attack 24/7:
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.
Reporting a cyber-attack which is not ongoing:
Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.
Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).