How can charities combat cyber-crime?

28 June 2017

Cyber-crime is a very real threat, and raising awareness among staff is crucial.

Last year a Third Sector Insight report[i] highlighted that only 14 percent of senior charity employees believed their charity was very well protected against cyber and data risks, suggesting charities need to place far more importance on cyber security.

Charities are as vulnerable to cyber-crime as any other organisation. Not only do they hold valuable stakeholder and donor data, but they can also be perceived as easy targets with less robust systems and controls in place to protect themselves.

Unfortunately, cyber-crime and fraud are on the rise.

The latest figures from The Office for National Statistics[ii] show that in England and Wales there were 3.6 million incidents of fraud and 2 million computer misuse offences. The recent high profile cyber-attack on the NHS, one of the victims of a global ransomware attack that happened in May, highlights that no organisation is safe.

Last year the Institute of Directors[iii] warned that both businesses and charities were not taking cyber security seriously enough. It highlighted a ‘worrying gap’ between awareness of the risks and business preparedness, and said that cyber-crime must stop being treated as the domain of the IT department and should be a board priority.

Losses from fraud and cyber-crime

Estimates of the scale of charity fraud vary hugely, but the most conservative estimates put it at hundreds of millions of pounds each year. Whilst charities can’t eliminate fraud, they need to understand the fraud risks they face, including the growing threat and risk of cyber-crime.

What measures can charities put in place to prevent themselves being victims of cyber-crime?

Fraud and cyber-crime are usually made possible by poor controls; however, it's usually how the controls are used in practice that is the issue. Charities need to think objectively about their risks and develop appropriate controls as part of their overall risk framework. This must include educating their staff about the various controls and measures in place.

The types of cyber-crime charities could fall victim to include hacking, phishing scams, ransomware and mandate fraud, and charities need to identify the key areas of weakness within their organisation that could be exploited by online criminals.

Top tips for preventing cyber-crime

To reduce risk, charities should firstly review their technology systems and ensure they have up-to-date software, firewalls and security systems installed. As the Charity Commission[iv] suggests, they should always install software updates as soon as they become available, as they will often include fixes for critical security vulnerabilities.

Charities should also make regular backups of important files, using an external hard drive, memory stick or online storage provider, ensuring the backup device is not left connected to the network, to prevent malware infections spreading to it. Should they experience an attack, they will have retained most of their data.

While charities operate on tight budgets, it's important their technology is kept as up-to-date as possible. The older the technology, the more open charities are to security risks, so this must be weighed up against the costs. The costs aren't just financial either; the loss of trust if donor and stakeholder details are compromised could take a long time to recover from.

Education and awareness key

Education is paramount in the fight against cyber-crime. While many high-profile cyber-crimes come from hackers breaching security systems, many organisations find their own employees are often at the root of security breaches. Employees must be given advice about not clicking on emails or links they are unsure about.

This is one of the main ways computer viruses spread, so making sure everyone understands this is essential. Raising awareness amongst staff of the common cons used to commit cyber-crime is one of the most important preventative measures and something all charities should be doing.

Other controls charities should include to minimise risk are regular requirements for password changes, as well as monitoring and reviewing which staff have access to data, ensuring access to sensitive data is only given to those whose job requires it.

Developing a policy about the use of personal devices at work is also necessary. With employees increasingly using smart phones and tablets in the workplace to access company data this can compromise data security. This needs to be managed and perhaps restricted if it’s felt to be too much of a risk.

When it comes to managing fraud specifically, charities must ensure they verify all changes to key contacts and that important instructions, including changes to payments, bank details and addresses, are made in writing and followed up by a phone call to the contact. Again, this is something all employees need to be made aware of and ensure they follow.

Whilst no charity can ensure they will be 100% safe, these are just some of the ways charities can protect themselves and prevent themselves being targets of fraud and cyber-crime. Mitigating the risks from cyber-crime within a well-thought-out risk framework is crucial in today's technology-led world and something that must be fully embedded into the workplace culture.

 

[i] http://www.thirdsector.co.uk/cyber-data-security-prepared-charity/article/1417419

[ii] http://www.bbc.co.uk/news/uk-38675683

[iii] http://www.charitydigitalnews.co.uk/2016/03/04/charities-need-to-get-real-about-cyber-security/

[iv] https://www.gov.uk/government/news/regulatory-alert-charities-at-risk-of-cyber-attack

Jonathon Orchard

Jonathon is a partner at Sayer Vincent and has previously worked as a freelance internal auditor in the international development sector and head of consultancy at Mango.
