
For the majority of people, even the thought of stealing from a charity would be abhorrent. But the reality is that cybercriminals do not discriminate when choosing their victims.
With the growth of online fundraising and digital operations, driven in part by the pandemic, over half of UK charities (51%) now hold electronic records on their customers and 37% enable people to donate online.1 A larger digital footprint means a larger attack surface, and with it a greater responsibility to keep that data safe.

Despite this larger digital footprint, a recent survey by the Charity Commission has highlighted some concerning statistics about cyber awareness in the sector.
The Charity Commission's report found that one in eight charities experienced cybercrime last year.1 And according to the UK government's Cyber Security Breaches Survey 2022, of the charities that did identify attacks, 26% estimate they were attacked at least once a week.2
Only 34% of charities affected by cybercrime reported the breach to the regulator. That low figure suggests two things: firstly, many organisations underestimate the seriousness of a data breach; and secondly, the amount of online fraud actually taking place in the sector today is significantly under-counted.

The nature and impact of cyber-attacks
Cybercrime in the charity sector can take many forms, such as phishing and ransomware attacks, online invoice fraud, disgruntled employees (insider attacks) and attacks by ‘hacktivists’ targeting the organisation if they disagree with its purpose or are motivated by a specific cause.
The impact of a cyber incident for a charity can be devastating. Recovering from an attack can be costly in terms of network and data recovery, fines and potential liability claims. If the incident response is too slow, it can lead to prolonged disruption to services which can impact the organisation and, crucially, its service users.
A further consequence of a cyber incident is that it can lead to significant reputational damage for the organisation and its directors. This damage can far outlast the impact of the incident itself.

When should you report a cyber-attack?
If a cyber-attack or other cyber incident (for example, one caused by human error) results in a personal data breach that is likely to pose a risk to the people affected, you must report it to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. Breaches that do not meet that risk threshold do not have to be reported, but you must still record them internally and be able to justify the decision. The 72-hour clock starts when you become aware of the breach, not when your investigation is complete, so you need a process that detects and escalates incidents quickly.
A 'personal data breach' is defined as a breach of security leading to "the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data."3
If your organisation has experienced a serious incident of online fraud, it is also important to consider contacting the Charity Commission. This can help the regulator to identify trends and patterns of online fraud, and help prevent others from falling victim to similar incidents.
How can charities protect their organisation?
There are some simple actions you can take to improve your organisation's cybersecurity: enable multi-factor authentication on all accounts, starting with email and cloud services; keep operating systems, applications and anti-virus software patched and up to date; and keep off-site (cloud) back-ups of your data. Because ransomware routinely targets back-ups, at least one copy should be held where it cannot be altered or deleted from the compromised network, and you should test restoring from it regularly. Employee cybersecurity training should also be conducted and refreshed regularly.
Partnering with a cyber risk management specialist can be invaluable as they will be able to highlight your digital vulnerabilities and help you put the necessary systems and protocols in place. Gallagher’s Cyber Risk Management Practice can help charities strengthen their defences through a range of services, including cybersecurity auditing, testing and training.