The charity sector, despite its humane mission, is not immune to cyber threats. Charities collect and manage valuable information, including user details, financial records, and personal data of beneficiaries, making them prime targets for cyber breaches or attacks. In the last 12 months, UK charities have encountered approximately 924,000 cybercrimes of various types1.
The impact of cyber threats on digital operations and service delivery of charities:
- 32% of UK charities reported some form of cyber security breach or attack in the last 12 months1.
- 38% of cyber-attacks on charities affected the service, resulting in 19% adverse outcomes2.
- 39% of charities report seeking information or guidance on cybersecurity from outside their organisation1.
Our Gallagher Cyber Risk Management team has identified the most frequent cyber threats faced by the charity sector and provided practical advice to avoid these:
Phishing attacks
Phishing remains one of the most common types of cyber breaches or attacks, with 83% of charities reporting a phishing attack in the last 12 months1. Cybercriminals often impersonate organisations or individuals to trick employees into divulging sensitive information such as login credentials or financial details.
Gallagher Cyber Risk Management remedial advice: Prioritise employee training on recognising suspicious emails and requests for sensitive information. Keep software updated regularly, implement email filtering systems to stop phishing attempts, and enable multi-factor authentication for added security.
Data breaches
Charities often handle sensitive user information, including their financial details and personally identifiable information. Data breaches resulting from cyberattacks can lead to exposure of sensitive data, potentially violating regulations.
Gallagher Cyber Risk Management remedial advice: Implement strong access controls and encryption for sensitive data, conduct backups, update systems on regular basis, scrutinise third-party vendors rigorously, and establish robust incident response strategies.
Ransomware
Cyber criminals encrypt an organisation’s critical data and demand a ransom for its release. Given the importance of data integrity for charities, ransomware can potentially disrupt the organisation’s operations and break user trust.
Gallagher Cyber Risk Management remedial advice: Educate staff on identifying phishing emails and suspicious links, implement a robust backup strategy, segment networks to restrict access to sensitive data, and stay updated on the latest ransomware trends and techniques.
Supply chain attacks
Charities depend on third-party vendors for services such as fundraising platforms, IT support, and cloud services. However, these vendors can introduce vulnerabilities into the organisation’s infrastructure, which becomes a potential entry point for cyber attackers. Only 26% of charities have undertaken cyber security risk assessments in 20231.
Gallagher Cyber Risk Management remedial advice: Implement vendor security assessments, use secure communication channels such as encrypted emails or secure file transfer protocols, monitor supplier activity on your network, and establish clear contractual obligations.
Insider threats
While charities typically have passionate staff, insider threats cannot be ignored. Unhappy employees or volunteers may intentionally or unintentionally compromise the organisation's security by leaking sensitive information or engaging in malicious activities.
Gallagher Cyber Risk Management remedial advice: Implement monitoring tools to track employee actions, establish clear policies and procedures for handling sensitive information, limit access to sensitive and confidential data, and provide regular security awareness training to employees.
Range and ramifications of cyber threats
Cyber-attacks on charities can take different forms, such as phishing, ransomware, online invoice fraud, insider threats, and activism-driven hacking. The repercussions of these incidents extend beyond immediate financial losses to network and data recovery expenses, potential fines, and liability claims. However, the reputational damage that undermines stakeholder trust and stymies service delivery could potentially be more harmful.
The significance of incident reporting
Reporting a cyber incident immediately upon its discovery is a regulatory obligation and a critical step to mitigate damage and aid the fight against cybercrime. The Information Commissioner's Office (ICO) mandates reporting of data breaches within 72 hours — and stresses the importance of promptly acknowledging and addressing cybersecurity lapses. Beyond compliance, reporting facilitates pattern recognition and establishes preventative measures across the sector.
Fortifying charities against cyber risks
Charitable organisations are responsible for ensuring their system's security and enabling optimal risk management strategies in light of impending cyber-attacks. Charities can considerably enhance cybersecurity by implementing simple measures, including multi-factor authentication, updating anti-virus software, and maintaining cloud backups. The focus should also be placed on updating staff and conducting regular cybersecurity training to minimise the risk of cyber-attacks. Collaborating with experts in cyber risk management can help charities identify vulnerabilities, enforce protections, and stay ahead of evolving cyber threats.
To find out more, please get in touch with Gallagher's Charities SME & Mid-Market Team or call us on 0121 407 4101. We’re here to support you.