Dafferns

Cyber security and data protection for charities

In our May 2020 newsletter we commented on the increase in attempted frauds and cybercrime against charities. Indeed, our own grant-giving clients have been telling us about the increase in attempted grant fraud they have seen during the pandemic, and most have also seen an increase in cyber scams.

To protect your charity, we look at 5 key questions you need to be asking:

  1. Are your staff aware of the types of attempts that can be made?
    • Phishing – the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
    • Smishing – the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.
    • Vishing – the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.
    • USB devices – once plugged in, a malicious USB device can present itself to the computer as a keyboard and type pre-written commands, bypassing controls that only inspect files. Staff should never connect unknown or found devices.
       
  2. Do your staff know what to do if there is an attack?  
    • Who should staff report their concerns to? Do you have internal IT support or use an external service?  The worst thing any employee can do is nothing. Staff need to feel able to raise concerns and know who to send them to, so that they can be dealt with promptly and before any breach affects or infects other systems.
    • Have staff had training around what to do including a practice scenario?
       
  3. Do you have safeguards in place to mitigate either the risk of a successful breach or the impact should a breach occur?
    • Do your systems require multi-factor authentication (MFA)? This means that, after entering a password, the user must also supply an access code generated on or sent to a separate device (an authenticator app, a hardware token or, less robustly, a text message), so that a password stolen through phishing or a compromised device is not on its own enough to log in.  For users of Xero software this extra layer of protection will become mandatory this summer.
    • Do you install updates promptly? Updates often include fixes for known weaknesses; the longer these remain uninstalled, the greater the chance of a breach succeeding.
    • Do you take regular backups of your servers and data? Should a breach occur, a recent backup can allow systems to be restored with minimal disruption. Keep at least one copy offline or otherwise out of reach of your everyday accounts, since ransomware will try to encrypt or delete any backup it can reach, and test that you can actually restore from it.
    • Connected devices (IoT, the internet of things) – where other systems operate on your network (security cameras, video doorbells, etc.), ensure that you change the default passwords, as these are published and easily compromised.
       
  4. Do you have suitable insurance cover?
    • Cyber security insurance is one of those policies where using a broker is the best way to ensure you have cover appropriate to your needs, and that you understand which safeguards you must maintain for the policy to pay out in the event of a claim.  The quality of cover varies widely, so it is always worth understanding exactly what your provider will do when a breach occurs or a claim is made.
       
  5. In the event of a data breach and the loss of data, do you have a plan in place?
    • Have you considered how you will go about informing those affected? This can have the biggest impact on your reputation. Under the UK GDPR a breach likely to result in a risk to individuals must also be reported to the Information Commissioner's Office within 72 hours of becoming aware of it. An example of where such an incident has been handled well: in a 2020 data breach experienced by Compassion UK, the charity acted immediately to notify all supporters on its database that their data may have been compromised and provided a service (via its insurance policy) to allow supporters to check whether they had been affected.

To find out more on Cyber Essentials and how to protect your charity, visit the National Cyber Security Centre website.