A report on Cyber Security among Charities, commissioned by the government and conducted by Ipsos MORI was published on 21 August 2017. The research was based on 30 charities of different sizes. The findings showed that many UK charities are too complacent regarding the threat posed to their operations by cyber security breaches.
The report highlighted that two main barriers for making cyber security a priority were:
- a lack of money; and
- a lack of knowledge regarding cyber security .
The report also revealed that while some charities considered that it was important to be fully informed about cyber threats, others thought that this risk was only significant to businesses. Researchers also found that charities that were interviewed did not generally have staff with technical skills that could deal with cyber security.
As a charity you may often have financial constraints and as a result staff and volunteers may be given insufficient or no training in this area. You may also not have the resources to invest in software and therefore do not prioritise information security. As a result the impact a breach could have on your work is often underestimated. The Charities Commission has identified 3 areas in which you are at risk. These are:
- fraud, financial crime, and financial abuse;
- safeguarding issues; and
- abuse of charities for terrorist-related purposes.
A cyber attack on a small UK-based charity last year, where terrorist propaganda and offensive material replaced the website material reinforces that you are also vulnerable to this threat.
Hackers are able to exploit vulnerabilities through software. This includes operating systems, applications and anti-malware protection systems. This software should be kept up to date. Failure to do so may allow hackers to access donors’ personal details and financial information and undermine your ability to carry out your mission (due to loss of funds, data or systems access). It may also damage your reputation and expose you to incur high fines. It is therefore important for you to prioritise the protection of sensitive data.
What can you do to protect your systems?
- Policies: Have an Anti-Fraud Policy and a Code of Ethics which set out how your charity will hold data securely and deal with any breaches that may occur.
- Cyber Insurance Policy: Consider obtaining a policy to protect your charity from the time a data breach occurs. Ensure that it covers legal, IT and regulatory costs that may arise as a result of the breach.
- Encryption of data: Make sure that sensitive data that is sent by email is encrypted so that only people with access to a secret key or password can read it.
- Staff Awareness and Training:
- Promote fraud awareness and understanding;
- Carry out training so that staff are aware of the importance of cyber security and make it mandatory for them to demonstrate that they have knowledge about data breaches and security; and
- Keep up to date with any guidance and regulations in this area which can be easily accessed through the Charities Commission, the National Cyber Security Centre and the Charities Against Fraud
No organisation is immune to cyber security threats and you may suffer collateral damage from an incident even though you may not have been directly targeted. It is therefore important to put safeguards in place against risk and guidelines to deal with any breaches that may take place. If you would like your policies to be reviewed or drafted in order to manage your risk or any information regarding the governance of your charity or your responsibilities as a trustee then please contact our Charity Law team, call 01245 330351 or email [email protected]