National Cyber Security Centre warns on cyber crime threat to charities
By Annette McGill

The UK’s National Cyber Security Centre (NCSC) says charity  funds, supporter details and information on beneficiaries are being targeted by cyber criminals. It says charities don’t fully realise the value of the personal, financial and commercial data they hold - and how attractive this data could be to criminals.

The NCSC was set up to help protect the UK’s critical services from cyber attack, to manage major incidents, and improve the underlying security of the UK’s digital environment. It  is part of the Government Communications Headquarters (GCHQ).  

NCSC this month issued a Cyber Threat Assessment for the charity sector. The report highlights a series of threats including:

  • Ransomware and extortion
  • Business email attacks
  • Fake organisations and websites

The Threat Assessment says criminals motivated by financial gain are likely to pose the most serious online threat to charities. 

Attacks via suppliers and third parties

The report also raises related to charities outsourcing IT and data management to external support companies and marketing companies. It warns that cyber criminals and other groups may be able to gain access to charities’ networks and/or information through these companies.

Additionally, cyber criminals may be able to access UK-based charity systems through linked branches or projects in other countries where the security culture may be less stringent than in the UK.

Cyber security is especially relevant for charity facilities managers who deal with vendors, services suppliers and short-term contract staff. FMs are also likely to be responsible for security and access systems. The Charities FM Group says charity fms should always check that their vendors and service suppliers have adequate data security and privacy policies in place - and that they are followed. 

Small charities most at risk

The NCSC says that small charities are especially vulnerable to online criminals. It says large charities are able to spend time and money on cyber security, but small charities have a more open culture and are more vulnerable to cyber fraud and extortion. It cites the example of a small charity which  lost £13,000 after its CEO’s emails were hacked to send a fraudulent message instructing their financial manager to release funds.

The NCSC has issued new cyber security guidance for small charities. This offers easy and low-cost steps to protect against attacks, including advice on backing up data, using strong passwords, protecting against malware, keeping devices safe and avoiding phishing attacks.

The NCSC says the scale of cyber crime impacts on charities is unclear, and urges charities to report incidents to the Charity Commission.