Cyber fraud - risks and responses.

Article | Nikki Loan | 10th August 2023

If you have any questions or concerns please do not hesitate to speak to your PEM contacts directly

Speak to someone

Following our Charity & Non-profit working lunch in July 2023 where we discussed fraud and cyber risk, we have asked our speaker Jon Stanton from 4Cambridge to put together some highlights from the session that can be used to help your charity or organisation.

Cyber intelligence has seen a consistent decline in the last few years. Potentially due to the economic pressures and uncertainties post Covid. However, email fraud remains one of the most common methods of attack. Below are some interesting stats from the Cyber security breaches survey 2023:

  • 56% of charities with income over £0.5m have experienced a cyber-attack or breach.
  • 33% of charities have cyber insurance.
  • 9% of charity reports covered cyber risk.
  • 19% of charities are aware of the 10 steps guidance (for IT professionals).
  • 16% of charities have formal incidence response plans.

How you can help?

  • Understand the data you hold and where you hold the data.
  • Assess the threat from external and internal sources.
  • Create some basic standards to address the threats.
  • Consider your insurance and cyber risk insurance.
  • Cyber security guidance for boards.

“Unlimited spending on cyber security may still not be enough”

The highest risks for any organisation often come from staff and volunteers, by accident, thoughtlessness and often a desire to be helpful which is preyed upon by malicious hackers.

Unfortunately charities are as vulnerable as any organisation- cyber criminals do not discriminate. Trustees and managers cannot afford to be over confident.

Cyber Essentials

The Government has in place a cyber essentials programme that is renewable annually. The accreditation reflects the latest requirements and an extra 1 or 2 steps are added each year to help ensure that organisations remain protected.

Malicious file execution

Organisations should have a policy regarding personal use of machines, the software that can be uploaded and back up procedures. Staff should be regularly reminded of the need to be alert for phishing emails.

Mobile phones & laptops

Lost devices are often the cause of reputational damage. Where personal devices are used, device management can protect organisational data with the ability to wipe data remotely.

Privilege escalation

Inappropriate use of admin rights passwords may mean that harmful software can run in the background. Where admin passwords are necessary they should be segregated from the passwords and logins used for other systems, particularly for email.

Physical access

Passcodes and keys provide physical security but these can still be breached by being too polite. Opening doors for unknown people entering your office can be a risk. Visible ID policies can help or just asking the question.

Anti-virus protection

All devices should have up to date anti-virus protection. Either purchased, or using the available free software. Commercial alternatives are preferred as they provide segregation from the other systems used.

Social media

How do you control what is written about you or your organisation, even incidentally. A birthday cake for the boss celebrated online may give away vital information. A social media policy is key for every organisation.

The level of security and protection should be considerate to the types of data held and the risks. A response should be planned and practiced in case events do not go as expected.

If you would like to know more about any of the points raised in this article, please contact PEM.

Share this content with your network:
Nikki Loan - Partner - Audits and Accounts - PEM

About the author

Nikki Loan

With over 25 years experience in the charity and not for profit sector, Nikki has provided audit services and accounting support Read more about this author …

Speak to one of our experts


  • I have read and accept the Terms and Conditions. Please read our Privacy Policy to understand how we will use your personal information.