Following our Charity & Non-profit working lunch in July 2023 where we discussed fraud and cyber risk, we have asked our speaker Jon Stanton from 4Cambridge to put together some highlights from the session that can be used to help your charity or organisation.
Cyber intelligence has seen a consistent decline in the last few years, potentially due to the economic pressures and uncertainties post Covid. However, email fraud remains one of the most common methods of attack. Below are some interesting stats from the Cyber Security Breaches Survey 2023:
- 56% of charities with income over £0.5m have experienced a cyber-attack or breach.
- 33% of charities have cyber insurance.
- 9% of charity reports covered cyber risk.
- 19% of charities are aware of the 10 steps guidance (for IT professionals).
- 16% of charities have formal incident response plans.
How can you help?
- Understand the data you hold and where you hold the data.
- Assess the threat from external and internal sources.
- Create some basic standards to address the threats.
- Consider your insurance and cyber risk insurance.
- Cyber security guidance for boards.
“Unlimited spending on cyber security may still not be enough”
The highest risks for any organisation often come from staff and volunteers, through accident, thoughtlessness and, often, a desire to be helpful that malicious hackers prey upon.
Unfortunately, charities are as vulnerable as any organisation; cyber criminals do not discriminate. Trustees and managers cannot afford to be overconfident.
Cyber Essentials
The Government has in place a Cyber Essentials programme that is renewable annually. The accreditation reflects the latest requirements, and an extra 1 or 2 steps are added each year to help ensure that organisations remain protected.
Malicious file execution
Organisations should have a policy covering personal use of machines, the software that can be installed on them, and backup procedures. Staff should be regularly reminded of the need to be alert for phishing emails.
Mobile phones & laptops
Lost devices are often the cause of reputational damage. Where personal devices are used, device management can protect organisational data, including the ability to wipe it remotely.
Privilege escalation
Inappropriate use of admin rights and passwords may allow harmful software to run in the background. Where admin passwords are necessary, they should be segregated from the passwords and logins used for other systems, particularly for email.
Physical access
Passcodes and keys provide physical security, but these can still be breached by being too polite. Opening doors for unknown people entering your office is a risk. A visible ID policy can help, as can simply asking the question.
Anti-virus protection
All devices should have up-to-date anti-virus protection, either purchased or using the available free software. Commercial alternatives are preferred as they provide segregation from the other systems used.
Social media
How do you control what is written about you or your organisation, even incidentally? A birthday cake for the boss celebrated online may give away vital information. A social media policy is key for every organisation.
The level of security and protection should be proportionate to the types of data held and the risks. A response should be planned and practised in case events do not go as expected.