Is your charity cyber secure enough?

To say cyber-attacks can be devastating is an understatement. But when you consider how underfunded charity organisations and their teams are in particular, the realisation that the not-for-profit sector is one of the most targeted is a difficult one to swallow.

Across the UK, there are almost 200,000 registered charities in total – from animal welfare and child protection services, through to cancer relief and mental health support.

And while it should seem unconscionable to pose threat to any of these organisations, the number of perpetrators seeking financial gain from stealing valuable data is evident.

According to the National Cyber Security Centre’s (NCSC) Cyber Threat Assessment, valuable funds, supporter details, and information on beneficiaries, remain primary motivations across the board.

So, what can be done to mitigate these growing risks? Here, client director at Central Networks, Mike Dunleavy, offers some crucial insight…

Understand the risks and how to spot them 

As with any organisation, employees are the first – and often most powerful – line of defence against cyber-attacks. That’s why developing a detailed understanding of what motivates threat actors, as well as how they might attempt to compromise vulnerabilities within your systems, is crucial.

It shouldn’t just be a tick-box exercise, but something that’s constantly on the agenda from one month to the next. Running regular audits of your tech environment and testing employees on their ability to spot malicious phishing or malware attempts are just some examples to help fortify your charity organisation. 

Be mindful though, because trying to adopt a one-size-fits all approach to educating your teams will only result in low engagement. Instead, ensure that training programmes and cyber security insights are specific to individual roles and responsibilities.

By resonating with the day-to-day minutiae of a person’s routine, they can see the true scale of the problem, how exactly it might impact their own work, and what a ‘best practice’ approach to help mitigate any dangers might look like. 

Remember that prevention is always better than the cure 

Once you’re aware of the risks you face as an organisation, you’ll have a better understanding of how you can bolster lines of defence.

With the increasing sophistication of cyber-attacks, it should go without saying that it’s important to get the basics right. Think watertight password policies, multi-factor authentication, and being vigilant when it comes to opening unknown links and accessing unfamiliar sites. 

But if the shift to ‘work from anywhere’ models has taught us anything, it’s that the most effective cyber security strategies run much deeper. No matter where your teams work, a dedicated IT division should have complete control over every device.

This not only enables full visibility over software updates, anti-virus technology, firewalls, Virtual Private Networks (VPNs), and more, but it also enables more robust access control – ensuring only authorised personnel within your non-profit organisation can gain entry to sensitive data. 

From part-time volunteers to full-time employees, it’s important that every colleague knows how to uphold the security stance of the charity right from the very beginning. 

Invest in a tough business continuity plan 

According to The Charity Commission, one in eight charities (12%) have experienced cyber-crime in the past year – yet just 55% see enhanced security as a fairly or very high priority. The reality is, the benevolent nature of these firms places them at a growing risk.

But let’s say all the right procedures are in place, and a perpetrator still manages to slip through the net undetected. What happens then? To help minimise downtime and reverse the effects of a breach as quickly as possible, having a robust business continuity plan in place is a must. 

Whilst the purpose of disaster recovery is to find and repair the root cause of the problem, this strategy helps to keep mission-critical operations running as smoothly as possible on the route to reinstating ‘business as usual’.

As a living document, this should constantly evolve in line with your charity’s evolving needs – with periodical testing ensuring every detail is appropriate, and the person in charge is still capable of carrying our designated tasks.

Such a proactive approach may seem full on, but it will pay dividends if it’s ever needed. And trust us when we say disaster will usually strike when you least expect it. 

Turn the tables on attackers 

Charity or not, anyone who has fallen victim to a cyber security attack will have at least one thing in common: they never thought it would be them. That’s why it’s better to ask too many questions before handing over sensitive data, rather than asking too few and it ending up in the wrong hands. 

Better still, beat attackers to it. While defence is a crucial part of the cyber security equation, it’s only half of the puzzle. Instead of waiting to be notified about a breach, offensive approaches tap into the hacker tradecraft, and utilise human analysts who can think like the enemy to identify any warning signs.

Penetration testing, for example, simulates a real-life attack and shows how the action would unfold, step-by-step – rather than simply scanning for vulnerabilities and handing the insight over in a report. It’s the perfect way for charities to stay agile in today’s constantly evolving cyberwar landscape.

One of our partners, Cyphere, recently spoke about this defence mechanism in greater depth, in our recent Q&A.

Of course, budgets are a significant restraint for any non-profit organisation, but combining as many of these examples as possible will maximise security posture, help protect precious data, and mitigate any financial or reputational damage in the long run.

Keen to continue the conversation? Central Networks has a glowing reputation when it comes to arming companies in this space – from social housing organisations to hospice care services.

If you want to know more about creating a bullet-proof cyber security strategy for your charity, please don’t hesitate to get in touch. We’d be happy to have a no-obligation chat about your requirements.