To say cyber-attacks can be devastating is an understatement. But when you consider how underfunded charity organisations and their teams are in particular, the realisation that the not-for-profit sector is one of the most targeted is a difficult one to swallow.
Across the UK, there are almost 200,000 registered charities in total – from animal welfare and child protection services, through to cancer relief and mental health support.
And while it should seem unconscionable to pose a threat to any of these organisations, it is evident that many perpetrators seek financial gain from stealing valuable data.
According to the National Cyber Security Centre’s (NCSC) Cyber Threat Assessment, valuable funds, supporter details, and information on beneficiaries remain primary motivations across the board.
So, what can be done to mitigate these growing risks? Here, client director at Central Networks, Mike Dunleavy, offers some crucial insight…
Understand the risks and how to spot them
As with any organisation, employees are the first – and often most powerful – line of defence against cyber-attacks. That’s why developing a detailed understanding of what motivates threat actors, as well as how they might attempt to compromise vulnerabilities within your systems, is crucial.
It shouldn’t just be a tick-box exercise, but something that’s constantly on the agenda from one month to the next. Running regular audits of your tech environment and testing employees on their ability to spot malicious phishing or malware attempts are just some examples to help fortify your charity organisation.
Be mindful, though, because trying to adopt a one-size-fits-all approach to educating your teams will only result in low engagement. Instead, ensure that training programmes and cyber security insights are specific to individual roles and responsibilities.
When training resonates with the day-to-day minutiae of a person’s routine, they can see the true scale of the problem, how exactly it might impact their own work, and what a ‘best practice’ approach to mitigating any dangers might look like.
Remember that prevention is always better than the cure
Once you’re aware of the risks you face as an organisation, you’ll have a better understanding of how you can bolster lines of defence.
With the increasing sophistication of cyber-attacks, it should go without saying that it’s important to get the basics right. Think watertight password policies, multi-factor authentication, and being vigilant when it comes to opening unknown links and accessing unfamiliar sites.
But if the shift to ‘work from anywhere’ models has taught us anything, it’s that the most effective cyber security strategies run much deeper. No matter where your teams work, a dedicated IT division should have complete control over every device.
This not only enables full visibility over software updates, anti-virus technology, firewalls, Virtual Private Networks (VPNs), and more, but it also enables more robust access control – ensuring only authorised personnel within your non-profit organisation can gain entry to sensitive data.
From part-time volunteers to full-time employees, it’s important that every colleague knows how to uphold the security stance of the charity right from the very beginning.
Invest in a tough business continuity plan
According to The Charity Commission, one in eight charities (12%) have experienced cyber-crime in the past year – yet just 55% see enhanced security as a fairly or very high priority. The reality is, the benevolent nature of these firms places them at a growing risk.
But let’s say all the right procedures are in place, and a perpetrator still manages to slip through the net undetected. What happens then? To help minimise downtime and reverse the effects of a breach as quickly as possible, having a robust business continuity plan in place is a must.
Whilst the purpose of disaster recovery is to find and repair the root cause of the problem, this strategy helps to keep mission-critical operations running as smoothly as possible on the route to reinstating ‘business as usual’.
As a living document, this should constantly evolve in line with your charity’s changing needs – with periodic testing ensuring every detail is appropriate, and the person in charge is still capable of carrying out designated tasks.
Such a proactive approach may seem full on, but it will pay dividends if it’s ever needed. And trust us when we say disaster will usually strike when you least expect it.
Turn the tables on attackers
Charity or not, anyone who has fallen victim to a cyber security attack will have at least one thing in common: they never thought it would be them. That’s why it’s better to ask too many questions before handing over sensitive data, rather than asking too few and it ending up in the wrong hands.
Better still, beat attackers to it. While defence is a crucial part of the cyber security equation, it’s only half of the puzzle. Instead of waiting to be notified about a breach, offensive approaches tap into the hacker tradecraft, and utilise human analysts who can think like the enemy to identify any warning signs.
Penetration testing, for example, simulates a real-life attack and shows how the action would unfold, step-by-step – rather than simply scanning for vulnerabilities and handing the insight over in a report. It’s the perfect way for charities to stay agile in today’s constantly evolving cyberwar landscape.
One of our partners, Cyphere, spoke about this defence mechanism in greater depth in our recent Q&A.
Of course, budgets are a significant restraint for any non-profit organisation, but combining as many of these examples as possible will maximise security posture, help protect precious data, and mitigate any financial or reputational damage in the long run.
Keen to continue the conversation? Central Networks has a glowing reputation when it comes to arming companies in this space – from social housing organisations to hospice care services.
If you want to know more about creating a bullet-proof cyber security strategy for your charity, please don’t hesitate to get in touch. We’d be happy to have a no-obligation chat about your requirements.
Here at Central, we have over 30 years’ experience within the tech industry. We’re passionate about IT and doing a great job for our customers, and we pride ourselves on being a trusted partner that organisations know they can rely on – no matter the time of day, or level of support required.
Our mission is to put IT at the heart of business – ensuring only the right strategic solutions are implemented. And this is something we achieve by working with our network of best-in-class partners.
That’s why, in our new blog series, we’re shining a spotlight on the innovative companies we work with – exploring what they do, how they work with Central, and their top tips and advice.
First up, it’s Harman Singh, Director from Cyphere.
Tell us a bit about your organisation:
Cyphere are a specialist cyber security services provider based out of Greater Manchester and serving globally. Providing technical security assessments and managed security services, we understand, analyse and help solve customer business problems. Working on ‘both sides of the fence’, our expertise includes both offensive and defensive security.
And if you had to sum up your expertise in three words, what would they be?
Cyber security, laughs, and drinks (sometimes!).
Describe your relationship with Central:
Central are trusted partners of Cyphere, who support us in serving customers across multiple sectors — throughout the UK. Central’s team and Cyphere’s cyber skill set are a great market fit for our customers, something which is evidenced by positive client feedback.
And how long have you worked together?
What is penetration testing and why is it important for organisations?
Penetration testing involves running simulation exercises to perform in-depth checks against the security controls in place within an organisation. This exercise could be targeted at web apps, networks, APIs, mobile apps or devices.
A black box pen test is carried out with zero information from the customer, and therefore replicates more closely the approach that a malicious attacker might take in gaining access to a system.
A white box pen test, on the other hand, is an exercise carried out with prior network and systems information from the customer. While a different approach, this method ensures the specific depth of assessment required and can provide a more targeted method of evaluation through which we can meet a business’s specific objectives.
Put simply, we safely mimic actual hackers in order to show our customers where their information is at risk. These tests are followed by guidance which informs businesses of ways to secure their assets.
Share a top tip on how companies can protect their data from a breach:
Brought together, people, processes, and tech can help improve cyber security maturity in any organisation.
In our view, it is not ok to blame people for clicking links. Instead, encouraging staff to utilise any resources available to them to help bolster knowledge around cybersecurity, while underlining its importance via internal culture and processes, is vital. With these steps in place, using tech to add another layer of defensive controls will help bring everything together. Without using all three in tandem, it’s impossible to thoroughly safeguard an organisation.
Describe what it’s like working with Central in one sentence:
What are the biggest cyber security threats facing businesses over the next 12 months?
Ensuring basic hygiene on an ongoing basis, supply chain concerns, and gaps during the transition to cloud — or in the cloud — are the main issues arising from digital transformations happening across the globe.
It's critical that organisations know their ‘unknowns’ early, then analyse and act on them in line with a proactive approach to cyber security. Taking shortcuts in cyber security can prove expensive, or, worse still, you could find that the damage caused by such a move is already too late to act upon.
What is a common mistake organisations make when it comes to cyber security?
Assuming products are already in place, and that they are adequate, or living under the ‘we’re too small to be attacked’ assumption.
And how has the cyber security landscape evolved over the years?
Cybersecurity has come a long way in the last few years. Earlier in the last decade, ransomware was a relatively unknown concept, and now it is one of the most common types of malware.
Additionally, due to technological advances around mobile, web and cloud, the number of data breaches has increased significantly, as has the cost of such incidents. Cybersecurity experts are constantly working to stay ahead of the latest threats, and businesses are increasingly aware of the importance of protecting their data.
Finally, what are your hopes for the future of the IT sector?
The IT sector has grown exponentially in recent years, and it appears this trend will continue. The sector is expected to benefit from continued growth in the global economy, rising consumer demand, and advances in technology. In addition, the sector is becoming increasingly important in terms of job creation and economic development.
Central Networks are a strategic technology partner. Excellent technology is a given; customer service, trust and long-term relationships are what drive our business. We support CEOs, Heads of IT, IT technicians and transformation directors to ensure technology provides an edge to their organisations.