Charities must improve their cybersecurity amid a flurry of attacks on the sector, the UK’s National Cyber Security Centre (NCSC) has warned. The NCSC has also published new guidelines to help voluntary organisations build their defences. Security analysts say charities have traditionally underfunded IT and cybersecurity, meaning the impact of attacks can be devastating.
The NCSC launched the guidelines alongside a report into cyberattacks and cyber resilience within the third sector in the UK.
NCSC releases cybersecurity guidance for charities
The guidance released by the NCSC urges charities to shore up their cybersecurity defences in the face of a growing threat. “Charities are attractive targets for many hostile actors seeking financial gain, access to sensitive or valuable information or to disrupt the charity’s activities,” it says.
Recommendations include ensuring training is up to date, taking advantage of the NCSC’s active cyber tools, and ensuring that board members are aware of the threat posed by cyberattacks.
A UK government cyber breaches survey shows 30% of UK charities suffered a cyberattack in the past 12 months. Of those, 38% say an attack had an impact on the services they provide, while 19% say an attack “resulted in a negative outcome” for the organisation.
In the guidance, the NCSC highlights areas which exacerbate the risk of cyberattack for charities. With resources often stretched, charitable organisations can sometimes be reluctant to spend money on IT and cybersecurity, for example. This may lead to a high number of volunteers, or to employees bringing their own devices to work, states the guidance. Indeed, 64% of charities report their staff regularly use their own devices, versus 45% of traditional businesses. Both can be issues as volunteers are unlikely to have the necessary expertise to protect a company’s systems against a cyberattack, and insecure devices outside a secure network can prove to be a security nightmare.
The report comes a month after the release of a new Cyber Essentials program that is designed to provide cyber relief for micro and small charities of one to 49 employees.
Charities may not prioritise cybersecurity, warn researchers
A lack of funding in the third sector is part of the problem, says Michael Varley, threat consultant at security company Adarma. “Charities sometimes underestimate the value of the data that they hold,” Varley says. “Many charities work with the most vulnerable people in society during some of the most challenging times of their lives and will therefore hold a vast range of data on the individuals they work with. This data can range from financial and medical data to housing and personal relationship data, all of which can be leveraged by attackers for financial gain and/or identity theft.”
Charities can also have a wider attack surface than other organisations, argues Brian Higgins, security specialist at Comparitech. “Most rely on volunteers who frequently use their own devices, such as mobile phones and laptops, which do not provide the same level of security as a corporate network for example.”
Higgins adds that cybercriminals often see charities as a route to a quick payout. “The underlying ideology of helping people can also see resources like security software or staff training diverted to operational activities and ransomware attacks are seen by criminals as more likely to be paid quickly to avoid any interruption in service availability or access to help and assistance,” he explains.
A charity’s primary mission will often have nothing whatsoever to do with technology, and so raising IT standards can end up being overlooked, agrees Varley. “They most certainly won’t have the latest in defensive technologies to stop the attacks we are seeing,” he says. “Out-of-date equipment may no longer be getting patches and security updates, significantly weakening the charity’s ability to withstand even the most basic of cyberattacks.”