View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
January 24, 2023

NCSC releases cybersecurity guidance for charities as attacks mount

Third-sector organisations do not traditionally prioritise cybersecurity, despite being an attractive target for hackers.

By Claudia Glover

Charities must improve their cybersecurity amid a flurry of attacks on the sector, the UK’s National Cyber Security Centre (NCSC) has warned. The NCSC has also published new guidelines to help voluntary organisations build their defences. Security analysts say charities have traditionally underfunded IT and cybersecurity, meaning the impact of attacks can be devastating.

The NCSC has released guidelines for the third sector in wake of mounting cyberattacks. (Photo by g0d4ather/Shutterstock)

The NCSC launched the guidelines alongside a report into cyberattacks and cyber resilience within the third sector in the UK.

NCSC releases cybersecurity guidance for charities

The guidance released by the NCSC urges charities to shore up their cybersecurity defences in the face of a growing threat. “Charities are attractive targets for many hostile actors seeking financial gain, access to sensitive or valuable information or to disrupt the charity’s activities,” it says.

Recommendations include ensuring training is up to date, taking advantage of the NCSC’s active cyber tools, and ensuring that board members are aware of the threat posed by cyberattacks.

A UK government cyber breaches survey shows 30% of UK charities suffered a cyberattack in the past 12 months. Of those, 38% say an attack had an impact on the service it provides while 19% “resulted in a negative outcome” for the organisation.

In the guidance, the NCSC highlights areas which exacerbate the risk of cyberattack for charities. With resources often stretched, charitable organisations can sometimes be reluctant to spend money on IT and cybersecurity, for example. This may lead to a high number of volunteers, or to employees bringing their own devices to work, states the guidance. Indeed, 64% of charities report their staff regularly use their own devices, versus 45% of traditional businesses. Both can be issues as volunteers are unlikely to have the necessary expertise to protect a company’s systems against a cyberattack, and insecure devices outside a secure network can prove to be a security nightmare.

The report comes a month after the release of a new Cyber Essentials program that is designed to provide cyber relief for micro and small charities of one to 49 employees.

Content from our partners
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester
Infosecurity Europe 2024: Rethink the power of infosecurity

Charities may not prioritise cybersecurity, warn researchers

A lack of funding in the third sector is part of the problem, says Michael Varley, threat consultant at security company Adarma. “Charities sometimes underestimate the value of the data that they hold,” Varley says. “Many charities work with the most vulnerable people in society during some of the most challenging times of their lives and will therefore hold a vast range of data on the individuals they work with. This data can range from financial and medical data to housing and personal relationship data, all of which can be leveraged by attackers for financial gain and/or identify theft.”

Charities can also have a wider attack surface than other organisations, argues Brian Higgins, security specialist at Comparitech. “Most rely on volunteers who frequently use their own devices, such as mobile phones and laptops, which do not provide the same level of security as a corporate network for example.”

Higgins adds that cybercriminals often see charities as a route to a quick payout. “The underlying ideology of helping people can also see resources like security software or staff training diverted to operational activities and ransomware attacks are seen by criminals as more likely to be paid quickly to avoid any interruption in service availability or access to help and assistance,” he explains. 

A charity’s primary mission will often have nothing whatsoever to do with technology, and so raising IT standards can end up being overlooked, agrees Varley. “They most certainly won’t have the latest in defensive technologies to stop the attacks we are seeing,” he says. “Out-of-date equipment may no longer be getting patches and security updates, significantly weakening the charity’s ability to withstand even the most basic of cyberattacks.” 

Read more: The very online future of the charity shop

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.