We work with a lot of organisations in the charitable and not-for-profit space so we thought we would put together a quick guide to cyber security for anyone in that industry.
We find its important to understand why and how a breach could occur and then its simpler for organisations to prioritise what they need from a solutions perspective. If you know the reasons why, you can help to prevent a disaster should the worst happen and manage the situation with minimal disruption.
The 2021 Cyber Security Breaches Government Survey states that 79% of charities reported a phishing attack over the last 12 months. Couple this with only 27% of charities having a business continuity plan that covers cyber security and you could end up with a potentially catastrophic situation.
Why are charitable organisations a target?
Generally with funded organisations, hackers believe that their systems and hardware are likely to be less sophisticated. This is due to money being prioritised on the charitable objectives and not infrastructure.
We know from working with our charity clients that hardware is not as readily replaced and solutions are not as heavily invested in as it would be in a commercial business. Laptops get memory extensions or rebuilds, kit gets preserved and its more of a ‘make do and mend’ situation than a buy new situation!
Working in this way means that there can be gaps in protection, unpatched systems and out of date devices. These factors make it far easier for a hacker to infiltrate, the path of least resistance is the path of choice when it comes to malware.
The main reason for singling out a charity is to steal the data it holds. Hackers know that these types of organisations have large databases of varying information on private individuals, funders, beneficiaries and corporates, not to mention the financial data they could intercept.
The wider impact of a breach
The impact of a breach, if it were to be successful could, in truth, put an organisation out of business within six months. This is a worst-case scenario and the biggest scenario measures need to be in place to avoid.
This can easily be done by having a robust and regularly tested business continuity plan.
For a non-terminal breach, here are some more scenarios that could and often do happen;
Loss of campaign activity through CRM system or website hacking. If either of these come to a standstill, you’re no longer able to take donations or contact your base.
If a hacker steals address and credit card details, this results in significant worry and inconvenience for those who donate. It also causes them not to trust you and view it as incompetence. In big organisations this can easily reach the media too.
Without a business continuity plan, you’ll have to spend a huge amount of time and effort putting things right. Restoring and cleaning back-office systems is one thing but then having to tell your base there’s been a breach is another. Minimising negative PR, getting data back and putting the measures in place so it doesn’t happen again takes time.
Whilst your teams are trying to rectify the damage, no time can be spent on your core activities. Productivity loss means revenue and funding loss.
Its also more expensive to put solutions in place quickly, that should have been there in the first place. You may also encounter legal fees and increased insurance premiums also.
What you can do now to minimise the impact
As mentioned before, a business continuity plan is a must and unfortunately, the majority of charitable organisations don’t have one. We’re trying to change that!
Take a look at our blog post here for advice on how to put one together. We can also help you with templates to fill in that form the basis of the plan, just get in touch and we’ll be happy to help.
Good data and information security doesn’t have to cost the earth, it can be cost-effective and any outlay far outweighs the financial impact of a breach.
One of the simplest things to do is to train your teams. They are your first line of defence for things such as phishing scams. Show them what to look out for, encourage them to report anything suspicious and even put them on one of the free online training courses available from the National Cyber Security Centre.
If you’re starting from scratch, prioritise what needs to be done, and implement the quick and easy solutions straight away. This might be strengthening passwords or adding Two Factor Authentication, password protecting email documents or restricting access. Do what you can when you can and make provisions for any upcoming budget you might need.
We find that our charity clients benefit hugely from regular planning, we help them by advising and costing out the solutions they need so they can put a request in to be allocated budget. We also explain why items are needed and the implications if they go ignored.
This type of planning enables you to know exactly what stage your infrastructure is at and you have a clear schedule of what needs replacing/updating. It’s a ‘no nasty surprises’ approach plus you gradually plug away at some of the bigger items that need addressing.
Take a look at our case study here on our work with Whale and Dolphin Conservation.
We’re here to help you with any advice you might need around keeping your organisation protected but more importantly equipped to deal with a breach. Contact our friendly team to arrange a chat and we’ll happily advise.