There is no primary cause when it comes to charity cyber attacks. There are several factors that could leave your charity exposed. Unfortunately, charities and not-for-profit organisations can be targeted by cybercriminals who seek to exploit their systems and confidential data for their own advantage. According to the Charity Commission for England and Wales there are 169,029 registered charities with a combined annual income of £83.8 billion.
So it is no surprise that we have seen a rise in cyber attacks explicitly aimed at charities. The DCMS (The Department for Digital, Culture, Media and Sport) Cyber Security Breaches Survey 2022 reported that 26% of charities had a cyber attack at least once a week.
While charities are becoming more aware of the importance of cyber security, many factors still contribute to their vulnerability.
In this blog post, we will explore some of the most common causes of cyber attacks on charities, and what steps can be taken to prevent them.
1. Lack of Cyber Security Training for Employees
One of the main causes of a charity cyber attack is a lack of training for staff in the charity sector. Whilst 82% of businesses claim cyber security is a high priority for their senior management, just 72% of charities say their trustees believe cyber security is a high priority. This statistic comes from the Cyber Security Breaches Survey and shows a clear difference in the importance each sector places on cyber security.
Within a nonprofit organisation, you have a variety of staff, which includes full-time staff, part-time staff and volunteers. When it comes to organising cyber security training, finding the time and capacity to do the training can be difficult.
However, it is vital to make sure that you book in cyber security training for your staff. This training could ensure that your staff understand the cyber protocols and software that will keep the confidential data they handle safe. Cyber security training can cover things like password protection and multi-factor authentication. Without this training, your staff could be leaving personal data exposed to cyber attackers.
Take a look at the bar chart below which shows the percentage of organisations that have carried out the following activities to identify cyber security risk within the last 12 months.
Source: Cyber Security Breaches Survey.
2. Outdated Software and Systems
Secondly, outdated software and systems could be one of the main factors causing charity cyber attacks. Charities are more likely to use old legacy systems and old versions of software which do not receive the latest support, updates and security patches. This leaves your organisation exposed to new cyber attacks and vulnerabilities.
Charities are also more likely to have staff working on their own personal devices as opposed to those supplied by the organisation itself. According to the DCMS Cyber Security Breaches Survey, 64% of charities report their staff regularly using their own devices. If your nonprofit staff are using their own personal devices and storing confidential data on them, it is far more difficult to apply security across the board and enforce procedures.
Assigning company devices to your staff will help to regulate the security implemented on each device. You can issue a device to a member of staff only after all of the security software has been installed on it. In terms of using older systems and software, the lack of support and security patches available will put your charity at risk of cyber attacks. Having the most up-to-date software and devices means your staff will receive device support and prompted software updates, both of which will help to keep the device more secure.
3. Lack of Budget for Cyber Security
The charity sector tends to be on a more restricted budget compared to businesses or other sectors. Therefore the resources they can afford to purchase are limited. As charity funds are budgeted, charities are more likely to spend them on the frontline work they provide to the community than on back-office items such as security procedures.
As The NCSC states: “the impact of any cyber attack on a charity might be particularly high as charities often have limited funds, minimal insurance coverage and, by their very nature, are a supplier of last resort providing services where there is insufficient government or affordable private sector alternatives.”
However, there are now options for leasing within your organisation, including leasing devices such as computers and desktops. If your charity is able to be approved for leasing or funding, you will be able to provide organisation-owned devices. This will leave a larger amount of budget for things like cyber security best practices and software.
4. Attractive Target for Many Hostile Attacks
Unfortunately, by its very nature the charity sector is an attractive target for different types of malicious attacks. Below is a list of the different types of cyber attackers and what they look to target.
Cyber criminals tend to be motivated by financial gain. They may seek to directly steal money held by charities or seek to capitalise through fraud, extortion or data theft.
Nation States conduct cyber criminal activity to further their own national agenda and prosperity. This activity can also disrupt professionals working on issues the state disagrees with, including human rights or those wanting regime change.
Hacktivist describes a computer hacker motivated by a specific cause, for example, to further political or personal agendas or in reaction to events or actions they perceive as unjust.
Insider threat is the deliberate or accidental threat to an organisation’s security from someone within the organisation. This person usually has authorised access, such as a staff member or volunteer.
Supply chain attacks
Cyber threats may not come from direct attacks on charities but they could still be affected. It’s common for smaller charities to outsource their responsibilities for running, maintaining and securing their sensitive data to third party support companies. Therefore an attack on this third party would also impact the charity’s cyber security.
5. Dependence on Online Donations
Lots of charity organisations have the option for donors to make their donations online via their website. This is more likely than a private sector business receiving online payments (44% of charities allow people to donate to them online, according to the DCMS Cyber Security Breaches Survey).
These donations have to take place over plugins and other platforms that might not be as secure as they need to be due to a lack of charity resources and cyber security training. Therefore, these online payment mechanisms become even more attractive to cyber attackers. In particular, hackers could target donor personal data such as credit card details.
Final Thoughts on Charity Cyber Attacks
In conclusion, charities are indispensable organisations that play a vital role in addressing society’s most pressing challenges. However, they are not immune to cyber attacks, and the consequences can be devastating. In this blog post, we have explored some of the most common causes of cyber attacks against charities, including outdated technology, lack of employee awareness, and lack of budget. While these risks cannot be completely eliminated, there are steps that charities can take to mitigate them, such as booking cyber security training and awareness, regularly updating software, and looking into computer leasing to free up more of your charity’s budget.