Small Charities Warned they are at Risk of Devastating Cyber Attacks

21st March 2018

Cyber Attack
Cyber attacks are not relevant to my small charity, are they? With GDPR on the horizon, the National Cyber Security Centre’s assessment of the risk in the charity sector paints a worrying picture, with sensitive, valuable data at risk in many smaller charities.

With payroll at the heart of most organisations, and charities endlessly appearing in the press through high profile, reputationally damaging incidents, the report should be a must read for even the smallest not for profit organisation.

With around 200,000 registered charities in the UK – those with an income of £5k per year – and a respectable number of unregistered charities, the sector is seen as an increasingly ripe opportunity for cyber criminals and other groups, including individuals within the charities themselves, seeking to exploit vulnerabilities in the sector.

UK charities hold funds, personal, financial and commercial data. This is of interest or monetary value to professional and opportunist cyber criminals and other groups.

Small scale attack and financial exploitation is on the up, particularly regarding personal information of staff and donors.

Breaches of procedures through carelessness, ignorance, or multiple (usually unauthorised) sharing of passwords has opened up organisations to malicious attack.

And insider attacks, motivated by grievance, greed or external pressure, mean not for profits need to be secure both internally and externally.

Indeed, accountant Stephen Ashton, who worked for Morris Cerullo World Evangelism has recently been jailed for stealing more than £2.5m from the charity he worked for to pay for his lover’s mortgage and luxury holidays.

And Birmingham charity Amirah Foundation has folded amid financial irregularities, including initial findings by the trustees that say Chief Executive Shaz Manir “on occasion paid herself a full wage more than once in a month”. Here, the board of trustees have reported the allegations to the Charity Commission, the Big Lottery Fund, police and Action Fraud.

In payroll charities are particularly vulnerable and IRIS FMP continues to provide tips and advice to the sector, in it’s role as Trusted Supplier to the NCVO.

The report concludes that the charity sector has a broad lack of specialist staff with the skills needed to cover security and cyber attacks. With GDPR on the horizon not for profits should seek to mitigate risk as much as possible, in those areas at risk. Outsourcing payroll should be one of the first areas to investigate. With cyber incidents now a mainstream media item no charity should be looking to be the next big headline in the press.