Good causes mean nothing to hackers
They may raise money for good causes, such as homeless people, the environment and endangered animals, but to criminals, charities are just another source of money to steal from. And with so much of their operations being carried out digitally, cybersecurity for charities is every bit as important as it is for businesses.
In the UK government’s Cyber Security Breaches Survey 2019, around a fifth (22%) of charities said they had identified a cyber breach or attack in the previous 12 months, and the average annual cost for affected charities was found to be £9,470. This can be from direct financial losses (such as ransomware ransoms), IT support costs or interrupted donations, among other things.
Of course, the extent of attacks varies greatly, and these figures don’t account for, say, the reputational hit charities can take after being hacked or the long-term disruption to operations, which might hinder future fundraising.
Also, charities often handle a large amount of personal data, which means they’re also subject to GDPR, so any breaches could land them in legal trouble too (note: there are some exemptions and other differences for charities when it comes to GDPR).
And like businesses, charities have to pay suppliers and landlords, so they’re also just as likely to be victims of invoice fraud, where hackers intercept invoices and change the bank details to their own.
But that’s not the only problem they face, and cybersecurity for charities also has to take into account how criminals may seek to exploit the reputation of charities for their own gain. According to the Cyber Security Breaches Survey, 22% of charities with an income of more than £500,000 had discovered criminals impersonating them on the internet and in emails. As you can imagine, the crooks take donations meant for charities and pocket them themselves.
What’s interesting about this is just how much of a difference there is for smaller charities. For those bringing in between £100,000 and £500,000, only 5% had experienced this kind of impersonation. That drops to just 2% for charities smaller than that. Of course, cybersecurity for charities is important no matter what, but these statistics suggest that the bigger a charity gets, the more likely it is to be exploited by hackers.
Why might that be? Perhaps it’s because larger charities have a bigger public profile. They advertise more, they have better-ranking websites, and it’s easier to find out who their staff are. As well as attracting the attention of possible donors, this publicity may catch the eye of criminals, and the availability of information about key people within a charity could make it easier to carry out targeted phishing attacks against them. Finally, of course, the bigger the charity is, the more money it is likely to handle.
If you’re running a smaller charity, it might be tempting to look at these figures and breathe a sigh of relief, but they don’t tell the whole story. Spending on cybersecurity for charities is likely to vary a lot depending on how much money they make, and larger organisations will have more people looking out for potential problems than smaller ones. It could be, therefore, that smaller charities report fewer cyber attacks because they simply do not have the resources to detect them.
That makes sense when you think about how a lot of cybercrime works. Some of it can be quite sophisticated and targeted, but a lot of attacks are automated, carried out by software that criminal gangs and novices buy from hackers on the dark web. These tools, which may distribute viruses, ransomware or phishing emails, or scour the internet looking for vulnerable online devices, do not discriminate. They will attack wherever and whenever they can.
You only have to look at the sheer number of personal details that are sold on the dark web to realise the scale of the problem. TMB Group offers a dark web monitoring service, which alerts customers when their logins have appeared on the dark web, and we find businesses and charities of all sizes are affected. Naturally, bigger organisations are more likely to fall victim to this, because they have more people, and more people means more potential weak points. But that should offer little comfort, because it only takes one person getting hacked for an entire company to be taken down.
It would be nice if cybersecurity for charities didn’t have to exist – a world where criminal hackers had a conscience – but that’s never going to happen. And with the kind of work they do, cyber attacks against charities have the potential to do real harm to those least able to withstand it.
TMB Group works with businesses and charities, providing fully managed IT service and solutions, including robust cyber security. From antivirus and hardware firewalls to security awareness training and device management, we've got you covered. Need our help? Call us on 0333 900 9050 or email firstname.lastname@example.org.
In the meantime, check out our free cyber security guide, which offers some key advice about keeping your business or charity safe from hackers.