The UK’s National Cyber Security Centre (NCSC) has released its first guidance document for charities, warning that the sector is “absolutely not immune” to attacks.
The GCHQ spin-off penned a new blog post last week claiming that third sector workers may be overly trusting of unsolicited emails, making them more susceptible to social engineering.
“Regardless of the size and nature of your charity or voluntary organization, you will hold information that is of value to a criminal. Also, you will all hold funds — however small — and any loss of money could be very damaging. Not only will it affect your ability to deliver your work, but it may also affect your funders' trust in your ability to manage their money and their details securely,” said the NCSC.
“Many charities also hold sensitive information about their beneficiaries that could be useful to someone with malicious intent, such as the ex-partner of a domestic violence victim who’s trying to track them down. Or just imagine coming into the office one day, switching on your computer and there’s a message saying you can’t access any of your systems until you pay a ransom. If this lockout continued for days (or even weeks), could your charity survive?”
The accompanying report, Cyber Security: Small Charity Guide, lists a range of measures that organizations can take to become more resilient to attacks.
These include backing up data regularly, keeping mobile devices safe, foiling malware with AV and prompt patching, avoiding phishing attacks and managing passwords securely.
The third sector has been found wanting in the past, not just in cybersecurity expertise but also in privacy.
In April 2017, 11 charities were fined by the ICO after a two-year investigation into illegal practices, such as hiring third parties to investigate donors’ incomes, lifestyles, property values and other personal information in order to profile them by wealth.