There is no doubt that cybercrime and online fraud pose a significant threat to the charity sector. According to a 2019 report commissioned by the Charity Commission, 58% of charities reported cybercrime as a major risk to the sector, and a further 22% believed that cybercrime posed a greater risk to the charity sector than any other threat.
Trustees must ensure that they are equipped with the necessary tools to prevent and respond to cybercrime. Public trust and confidence in the charity sector rely upon sound financial control and best practice in charities; effective cyber security and a clear approach to online fraud are essential elements of this.
In its report entitled 'Preventing Charity Cybercrime', the Charity Commission states that by 2022 one in six large charities will have been a victim of cybercrime.
What are the main cybercrime risks for charities?
'Phishing' emails and scams present the most common cyber threat facing charities, alongside hacking and extortion. If a cyber-attack succeeds, a charity risks breaching the GDPR, suffering reputational damage and losing funds.
Larger charities with a high public profile are often considered more vulnerable to cyber-attack than their smaller counterparts, so trustees may take the size of their charity into account when implementing measures to mitigate and protect against risk. This does not mean, however, that any charity is immune to the risk of cybercrime: all charities may be targeted and must address the risk effectively.
Recommendations for cyber security governance measures for charities
Charities should ensure that they have clear processes and procedures in place which set out who is responsible for implementing cyber security measures. Typically, the board of trustees is best placed to decide which security systems and measures suit the needs of the charity. Trustees should ensure that managing the risk of cybercrime is prioritised as a matter of governance, given its likelihood and potential impact.
Charities should also take measures to raise awareness of the risk of cybercrime, and of who is responsible for preventing it, so that threats such as phishing or other malicious emails are swiftly and consistently identified. These measures should include a clear policy on reporting lines and a clear procedure to follow if an incident does occur.
Effective internal controls enable trustees to identify incidents and report them to the relevant bodies: the Charity Commission, the charity's bank, or the police. It is essential that every successful cyber-attack is reported to the appropriate external organisations; reporting an incident internally alone is not enough.
As cyber-criminals become increasingly sophisticated, charities should prioritise effective preventative action, act early when an incident occurs and report it to the relevant organisations as a matter of urgency to ensure compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.