Charity Commission publishes updated guidance for trustees to protect charities from cybercrime and fraud

“There are many small, inexpensive steps charities can take to reduce the risk of any potential internal or external fraudster being successful.”

To mark this year’s Charity Fraud Awareness Week, the Charity Commission for England and Wales, supported by the National Cyber Security Centre (NCSC), released updated guidance to assist trustees in safeguarding their charities against cybercrime and cyber fraud.

What is cybercrime and cyber fraud?

Cybercrime is a broad concept, capturing “any crime that uses computers or the internet”. This can include fraud.

The government guidance cites the most common types of cyber attacks to be aware of:

• Phishing: Phishing occurs where a criminal tricks a victim to visit a malicious website, using a link commonly in an email or text message. The criminal can then use the website to steal sensitive data such as bank details or install malicious software onto the charity’s digital devices. For charities, a criminal may pretend to be a trustee, or the charity’s bank.
• Impersonation: Criminals may pretend to be a real charity online to steal donations. Charities should report any suspicious websites relating to their charity to Action Fraud.
• Malware: Malware is malicious computer software, used by criminals to infect digital devices to steal sensitive data, overload devices with data or delete vital software. The most common type of malware is ransomware, whereby a criminal can threaten to destroy or sell a charity’s data if it does not pay a ransom.

Given that the median cost of a cyber-attack in the UK is more than £22,000, it is clear that such incidents can have a significant financial impact. Beyond the immediate monetary losses, charities also risk losing sensitive data and damaging their public trust and reputation.

The updated guidance comes as the Charity Commission reported that it opened 603 fraud-related cases and 99 cases relating to cybercrime in the last year. Cyber fraud is cited as a key area of concern.

Why are charities at risk?

Like other commercial organisations, charities hold assets that are of financial value to cyber criminals, including money and sensitive data. This may include information about donors, beneficiaries, employees, and volunteers. The Office of the Scottish Charity Regulator has commented that charities often hold such money and data with low levels of security protecting it, and as such charities become an easy target for cyber criminals.

Further, many charities undertake roles previously fulfilled by government, through commissioned services or grants from local authorities. As such, a charity may need to share systems with a “bigger fish” which can attract cyber criminals as a route in, causing significant damage along the way.

The NCSC found in 2017 that there were low levels of awareness of cybercrime amongst smaller charities who do not perceive themselves as a target, or as holding anything of value to a cybercriminal.

The nature of a charitable organisation also significantly differs from a business. Whilst charities are often contacted with offers of money with no strings attached, this would never occur in a business context. By their very nature, charities are therefore open to having their trust exploited by criminals.

Protecting charities from cyber crime

What does the updated guidance say?

The guidance highlights that trustees must manage their charity’s resources responsibly, by being aware of risks to the charity from cyber crime, taking reasonable steps to protect the charity from cyber crime, and responding to cyber attacks properly to reduce the harm to the charity.

Trustees should determine their expectations on preventing cybercrime and ensure that these are met by their charity. These expectations should be proportionate to the size of the charity and the resources available to it.

Small charities

The Charity Commission has issued a number of resources for small charities, including:

• The Small Charity Guide with basic free or low-cost information and tools designed to be put in place quickly. The Charity Commission encourages charities to ask relevant people to read and use the guide to help create a culture of cyber awareness.
• Free online cyber security training for beginners.
• Cyber attack exercises which recreate common cyber attacks.
• The NCSC’s free online service for small charities to check their cyber security, to help look for common weaknesses and to give step-by-step guidance to fix any cyber security issues.

Medium and large charities

For medium and large charities, the Charity Commission signposts organisations to:

• The NCSC’s 10 Steps to Cyber Security technical guidance.
• The Cyber Security Toolkit for Boards.
• The NCSC’s list of certified training courses for medium and large charities.
• The NCSC Cyber Essentials Scheme can be used by medium and large charities to certify that the charity is cyber secure. The scheme can help these charities to understand its level of cyber security, protect it against common cyber attacks and show the public and other stakeholders that it is serious about cyber security.

All charities are also encouraged to use a range of NCSC Active Cyber Defence Tools, most of which are free.

Responding to a cyber attack

The Charity Commission states that all charities should have in place a plan of how to respond to a cyberattack, by way of a policy or cyber attack action plan. The guidance gives tips on what to include in the plan.

If a charity has been the victim of cyber crime, it should report this to Action Fraud. Action Fraud can provide advice and support to limit the damage to the charity, to assist experts and the police in understanding the types of attacks used by cyber criminals and provide insight for other charities to learn from and prevent similar attacks.

Protecting charities from fraud

Fraud is the most common type of abuse within the charity sector, and so trustees are expected to manage the charity’s resources responsibly to identify the risk of fraud, to take action to protect the charity and check that the actions are working.

The updated guidance provides information about what to do if a charity discovers or suspects fraud, with a key emphasis on reporting fraud and attempted fraud to Action Fraud to get further advice. It is also important for charities to understand how the fraud happened to prevent future similar attacks.

For charity trustees, the guidance sets out a number of responsibilities. Namely, charities are expected to know and understand their responsibilities to prevent cybercrime, to have strong financial management and governance, understand the risks to the charity and to promote a culture of fraud awareness.

The guidance suggests a number of actions for charities to prevent fraud, including:

• Adopt and implement an anti-fraud policy, and implement training where required
• Review fraud risks annually, or after a fraud or attempted fraud
• Run checks to ensure that financial controls are being followed
• Overall, charities must promote an anti-fraud culture

By following the updated guidance, charities can put in place better measures to protect themselves from cyber threats and fraud, cultivate a culture of cyber security awareness, and ensure their resources are used effectively to support their missions and beneficiaries.