OCTOBER 2019
Cybercrime is a rapidly growing threat to the charity sector, causing direct harm to charities and beneficiaries alike. Everyone has a part to play in tackling this problem. The Charity Commission for England and Wales, together with government partner, the National Cyber Security Centre, is committed to helping charities address this threat by giving them the understanding and tools they need to combat cybercrime. Public trust and confidence in the sector relies upon good governance in charities, and ensuring effective cyber security is a vital component.
This report highlights the main findings from our cybercrime survey of registered charities in England and Wales during March 2019.
The Commission, supported by the Fraud Advisory Panel, contacted a representative and randomly selected sample of 15,000 charities, achieving a 22% response rate.
The results represent the largest survey ever undertaken into cybercrime in the UK charity sector, and provide insights into the threats facing the sector and the actions required to combat them.
Headline figure (percentage not recoverable from the page): proportion of charities that think cybercrime is a major risk to the charity sector
Headline figure (percentage not recoverable from the page): proportion of charities that believe cybercrime is a greater risk to the charity sector than to other sectors
The initial results of the survey are encouraging, with many charities managing the risk well, but there’s more that can be done.
Charities are increasingly aware of the risk of cybercrime, with larger charities more likely to appreciate the threat. This may be because larger charities generally have a greater capability to detect cybercrime. Many small and medium sized charities are less aware of the cybercrime threat, yet are probably more at risk.
CHARITIES SHOULD ACKNOWLEDGE THE SUBSTANTIAL THREAT OF CYBERCRIME AND UNDERSTAND THE HARM IT CAN CAUSE THEIR CHARITY.
Phishing and malicious emails are perceived to be the main cyber threat. In most charities the overall responsibility for cyber security sits predominantly with the Board.
CHARITIES SHOULD CLARIFY RESPONSIBILITY FOR MANAGING THE RISK OF CYBERCRIME AND ENSURE IT’S A GOVERNANCE PRIORITY FOR THE BOARD.
(these results relate only to where a cybercrime has occurred in the last 2 years)
Large charities are more likely than smaller charities to be the victim of a cybercrime with phishing/malicious emails the most common method of attack. The high volume of such attacks means that virtually any organisation can fall victim. Smaller charities remain a target.
CHARITIES SHOULD RAISE AWARENESS OF CYBERCRIME AND ENCOURAGE TRUSTEES, STAFF AND VOLUNTEERS TO RAISE CONCERNS, ESPECIALLY WHERE PHISHING ATTACKS AND MALICIOUS EMAILS ARE SUSPECTED.
(these results relate only to where a cybercrime has occurred in the last 2 years)
The effectiveness of internal arrangements, in particular IT controls, combined with the awareness of staff and volunteers, is critical in the speedy identification of cybercrime. Charities should not rely on accidental identification as a control. The high level of reporting to the Board is encouraging but more needs to be done to report to external agencies such as the police.
SUCCESSFUL CYBER-ATTACKS SHOULD BE REPORTED TO THE BOARD AND TO APPROPRIATE EXTERNAL ORGANISATIONS, INCLUDING THE POLICE AND CHARITY COMMISSION.
(these results relate only to where a cybercrime has occurred in the last 2 years)
Encouragingly, two thirds of charities took action to strengthen their defences after a cyber-attack, with revised IT security arrangements and new or updated training the principal responses.
CHARITIES SHOULD ACT EARLY AND REVIEW PREVENTION ARRANGEMENTS BEFORE A CYBERCRIME HAS OCCURRED.
Headline figure (percentage not recoverable from the page): proportion of charities that don’t know which type of cyber-attack they’re most vulnerable to
Headline figure (percentage not recoverable from the page): proportion of charities that reported the cybercrime to the Board
Headline figure (percentage not recoverable from the page): proportion of cybercrimes that were identified by internal IT controls
Headline figure (percentage not recoverable from the page): proportion of charities that reported cybercrimes to the police
Trustees can self-assess their charity against the checklist at the end of this report, consider the case studies provided and use the good practice guidance available via the links below. Taking these simple steps will help improve knowledge levels and boost resilience. All charities, regardless of size and type, are encouraged to make an immediate impact by taking action now.
Guidance and further info
The National Cyber Security Centre and Charity Commission have worked together to develop resources relevant to charities of all sizes.
This guide provides quick, simple, free/low-cost steps to improve cyber security: www.ncsc.gov.uk/charity
Guidance for IT teams and cyber security professionals. This guide breaks down the task of defending your networks, systems and information into its essential components, providing advice on how to achieve the best possible security for your charity in each of these areas: www.ncsc.gov.uk/collection/10-steps-to-cyber-security
Hosted by the Charity Commission, these webpages feature best practice guidance from across government, professional organisations and the Charities Against Fraud Group: http://www.gov.uk/guidance/protect-your-charity-from-fraud
Part of International Charity Fraud Awareness Week – each year a series of themed webinars and fact sheets is produced, aimed at boosting cyber resilience in the sector. Visit the online hub: www.fraudadvisorypanel.org/charity-fraud/get-involved
Relevant for larger charities, this guidance helps Boards and senior managers understand cyber security from a governance perspective, making it easier to have productive conversations with technical colleagues: www.ncsc.gov.uk/collection/board-toolkit
CASE STUDY 1
Responding to multiple cyber-attacks
A charity was the subject of five successful malware attacks over a three-month period. These included WannaCry ransomware, which exploited vulnerabilities in older, unsupported operating systems, and a crypto-virus that entered the charity network via a remote access route.
Cybercriminals attempted to extort 30 Bitcoins from the charity, valued at that time at £186,000. The charity did not pay out, but instead undertook forensic IT activities to quantify the damage and put in place arrangements to mitigate the harm caused.
It was found that server backups had also been compromised. Although staff pay and other charity activities were affected for a three-week period, no data breaches were identified.
CASE STUDY 2
Email account hacked and attempted mandate fraud
A charity worker had their email account hacked. A subsequent email sent by a legitimate partner charity was diverted by the hacker, altered to contain new bank account information and then forwarded on to the charity worker as originally intended. The altered email now requested that the charity make a £7,000 grant payment to a new bank account, controlled by the hacker, rather than to the legitimate account of the partner charity. This is a type of cyber-enabled mandate fraud.
Fortunately the charity worker was told that the email account had been hacked and had become suspicious of the email regarding change of bank details. The grant payment was not made. Subsequent checks confirmed that the email had been fraudulently altered. The charity worker took immediate steps to enhance controls by strengthening passwords used and installing a new hard drive on the computer.
CASE STUDY 3
Phishing attack
A large medical funding charity suffered two phishing attacks in a short period of time after fraudsters gained access to the email accounts of four senior officers of that charity. This occurred after the senior officers clicked on links in a hoax email, entering passwords which then allowed fraudsters access to sensitive information.
The police were contacted after the phishing attack was discovered and the incident reported to the Charity Commission and Information Commissioner’s Office. Thanks to the immediate action that was taken there was no financial loss.
The charity has since taken steps to be more open and transparent about security breaches, including listing the phishing attack in their Annual Report. The charity also introduced a staff awareness training programme and hired a cyber-security specialist.