Cyber Security in the Third Sector - A Deep Dive
Last Thursday I was lucky enough to attend the ACO's first Finance Forum hosted by Charles Stanley, one of the UK’s leading Wealth Managers. It was fantastic to gain more insight into the current topics in Charity Finance led by David Locke, Director of Finance and Operations, and Chris Coopman, Financial Controller from the Royal Agricultural Benevolent Institution (R.A.B.I). These topics included Risk Management and the importance of having a robust strategy to achieve the organisation's aims and targets. Chris went on to explain that one of the biggest risks facing the Third Sector is inadequate financial controls concerning cyber security.
Cyber attacks have become one of the most pressing and increasing threats of today, with 19% of charities facing cyber crime once a month. Charities, due to limited resources and expertise, are considered especially vulnerable. It's important to state here that for-profits consider cyber security an increasing threat; however, they are better equipped in terms of resources to cope with it. The most common issues include data breaches, ransomware attacks, DDoS attacks, and hacktivism.
Data breaches pose a severe risk, potentially compromising confidential client and donor information, as well as internal data such as transaction history and inventory lists. Ransomware involves encrypting digital files and demanding a ransom for their release. DDoS attacks aim to overwhelm a target website with fake traffic. Hacktivism, driven by ideological motives, is a growing concern for non-profits.
A recent ransomware attack on The British Library left us in awe last week, causing a major outage, and impacting services across multiple locations. With over 11 million annual website visitors and 16,000 daily users of its collections, the library, home to 150 million items, fell victim to a ransomware group. The attack, detected on October 28, prompted protective measures, and an ongoing forensic investigation involves collaboration with the National Cyber Security Centre, the Metropolitan Police, and cybersecurity experts. It seems that even one of the largest libraries in the world could not have anticipated such a large-scale attack. How are we to expect micro and small charities to do the same?
Sam Edwards, a Senior Manager in Non-profit at Moore Kingston Smith, emphasised the cybersecurity risks faced by charities and organisations. He pointed out that in 2022, UK organisations encountered an average of 788 cyber attacks per week, marking a substantial 237% surge compared to the previous year. Charities, in particular, are susceptible targets for cybercriminals, given the substantial amounts of personal data they hold from customers, donors, and stakeholders. There are around 169,029 registered charities in England and Wales, with a combined annual income of £83.8 billion. It was discussed that smaller charities that use third-party suppliers could be at risk. Third-party IT support is beneficial for charities with minimal funds, which can use it to save on cost. However, according to The Cyber Threat Report (2023), only 12% of charities recognise third-party attacks as a risk.
If a hacker gains access to the supplier's systems, they could access the information from all the organisations or companies that the supplier supports with IT. In 2020, this happened to a company called Blackbaud, a popular CRM provider for the third sector. They raised concerns about the potential theft of bank account information and passwords. While Blackbaud initially reported the compromise of personal data, excluding payment details, a recent admission suggests a broader impact. Affected organisations, including the University of Birmingham and the National Trust, collaborated with Blackbaud to assess the extent of the breach. Following this, charities and universities had to manage the incident by informing all donors and customers. As you can imagine, if this information is leaked, it could be extremely damaging not only to the customers and donors but also to the charity's reputation.
Charities must not only consider the risks within their own organisation, but also be able to ask their third-party suppliers about their risk management when it comes to cyber security. It is essential for the third sector to consider all the ways their data could be compromised, especially organisations that use their own personal technology or do not have effective cyber training in place. If you are interested in learning more about how you can protect your organisation, please read the Cyber Threat report: UK charity sector (link below) for more information. Additionally, if you have any questions regarding available cyber-security training for your team, please feel free to send me a message.
Great article Hannah, thanks for coming along last week!