Charities are a tempting target for fraudsters – not just because of the high degree of trust involved, but also because charitable organisations across England and Wales spend nearly £80bn a year. And with very little known about the nature and scale of charity fraud, the sector is very vulnerable indeed.
The Charity Commission for England and Wales (partnered by the Fraud Advisory Panel) conducted a study in October 2019. It contacted a representative sample of 15,000 registered charities across England and Wales, receiving a response rate of 22%. This made it the largest ever analysis of fraud committed against UK charities.
The study found that over two thirds of charities think fraud is a major risk. But worryingly, fewer than 9% have a fraud awareness training programme. How does your organisation stack up?
What to look out for
Cybercrime can take many forms. Here’s a reminder of how a data breach or unauthorised network intrusion can occur:
- Staff receiving fraudulent emails
- Viruses, spyware, malware
- Impersonation of your organisation in email or online
- Negligence by your own employees or volunteers.
What’s at stake?
More than you might think. Typical losses include:
- Forensic, legal and IT specialists’ expenses
- PR consultant expenses if your charity’s reputation is harmed
- Data restoration
- Business interruption
- Notification expenses
- Regulatory fines
- Third-party liabilities.
10 steps to reduce the risk
There are many free and low-cost resources available to you as a charity to reduce your exposure to cybercrime. We’ve created an article to signpost you to these here.
In the meantime, here are 10 simple economical steps you can take to reduce your risk of falling victim to a costly cyber attack:
- Education and awareness – Train all employees and volunteers in cyber security principles
- Network security – Protect your networks from attack by using firewalls and antivirus software, and by ensuring software and patches are kept up to date
- Incident management – Establish an incident response plan and disaster recovery capability
- Information risk management regime – e.g. formal cyber security policies or other documentation
- Monitoring – Establish a monitoring strategy and produce supporting policies
- Malware protection – Produce relevant policies and establish anti-malware defences
- Managing user privileges – Establish effective management processes
- Removable media controls – Produce a policy to control all access to removable media
- Keep up to date – Fraud is ever-evolving. To stay ahead of the latest threats, ensure you regularly visit https://www.gov.uk/guidance/protect-your-charity-from-fraud