The National Cyber Security Centre (a part of GCHQ) issued this month its first guidance for smaller charities (https://www.ncsc.gov.uk/charity). The guidance includes several tips across five areas. Many of the recommendations aren’t new, but the relatively short guidance is a useful refresher given the increasing risks in this area.
Most of the tips aren’t exclusive to the not-for-profit sector, but charities are particularly attractive to fraudsters because of a combination of factors: the funds held by a charity are often significant, and the amount of personal and financial data a charity holds within its IT systems can be substantial. Even where significant funds are not held, smaller charities might not appreciate the attractiveness of their data, and they may perceive that cyber protection is not a priority.
The areas covered by the guidance are:
- Backing up your data
- Protecting your charity from malware
- Keeping your smartphones (and tablets) safe
- Using passwords to protect your data
- Avoiding phishing attacks
One of the NCSC’s tips seems particularly timely given – based on a number of conversations we’ve had with organisations over the past year – the increasing number of phishing attempts where the fraudster impersonates an important person within the organisation, perhaps by sending an email which looks authentic. If you are a trustee of a charity, consider how your finance team operates: does your team know how to deal with an emailed payment request from the Chief Executive? Is your finance team supported when suspicious or unusual activity is challenged? Providing training and support with these types of question will strengthen your charity’s defence against many common types of cyber-attack.
And remember: serious fraud incidents within your charity should be reported to the Charity Commission via RSI@charitycommission.gsi.gov.uk, stating what happened and the steps you’re taking to deal with it.
Of course, fraudsters will target any weakness in an organisation’s system of controls, whether or not it relates directly to an IT system.
At Corrigan Associates we can help organisations with the design and monitoring of their control systems, via a bespoke review or work programme of rolling checks, so that directors and trustees are better placed to protect their businesses and charities against fraud.