Cyber fraud risks for charities

24 October 2016

Cyber risk seems to be the new phenomenon, but is that the reality? The terminology is new, but the risks have been around for several decades. Cyber fraud is a broad term that covers several aspects of risk. It is often committed by those with low levels of sophistication, but with access to tools widely available on the dark web. It is now more prevalent than ever, with instances of data theft and compromised financial systems causing organisations significant losses and reputational damage.

There is a host of risks that fall under this umbrella, but those becoming increasingly commonplace for charities are:

  • email scams;
  • deployment of malware or malicious code to extract data; and
  • ransomware. 

There are two factors to consider when assessing the risks of cyber fraud and security.

The technical aspect:

  • Do you understand your IT infrastructure?
  • How and where do you store your data?
  • How robust are access controls?
  • What systems do you operate, and who has access to the information they hold?
  • What devices do you use, and what controls do you have over the issue / collection of your IT devices?
  • How secure or sensitive is your data and, most importantly, what are you doing to gain assurance in this area?

The behavioural aspect: more money than ever is being spent on increased IT defences, yet instances of fraud are increasing. Why?

In part, because of people. Those who use your systems are one of the key risks, whether they are using systems for non-work-related activity or bringing their own devices (BYOD) to assist with flexible / remote working. Do your staff know the common risks and types of scams which often result in fraudulent activity? If you don’t educate your staff, how will they know?

Keeping up with this emerging and varying threat is part of the challenge; however, there are some key things you can do to protect your charity and your staff:

  1. remember the worth of your data to others;
  2. establish what good cyber resilience looks like for you;
  3. staff remain the weak link: engage staff in the process;
  4. strength in depth with your IT controls: don’t ignore the importance of good basic controls; and
  5. an effective incident management / response plan is key to maintaining your reputation.