NCSC report outlines key cyber threats facing UK charity sector

Case Studies show how disruptive and costly incidents can be, including a ransomware attack on the Edinburgh Festival Fringe Society that ended up costing £95,000 and a business e-mail compromise incident, which subsequently cost a hospice in the West Midlands £17,000.

The NCSC’s report also warns about the threat from cyber criminals taking advantage of public generosity during times of hardship by masquerading as charities to receive donations. This trend has been observed recently following the Russian invasion of Ukraine.

For their part, charities are actively encouraged to follow the NCSC’s guidance in order to help improve their own cyber resilience and should also sign up to free Active Cyber Defence tools that will assist in mitigating the threats highlighted.

Understanding the risks

NCSC CEO Lindy Cameron noted: “The UK’s charities are doing fantastic work every day. Digital services and online fundraising are now playing a crucial role here. While it’s only right that technology should play a part in helping charities, this does open up the possibility of cyber attacks. On that basis, it’s important for charities to understand the risks.”

Cameron continued: “The NCSC is here to help. I would urge all charities to reduce their vulnerability by reading our latest report, following our guidance and making use of the tools available to them.”

Stuart Andrew, Minister for Civil Society and Youth, said: “As charity fundraising and services increasingly move online, charities are more susceptible than ever to cyber attacks. It’s therefore vital that they’re aware of how to stay safe and mitigate against risks. This new report from the NCSC provides crucial guidance when it comes to protection from cyber harm and I would strongly urge all charitable organisations to follow its advice.”

Helen Stephenson, CEO of the Charity Commission for England and Wales, explained: “Charities play a crucial role in our society and in every community. They save lives and provide many of the services that make life worth living. All charities ultimately rely on public trust and continued public generosity, though, so the impact of any cyber attack can be devastating, not just for the organisation and those who rely upon its services, but also in terms of undermining public confidence and support.”

Stephenson went on to comment: “Taking steps to stay secure online is not an optional extra for trustees, but rather a core part of good governance. We welcome this report from the NCSC and encourage trustees to take early action in order to protect their charities from cyber harm.”

Overarching cyber threats

The NCSC report aims to highlight the overarching cyber threats posed to the sector and equip UK charities with the information they need to take action and boost their cyber resilience. It outlines how charities are vulnerable to the same cyber risks as commercial businesses, but might be seen as more attractive targets.

The key threats for charities to remain vigilant against include phishing, ransomware, business e-mail compromise and fake organisations and websites.

The NCSC has published a range of free guidance and advice to help charities improve their cyber defences, including the Small Charities Guide and Free Training for Small Charities.

Charities are also eligible to take up some services offered as part of the NCSC’s Active Cyber Defence Programme. This includes free tools and services, among them Web Check, Mail Check and Exercise in a Box.

Organisations looking to ensure they have baseline cyber security protections in place should consider taking up Cyber Essentials, itself a Government-backed certification scheme designed to help mitigate the majority of cyber attacks.

Smaller organisations in the charity sector can now access free support and put the necessary controls in place under the new Funded Cyber Essentials Programme, which the NCSC launched just prior to Christmas.