Liz Brownsell, Partner and Head of Charities, discusses Charity Fraud Awareness Week (17 – 21 October 2022) and our top tips for charities to minimise the risk of fraud and cybercrime.
Despite a common misconception, charities are targeted for cyber-attacks in the same way as companies and other organisations. Charities unfortunately do not have any special protection, and therefore cyber criminals might consider charities to be an easier target.
Cyber-attacks can occur either internally or externally, and it is important for charities to raise awareness to ensure that their people know how to:
- minimise risk
- identify issues; and
- take action by reporting appropriately (see our top tips below).
In a recent survey commissioned by the Department for Digital, Culture, Media and Sport, 30% of charities reported that they had experienced a cyber-attack in the previous 12 months. This survey was carried out between October 2021 and January 2022. 26% of the affected charities experienced a cyber-attack at least once per week during the 12 months and 38% experienced at least one negative impact of the cyber-attack, which includes loss of money or data.
Charity Fraud Awareness Week is an award-winning campaign, which took place between 17 – 21 October this year, with the purpose of encouraging charities to consider how fraud and cybercrime affect them and to create a safe space to discuss this and share good practice. Various regulators were involved with the initiative, including the Fraud Advisory Panel, which promoted the hashtag #StopCharityFraud to support the week.
In the wake of this campaign, and given the abundance of useful resources and information being made available specifically to the charity sector, now is the perfect time to reflect on how you can protect your charity by minimising exposure to fraud and cybercrime in the digital world.
The Birketts View
It is important for charities to ensure that their people are equipped to deal with fraud or cybercrime situations in order to protect the charity, its data and its funds.
Charity Fraud Awareness Week 2022 has been fantastic in raising awareness of these issues. If this issue has not been high on your agenda, now is a good time to review your current policies, procedures, training and cyber-prevention software and consider what you might need to do to minimise exposure to fraud and cybercrime.
All charity trustees have a duty to safeguard the assets of the charity. Awareness of the issue of cybercrime is steadily increasing, and as resources, guidance and support are increasingly made available to charities, there is a risk that a failure of charity trustees to consider and address this appropriately could amount to mismanagement in the administration of the charity.
Whilst it is, of course, impossible to entirely eliminate the risk of your charity becoming the victim of a cyber-attack, the Charity Commission will increasingly expect charity trustees to take appropriate steps to mitigate the risks in order to fulfil their duties as charity trustees.
Top tips
- Minimise risk
Anti-virus protection is a basic priority. Whilst this will not entirely protect your charity, it acts as a shield against malicious software and should deter many viruses.
All trustees, staff and volunteers with access to any of the charity’s IT systems should have strong passwords and change these regularly. People should also ensure they use different passwords for each system on their computer to minimise the impact of any successful cyber-attack, in the unfortunate event that any passwords are discovered.
- Identify the issue
Training on fraud and cybercrime is a must, in order to ensure that all trustees, staff and volunteers with access to any of the charity’s IT systems understand and are able to identify the signs of a potential cyber-attack, for example identifying a phishing email (a method used by cyber-attackers to trick a person into revealing confidential information or installing malicious software).
It is important to ensure that all trustees, staff and volunteers with access to any of the charity’s IT systems understand the signs to look out for, as this will minimise the risk of successful cyber-attacks.
- Take action
Having clear policies and practices in place will inform your trustees, staff and volunteers of the processes to be followed if they believe there has been an attempted (or successful) cyber-attack. Any policies and procedures must be easily readable and accessible to all people with access to any of the charity’s IT systems to optimise success.
It is important that attempted (or successful) cyber-attacks are promptly reported internally, so that you can take swift action to remedy issues and/or minimise impact. To encourage people to report potential fraud and cybercrime, it is important to promote transparency. This includes avoiding a ‘blame culture’, as this might result in people failing to report suspicions for fear of the potential consequences. This is not an easy ‘tick-box’ exercise, and how you approach this will require careful thought and depend on your charity’s culture and activities.
In addition to having clear policies and procedures on fraud and cybercrime to help ensure that appropriate action is taken internally, it can be helpful to provide the option of reporting fraud or cybercrime under a whistleblowing policy. This allows a person who has a reasonable belief of fraud or cybercrime to report this to an appropriate external third party. Whilst this should generally be used as a last resort, having a whistleblowing policy is helpful where a person does not feel comfortable reporting internally – for example, if the report they wish to make is about a suspected fraud by a person within the charity.
Conclusion
We are all using digital software more than ever before. It is critical for charities to protect data and cash, both in the best interests of the charity and to maintain public trust and confidence.
We strongly recommend that all charities take time to consider the risk of cybercrime, take steps to minimise and mitigate those risks, and ensure that anyone with access to any of the charity’s IT systems is appropriately trained and supported so as to be able to identify issues as they arise and take appropriate action.
Helpful tools
There are helpful tools widely available online for charities to use free of charge on Government and National Cyber Security Centre websites, including:
- The 24/7 cyber-attack helpline;
- Online Webinars; and
- Online Training.
We would encourage you to take a look at the above tools for some useful guidance to ensure that you have the appropriate safeguards in place.
How can we help?
- Our Employment Team is happy to assist with drafting or reviewing anti-fraud and whistleblowing policies, particularly where charities wish to include bespoke drafting to incorporate their own rules.
- Our Data Protection Team can draft or review data-related policies, ensuring these are fully compliant with the updated UK GDPR legislation.
- If your charity is the victim of fraud or a cyber-attack, it is important to consider whether a Serious Incident Report should be submitted to the Charity Commission. Our Charities Team can advise you on the requirements and assist you with drafting an appropriate report.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at October 2022.