ARTICLE INTRODUCTION
Not-for-profit organisations in the UK provide essential services to many communities but can be easy targets for data theft. These organisations face unique cybersecurity challenges that can jeopardise their operations and the sensitive data they handle.
To put this into context, government estimates suggest UK charities have been the target of approximately 924,000 cybercrimes of all types in the last 12 months.
This article explores the vulnerabilities of not-for-profits, highlighting real-world implications and offering insights for improvement.
Key cybersecurity risks for non-profits
- Data breaches: Non-profits often rely on third-party vendors for data storage, which can expose them to additional risks if those vendors are compromised.
- Phishing attacks: Email phishing schemes are prevalent, tricking employees into revealing sensitive information, which can lead to identity theft and financial fraud.
- Operational disruption: Cyberattacks can lock non-profits out of their systems, hindering their ability to deliver critical services. For instance, a ransomware attack could encrypt vital data, forcing organisations to choose between paying a ransom or losing access to essential information.
- Reputation damage: A data breach can severely damage a non-profit’s reputation, impacting future fundraising efforts and eroding trust among donors and beneficiaries.
The cybersecurity landscape for Not-for-Profits
According to the National Cyber Security Centre (NCSC), there were around 200,000 charities registered in the UK last year, with a combined annual turnover of £100bn. Organisations in England and Wales were supported by more than one million employees and over five million volunteers. This quantity of valuable data – stored in a single or interconnected system – is like a red rag to a bull for cybercriminals.
Not-for-profits also operate with limited budgets and resources, making them even more attractive targets for cybercriminals. Andrew Hookway, a cybersecurity expert and MD of Extech Cloud, emphasises the importance of cybersecurity in this sector:
“Non-profits are often seen as easy targets due to their limited resources and the sensitive data they handle. It’s imperative that these organisations prioritise cybersecurity to protect not only their operations but also the vulnerable individuals they serve.”
A recent survey revealed that 41% of non-profits have experienced a cyberattack in recent years, yet 56% do not allocate any budget for cybersecurity. This disparity highlights the urgent need for enhanced cybersecurity measures within the sector.
Hookway adds: “Non-profits collect and store sensitive information, including personal data of beneficiaries and donors, making them prime targets for data breaches and this is why the threat of a cyber-attack is so staggeringly high.”
Real-world examples and solutions
Ransomware data breach
Consider the case of a small UK-based charity that provides support to vulnerable families. This organisation, operating on a tight budget, fell victim to a ransomware attack that encrypted their donor database and operational files. The charity faced a difficult decision: pay the ransom or risk losing critical data that could hinder their services.
Ultimately, the charity chose to invest in cybersecurity training for its staff and implemented stronger data protection measures. This proactive approach not only safeguarded their operations but also restored donor confidence.
Extech Cloud’s Andrew Hookway comments: “In this scenario, the charity’s decision to invest in cybersecurity training and robust data protection is commendable. More organisations should follow suit. At Extech Cloud, we aim to help medium-sized businesses recognise these risks and understand how to effectively mitigate them.”
Another scenario involved a humanitarian charity which experienced a significant cyberattack that compromised the personal data of approximately 500,000 individuals. The breach involved sensitive information, including personal details of vulnerable populations that the charity serves, such as refugees and detainees.
It was reported that the attack was sophisticated and targeted the organisation’s servers, highlighting the increasing risks faced by humanitarian bodies. In response, the charity highlighted the importance of cybersecurity measures and the need for ongoing vigilance in protecting sensitive data.
“This cyberattack serves as a stark reminder of the vulnerabilities that even the most established humanitarian organisations face. Protecting sensitive data is not just about compliance; it’s about safeguarding the trust of those we serve,” Hookway concludes.
Business email compromise (BEC) attack
A hospice in the West Midlands experienced a BEC attack, resulting in a significant financial loss. This type of attack involves cybercriminals gaining access to a legitimate business email account and using it to conduct fraudulent activities.
Cyber attackers gained access to the email account of one senior staff member and sent fraudulent emails to the hospice’s finance department, instructing them to transfer funds to a bank account controlled by the attackers. The emails were crafted to appear legitimate, leveraging the compromised account’s credibility.
The financial consequences were substantial. The hospice lost £17,000 in fraudulent transfers, which represented a significant proportion of their operating budget, impacting their ability to provide essential services to patients.
Hookway says: “A BEC attack can have an emotional impact on staff, who may feel violated and betrayed by the breach of the email system. This incident highlights the personal dimension of cyberattacks, affecting not just the organisation but also the individuals involved. Non-profits need to learn lessons from historical cases, anticipating potential cyberattacks and implementing adequate security measures.”
In this case, the organisation initiated a review of its financial controls and processes, although this diverted valuable resources and attention away from their core mission.
The result was stricter email security measures, including multi-factor authentication (MFA) and regular password updates, to prevent future unauthorised access to email accounts. The hospice also introduced comprehensive cybersecurity training for all staff members, focused on identifying phishing emails, verifying unusual requests, and reporting suspicious activities.
In addition, financial controls were strengthened, including the introduction of verification steps for fund transfers, which now require multiple approvals for significant transactions and verification of requests through alternative communication channels.
Why cybersecurity is essential for not-for-profit organisations
As UK cyber threats continue to evolve, not-for-profit cybersecurity at donor trusts and charities must be a priority to protect their operations and the communities they serve. Organisations like these are entrusted with sensitive information, including personal data of donors, beneficiaries, and employees. Given these unique variables, cybersecurity is not just a technical necessity but a fundamental aspect of operational integrity for UK not-for-profits.
Cybersecurity is essential to protect data from breaches that can lead to identity theft, financial fraud, and other malicious activities. Understanding the unique vulnerabilities within your organisation and implementing proactive measures will allow you to enhance your resilience to cyberattacks.
How to protect your business
Extech Cloud is a Managed Security Services Provider (MSSP) and offers comprehensive cybersecurity solutions tailored to the unique needs of not-for-profit organisations that will protect sensitive data and ensure operational continuity.
With our experience implementing multi-factor authentication (MFA) and managing regular security updates, together with our human risk management (HRM) services, you can significantly reduce the risk of unauthorised access. Extech Cloud can also assist with compliance with data protection regulations, ensuring your organisation meets legal requirements and avoids penalties.
Leveraging Extech Cloud’s cybersecurity services will help enhance your data protection and maintain donor trust, so you can focus on your core mission without the constant worry of cyber threats. Our approach ensures that even organisations with limited IT resources can achieve an elevated level of security.
Get in touch today for some expert advice and support.