Cyber Security for UK Charities - A Best Practice Guide

A simple, best practice guide that explains the importance of cyber security for UK charities, including grants, training and AI, to keep your charity safe.


This best practice guide to cyber security for UK charities explains why it will be even more important in an AI-enabled world. Charities already face increasingly sophisticated cyber security risks, and, with the rise of AI, the risk of cyber attacks will significantly increase and entirely new cyber threats may well emerge. This resource provides guidance on cyber security for small charities and, at the end, grants for cyber security, training and a charity cyber security FAQ section that explains the technical terms simply.

To access all of our charity AI services and support, and our huge range of free services to find funding, free help and resources, register with Charity Excellence.


Cyber Security for UK Charities - Threats

The main cyber security threats to UK charities include:

  • Phishing attacks: Cybercriminals impersonate legitimate entities to deceive charity staff into revealing sensitive information or transferring funds.
  • Ransomware: Malicious software encrypts charity data, demanding payment for its release.
  • Data breaches: Unauthorised access to confidential information, such as donor details, can lead to reputational damage and legal repercussions.
  • Website attacks: Hackers exploit vulnerabilities in charity websites to inject malware or deface pages.
  • Social engineering: Manipulating individuals to disclose confidential information or perform actions detrimental to the charity's interests.

Cyber Security Breaches Survey 2024 - Charities

The DfS&I published the Cyber Security Breaches Survey 2024, which found that around a third of charities experienced some form of cyber breach or attack in the last year. Some 66% of charities with an income of more than £500,000 a year experienced a cyber incident in the last year.

How Will Charity Cyber Security Change with AI?

As AI technology advances, cyber threats are evolving in tandem, posing new challenges for charities to navigate. Here's how these threats are changing:

  • AI-powered scams: Picture this: you receive an email that looks just like it's from your bank or a trusted charity, asking you to update your account details urgently. With AI, scammers can now create incredibly convincing fake emails or websites that are almost indistinguishable from the real thing. They can even use deepfake technology to manipulate audio and video, making their scams even more convincing. These sophisticated scams can easily trick unsuspecting individuals into revealing sensitive information, such as passwords or credit card numbers.
  • Misinformation campaigns: AI can be used to spread false information on a massive scale. Imagine a charity launching a new fundraising campaign, only to have it derailed by thousands of fake social media accounts spreading rumours and lies about their work. These misinformation campaigns can damage the charity's reputation, undermine public trust, and make it harder to raise funds and support its cause. With AI, spreading misinformation has become easier and more effective than ever before.
  • Increased risk exposure: AI systems are not immune to bias or manipulation. Consider an AI-powered chatbot designed to assist donors on a charity's website, or an AI tool used to analyse the data in your CRM or another system. If not carefully programmed and monitored, such a system might inadvertently discriminate against certain groups of people or provide inaccurate information. Hackers could also exploit vulnerabilities in AI algorithms to manipulate outcomes or gain unauthorised access to sensitive data.

What Is The Increasing Charity Cyber Security Threat from AI?

The greatest cyber security risks for charities are likely to come from AI-powered scams and misinformation campaigns. These threats are expected to become even more sophisticated and widespread over the next 5-10 years. By 2025, it is projected that AI-powered cyber attacks could cost over £6 trillion annually worldwide. Charities don't have huge amounts of money or data in comparison to companies, but are often seen as easy targets by scammers because of their often weak cyber security.

  • Fake Charity AI Scam: Clone and fake charity sites already exist but AI will make creating such sites far simpler, running the risk of far greater numbers undermining trust in charities overall, as well as creating convincing stories and fake imagery, and manipulating emotions to drive donations.
  • AI-Powered Phishing: Many phishing emails are easy to spot because of poor English and/or being obviously amateurish. AI can very quickly and easily not only make these emails far more effective, but can also be used to personalise them with convincing and emotionally engaging content, tailored to exploit individual vulnerabilities.
  • AI-Generated Fake News: Misinformation campaigns may leverage AI to generate convincing fake news articles promoting fraudulent charity events or highlighting fabricated crises. These articles could spread rapidly on social media, deceiving users and driving them to contribute to illegitimate causes. There is also a serious risk of these being used to demonise charity beneficiaries far more effectively.
  • AI-Enhanced Social Engineering: Scammers may employ AI to analyse social media profiles and generate highly targeted messages to solicit donations or personal information. By mimicking the language and behaviour of legitimate organisations, these scams could deceive individuals into believing they are interacting with trusted organisations or individuals.  Here's an example.
  • Deepfake Videos: AI-generated deepfake videos could depict fabricated scenes of charity work or testimonials from supposed beneficiaries, aiming to manipulate viewers' emotions and solicit donations. These videos may also be used to spread fake news to demonise or frighten people, particularly groups such as refugees, women and the BAME and LGBTQI+ communities.

How Should A Charity Respond to a Cyber Attack?

  • Immediately isolate affected systems from the network to prevent further spread of the attack. Disconnect compromised devices from the internet and other networked resources.
  • Notify appropriate internal and external stakeholders about the cyber attack.
  • Seek professional assistance from your IT provider or other IT security experts to assess the extent of the breach, identify vulnerabilities, and implement remediation measures.
  • Identify and patch any vulnerabilities exploited during the cyber attack. Update software, firmware, and security configurations to prevent similar incidents in the future.
  • Reset passwords and access credentials for compromised accounts and systems.
  • Monitor network traffic and system logs for any signs of further malicious activity.
  • Review your cyber security and ensure people are made aware of how to protect against cyber attack in the future.  I have created 2 cyber security checklists below - one for charities and a second personal one for their people, such as vulnerable beneficiaries.

Charity Cyber Security Best Practices Checklist

Regular Training:

  • Conduct induction, on-the-job or other training to educate people on how to identify and respond to cyber threats.
  • Provide practical examples of phishing emails and other common scams to enhance awareness.
  • Emphasise the importance of reporting suspicious activities promptly to their line manager or other person nominated to deal with cyber security.

Implement Robust Password Policies:

  • Enforce the use of strong passwords comprising a combination of letters, numbers, and special characters, such as !.
  • Encourage staff to avoid using easily guessable passwords, such as "password" or "123456".
  • Regularly remind employees to update their passwords and avoid sharing them with others.

Enable Multi-Factor Authentication (MFA):

  • Enable MFA wherever possible to add an extra layer of security beyond passwords.
  • Use authentication methods like SMS verification codes sent to your phone, authenticator apps, or biometric verification.
  • Ensure staff understand how MFA works and encourage its use for all accounts, especially those with access to sensitive data.

Keep Software and Systems Updated:

  • Regularly install security patches and updates for IT operating systems, applications, and antivirus software.
  • Enable automatic updates where feasible to ensure timely protection against known vulnerabilities.
  • If applicable, regularly review and assess the compatibility of software and systems with your charity's IT infrastructure.

Backup Critical Data Regularly:

  • Enable automatic back up or establish a routine backup schedule for critical data, including accounting, CRM and beneficiary databases.
  • Store backup copies securely, preferably offline or in an encrypted cloud storage solution.
  • Test data restoration procedures periodically to ensure backups are reliable and accessible when needed.

For Larger Charities, Consider Developing a Cyber Incident Response Plan:

  • Create a plan outlining steps to be taken in the event of a cyber security incident, such as a data breach or ransomware attack.
  • Assign specific roles and responsibilities to staff members to facilitate a coordinated response.
  • Conduct tabletop exercises or simulations to practice incident response procedures and identify areas for improvement.

Cyber Security Checklist for Individuals

Verify Authenticity of Emails and Websites:

  • Check the sender's email address for any discrepancies or unusual characters that may indicate phishing.
  • Hover over links in emails to preview the URL (web address) before clicking, and ensure they lead to legitimate websites.
  • Look for secure indicators like HTTPS and a padlock icon in the address bar when visiting websites to verify their authenticity.

Exercise Caution with Unsolicited Communications:

  • Be wary of unexpected emails, messages, or phone calls requesting personal or financial information.
  • Verify the identity of the sender through independent means, such as contacting the charity directly using trusted contact information.
  • Don't feel pressured to respond immediately to urgent requests for information or action; take time to check these are from people or organisations you trust.

Avoid Clicking on Suspicious Links or Attachments:

  • Avoid clicking on links or downloading attachments from emails or messages that seem suspicious or unexpected.
  • Be cautious of email attachments with file extensions like .exe or .zip, as they may contain malware.
  • If in doubt, contact the sender directly to confirm the legitimacy of the attachment before opening it.
  • Do not use a phone number or email address given in the email or message you've received, as it may be fake.
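The three checklists above (sender address, link destination, HTTPS, urgency, risky attachments) can be turned into simple automated checks. The script below is an added example, not code from the original page; the sample emails, the domain `example-charity.org.uk`, the look-alike character mapping and the extra file extensions beyond `.exe` and `.zip` are all constructed assumptions for the demonstration.

```python
"""Heuristic checks on a suspicious email (added example, not the page's code).
Sample messages, domains and word lists are constructed for the demonstration."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# The page names .exe and .zip; the other extensions are assumed additions.
RISKY_EXTENSIONS = (".exe", ".zip", ".scr", ".js", ".vbs", ".bat", ".iso")
URGENCY_WORDS = ("urgent", "immediately", "today", "suspended", "final notice")
# Assumed digit-for-letter swaps used in look-alike domains (e.g. examp1e for example).
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TRUSTED = ("example-charity.org.uk",)  # constructed: the charity's own domain

def normalise(domain):
    """Lower-case a domain and undo common look-alike substitutions."""
    return domain.lower().translate(LOOKALIKES)

def check_sender(msg, trusted_domains):
    """Compare the real sending domain with the display name and trusted domains."""
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if not domain:
        return ["sender: no usable From address"]
    if any(ord(ch) > 127 for ch in domain):
        findings.append(f"sender: non-ASCII characters in domain {domain!r}")
    if domain not in trusted_domains:
        findings.append(f"sender: domain {domain!r} is not a trusted domain")
        for trusted in trusted_domains:
            if normalise(domain) == normalise(trusted):
                findings.append(f"sender: {domain!r} looks like {trusted!r} with swapped characters")
    for trusted in trusted_domains:
        if trusted in display_name.lower() and domain != trusted:
            findings.append(f"sender: display name mentions {trusted!r} but address is {domain!r}")
    return findings

def check_links(html):
    """Flag links that are not HTTPS or whose visible text names a different site."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        target = urlparse(href)
        if target.scheme.lower() != "https":
            findings.append(f"link: {href} does not use HTTPS")
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if re.match(r"https?://", shown, re.I):
            shown_host = urlparse(shown).hostname or ""
            if shown_host != (target.hostname or ""):
                findings.append(f"link: text shows {shown_host} but points to {target.hostname}")
    return findings

def check_attachments(msg):
    """Flag attachments whose extension commonly carries malware."""
    return [f"attachment: {part.get_filename()} has a risky extension"
            for part in msg.walk()
            if part.get_filename() and part.get_filename().lower().endswith(RISKY_EXTENSIONS)]

def check_urgency(subject):
    """Pressure to act immediately is a classic social-engineering sign."""
    hits = [w for w in URGENCY_WORDS if w in subject.lower()]
    return [f"pressure: subject uses urgency wording {hits}"] if hits else []

def analyse(raw_email, trusted_domains=TRUSTED):
    """Run every check and return the findings (an empty list means nothing suspicious)."""
    msg = message_from_string(raw_email)
    findings = check_sender(msg, trusted_domains) + check_urgency(msg.get("Subject", ""))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings += check_links(part.get_payload())
    return findings + check_attachments(msg)

# Constructed phishing sample: look-alike sender domain, misleading link text,
# plain-HTTP link, urgent subject and a .zip attachment (attachment body omitted).
PHISHING_EMAIL = """\
From: "example-charity.org.uk Donations Team" <donations@examp1e-charity.org.uk>
Subject: URGENT: update your bank details today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Confirm at <a href="http://login.examp1e-charity.org.uk/verify">https://example-charity.org.uk/donate</a></p>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

--b1--
"""

# Constructed legitimate sample for comparison.
CLEAN_EMAIL = """\
From: "Donations Team" <donations@example-charity.org.uk>
Subject: Thank you for your donation
Content-Type: text/html

<p>See <a href="https://example-charity.org.uk/donate">our donation page</a>.</p>
"""
```

Calling `analyse(PHISHING_EMAIL)` returns seven findings (the look-alike domain, the mismatch between display name and address, the urgent wording, the non-HTTPS link, the link text that names a different site, and the `.zip` attachment), while `analyse(CLEAN_EMAIL)` returns an empty list. These are heuristics, not proof: a message that passes every check can still be a scam, so the checklist's advice to verify through independent contact details still applies.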

Refuse to Share Sensitive Information Unnecessarily:

  • Be cautious about sharing sensitive personal or financial information, such as passwords or bank details, especially in response to unsolicited requests.
  • Avoid entering sensitive information into AI systems or platforms, unless you have opted out of data sharing and are confident it will not be shared.
  • When in doubt, seek clarification from trusted sources or refrain from sharing information altogether.

Review Social Media Privacy Settings and Profile Information:

  • Adjust your privacy settings to limit who can see your posts, photos, and personal information. Choose the most restrictive settings possible to maintain control over your data.
  • Be cautious about the amount of personal information you include in your social media profiles and minimise the details that are publicly visible.
  • Be cautious when accepting friend requests or connections from unfamiliar individuals. Verify the identity of the person and consider whether you trust them before granting access to your personal information.

Grants for Cyber Security for Charities

To find grant funding for cyber security, use the Tech funding search category in Funding Finder.  Another option is the NCSC’s Funded Cyber Essentials Programme for small UK companies and organisations.

Cyber Security Resources and Training

NCSC - AI and cyber security: what you need to know.

NCSC: Cyber Security for small organisations (free online training).

NCSC: Small Business Guide: Cyber Security.

NCSC: Top tips for staying secure online.

ICO: 11 practical ways to keep your IT systems safe and secure.

Charity Cyber Security FAQS

What is a URL?  In simple terms, a URL in an email is like a web address or a link that you can click on. It's a way for someone to direct you to a specific website or webpage. For example, if you receive an email from a charity with a link to their donation page, the URL in that email would take you directly to that page when you click on it. It's important to be cautious with URLs in emails, as they can sometimes lead to fake websites or scams. Always make sure the URL looks legitimate and matches the website you expect to visit before clicking on it.

What does HTTPS mean?  HTTPS stands for Hypertext Transfer Protocol Secure. It's a way of making sure that the information you send and receive on a website is encrypted, or scrambled, so it's harder for hackers to read. It's like sending a secret message that only the sender and the intended recipient can understand, keeping your online activities safer and more secure. So, when you see "https://" at the beginning of a web address, it means the website is using this extra layer of security to protect your data.

What is Multi-factor Authentication (MFA)?  Multi-Factor Authentication adds an extra layer of security by requiring users to provide more than one form of identification, like a password and a code sent to their phone, before accessing an account or system.

How do I set up Multi-factor Authentication (MFA)? To set up MFA, go to your account settings on the platform you're using (like email, social media, or banking). Look for the security or privacy settings and find the option to enable MFA. Follow the instructions to link your account with a second form of verification, like a phone number or authentication app. Once set up, you'll need to enter this second code or approve the login on your phone whenever you log in from a new device or location.

What is encryption? Encryption scrambles your data into a secret code, making it unreadable to anyone who doesn't have the key to unlock it. Many messaging apps, email services, and cloud storage platforms offer encryption features built in.

How do I set up encryption?  To encrypt your emails or files, look for options like "encrypt message" or "encrypt attachment" when composing an email or uploading a file. You can also use third-party encryption tools for added security.

How do I create a strong password?  Strong passwords are essential for keeping your accounts secure. Aim for passwords that are at least 12 characters long and include a mix of uppercase and lowercase letters, numbers, and symbols. Avoid using easily guessable information like birthdays or common words. Consider using a passphrase—a series of random words strung together—for added security. If you struggle to remember your passwords, a password manager can help you generate and store strong passwords for each of your accounts.
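The rules in the answer above (12 or more characters, mixed character classes, no common words or dates, or a passphrase of random words) can be checked and applied in code. The script below is an added example, not code from the original page; the common-password set beyond "password" and "123456", the date pattern and the 16-word list are constructed assumptions, and it uses Python's `secrets` module because passwords must come from a cryptographically secure random source.

```python
"""Password checks and generators following the guidance above (added example,
not the page's code). The word list and common-password set are constructed."""
import math
import re
import secrets
import string

MIN_LENGTH = 12
# The page names "password" and "123456"; the rest are assumed additions.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
# Years such as 1987 or 2024, and dates such as 14/02/1987, are easily guessable.
DATE_RE = re.compile(r"(19|20)\d{2}|\b\d{2}/\d{2}(/\d{2,4})?\b")
# Constructed 16-word list: far too small for real use (see the entropy function).
WORDS = ("badger", "copper", "window", "meadow", "lantern", "pencil", "harbour",
         "thunder", "velvet", "orange", "saddle", "marble", "whistle", "cactus",
         "pillow", "ember")

def check_password(password):
    """Return the ways a password falls short of the guidance; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if DATE_RE.search(password):
        problems.append("contains what looks like a year or date")
    return problems

def make_password(length=16):
    """Generate a random password (secrets, never random) until it passes every check."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate

def make_passphrase(n_words=4, separator="-"):
    """Join randomly chosen words; strength comes from word count and list size, not the words."""
    return separator.join(secrets.choice(WORDS) for _ in range(n_words))

def passphrase_entropy_bits(n_words=4, list_size=len(WORDS)):
    """A passphrase carries n_words * log2(list_size) bits of entropy."""
    return n_words * math.log2(list_size)
```

Note the entropy figure: four words from this 16-word list give only 16 bits, which is why real passphrase generators draw from lists of thousands of words (a 7,776-word list gives about 12.9 bits per word, so roughly 52 bits for four words). A password manager does this arithmetic for you and is the practical answer for most people.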

What is a Password Manager? A password manager is a tool that securely stores and manages all your passwords in one place.

How do I set up a Password Manager? To set up a password manager, choose a reputable service.  Well known ones include LastPass, Dashlane, or 1Password. Sign up for an account and install the password manager's browser extension or mobile app on your devices. Create a strong master password to protect your password manager. Then, whenever you need to log in to a website or service, let the password manager generate and store unique, strong passwords for you. It will automatically fill them in when you visit the login page.

What is phishing? Phishing is a common cyber attack where scammers trick you into giving them your personal or financial information.

How do I protect myself from phishing?  To protect yourself from phishing, be cautious of unexpected emails or messages asking for sensitive information. Check the sender's email address and look for spelling mistakes or suspicious links. If you're unsure whether an email is legitimate, contact the organisation directly using trusted contact details, not those provided in the suspicious message.

What is ransomware? Ransomware is a type of malware that encrypts your files and demands payment for their release.

How do I protect myself from ransomware?  Protect your devices by keeping your antivirus software and firewall up to date. Be cautious of downloading files or clicking on links from unknown or untrusted sources. Regularly back up your important files to an external hard drive or cloud storage service. In the event of a ransomware attack, you can restore your files from the backup without paying the ransom.

What is a social engineering cyber attack? Social engineering is when hackers manipulate people into giving them access to sensitive information or systems.

How do I protect myself from a social engineering attack?  To protect yourself from social engineering attacks, be sceptical of requests for sensitive information, especially if they seem unusual or urgent. Verify the identity of the person making the request through independent means, like calling them back using a known phone number. Don't share personal or financial details unless you're sure of who you're dealing with.

What is a prompt injection attack? A prompt injection attack is when someone tricks an AI-powered system, such as a chatbot, into executing commands or providing sensitive information by inserting malicious instructions into a prompt or input field. It's like sneaking a command into a conversation or form on a computer to make it do something it shouldn't.

How do we respond to a cyber attack?  To respond to a cyber attack, immediately isolate affected IT systems, notify relevant stakeholders, seek professional IT assistance, patch any vulnerabilities, reset passwords and access credentials, monitor network traffic and system logs for further malicious activity. Review your cyber security and ensure people are made aware of how to protect against cyber attack in the future.

Free Charity AI

In addition to the 6 systems within Charity Excellence, we provide a whole range of free charity AI services, toolkits, insight briefings and training.

This Charity Cyber Security Article Is Not Professional Advice

This charity cyber security article is for general interest only and does not constitute professional IT, legal or financial advice.  It has been created partly by using ChatGPT.  I'm not an IT security expert, so not able to provide this, and I cannot write guidance that covers every charity or eventuality.  I have included links to relevant guidance, so you can check to ensure that whatever you do reflects correctly your charity’s needs and your obligations.  In using this resource, you accept that I have no responsibility whatsoever from any harm, loss or other detriment that may arise from your use of my work.  If you need professional advice, you must seek this from someone else. To do so, register, then login and use the Help Finder directory to find pro bono support. Everything is free.

We are very grateful to the organisations below for the funding and pro bono support they generously provide.

With 40,000 members, growing by 2000 a month, we are the largest and fastest growing UK charity community.


Charity Excellence Framework CIO

14 Blackmore Gate
United Kingdom
HP22 5JT
charity number: 1195568
Copyrights © 2016 - 2024 All Rights Reserved by Alumna Ltd.