Cyber attacks happen daily, affecting organisations of all sizes, including charities. West Midlands Police recorded 3,000 victims of fraud in a single week, with total losses of £1 million.
This article outlines the cyber threats facing charities and provides practical steps trustees can take to protect their organisations. The information is based on guidance from DC Neil Howells of the West Midlands Police Cybercrime Unit, delivered at our recent charity conference.
Why do criminals target charities?
Charities hold valuable data and have trusted reputations that criminals can exploit. Sensitive information, including donor databases containing names, addresses, payment details, and financial histories, can be sold or used for identity theft. Compromised accounts can also allow criminals to redirect donations or make fraudulent payments. Your trusted reputation can enable criminals to impersonate your charity and defraud donors.
Personal data about beneficiaries, volunteers, and staff has value on the criminal market, and limited security resources mean that charities often have weaker defences than commercial organisations.
Criminals may not single out your charity, but they send phishing emails and launch network attacks indiscriminately and exploit any weakness they find, so your charity is a target simply by existing.
The entry points for attack
The most common entry point for cybercriminals is phishing, which involves fake emails designed to trick people into revealing login credentials or clicking on malicious links.
The common tactics used include brand impersonation, where fake emails appear to come from trusted services such as Microsoft or banks. These often contain messages that create a sense of urgency and fear, claiming that accounts will be suspended unless immediate action is taken.
Another approach is credential harvesting, which uses fake login pages that capture usernames and passwords. Criminals may also copy your branding to build fake pages that redirect donations.
Phishing works because people process hundreds of emails daily without careful scrutiny. Sophisticated fake websites look legitimate, and staff or volunteers under time pressure may not notice warning signs.
Finding the weakest link
Most password policies require a combination of complexity, including special characters, numbers, and capital letters. This leads to weak passwords, such as "Password1!", that people write on Post-it notes or reuse across multiple accounts.
Criminals use freely available tools to crack weak passwords. Websites like CrackStation hold pre-computed hashes for 20 billion phrases, so a leaked password hash that matches one of them is reversed almost instantly. Examples of weak passwords include "coffeecup1", which takes 58 seconds to crack; common words with numbers, which are cracked virtually instantly; and predictable substitutions like "p@ssw0rd", which offer no real protection.
Many staff send email between their work and personal accounts. This creates pathways criminals can exploit. If criminals access your work account, they can see the link to your personal email. If they then obtain personal passwords, they can access banking, iCloud, and other critical accounts.
Criminals use social media to research organisations and craft targeted phishing emails. Staff social media profiles reveal organisational hierarchies, professional connections, and personal information that can be useful for social engineering attacks.
Being held to ransom
Ransomware involves criminals stealing data from your networks and threatening to release it unless you pay a ransom.
The attack starts with initial access, where criminals gain entry through phishing emails, weak passwords, or technical vulnerabilities.
Then, everything on your networks is copied by the criminals, including information on donors, financial records, details about your employees and volunteers, beneficiary data, and any confidential documents.
The next stage is the ransom demand, which typically requires payment in cryptocurrency to prevent a public release of all the data. A negotiation period follows, often with countdown timers on the dark web. If you do not pay, they release your data for free on criminal websites.
During the live demonstrations at our conference, Neil showed actual stolen data on dark web criminal websites. A school in the United States had its entire network data available for free download after refusing to pay, including CCTV footage, staff lists, and student information. West Lothian Council in Scotland had every file, case conference record, and school report for every child in their system accessible online.
These are not theoretical risks. The data is genuinely there for anyone who knows where to look. The organisations that avoid public leaks are typically large companies with substantial security budgets, or those that paid ransoms (which police do not recommend).
It starts with strong passwords
A clear message from Neil is that strong passwords are long, not complex. Length defeats automated cracking tools far more effectively than special characters.
The personal story method involves creating passwords from personal memories that hold meaning for you. Your first car might become "white.vauxhall.nova.crashed", which would take 2,000 years to crack. A favourite restaurant and meal could be "manor.house.steak.carly", taking 11,000 years to crack. A memorable holiday becomes "cornwall.beach.2015.sunburn" requiring thousands of years to crack.
Use dots or other characters instead of spaces. Make them long enough that automated cracking becomes almost impossible.
The password length matters more than complexity - a 20-character phrase beats a 10-character complex password.
Create memorable stories to use as passwords, because passwords based on personal memories are easier to remember than random characters. Avoid common words and patterns, as single words, even with numbers, are too weak. Do not use predictable substitutions, as changing letters to numbers or symbols adds little protection. Never reuse passwords across accounts: when one service is breached, every account using that password is compromised.
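To make the length-versus-complexity argument above, and the earlier point about pre-computed lookup tables, concrete, here is an added example (not part of the article or the police unit's material). It scores a password two ways: the brute-force keyspace at an assumed guess rate, and whether the password is really just dictionary words once trailing digits and "l33t" substitutions are stripped. The guess rate and the tiny wordlist are constructed assumptions, so the year figures are illustrative and differ from the article's quoted times; the ordering is what matters.

```python
import re
import string

# Assumed offline guess rate against a fast, unsalted hash (constructed figure,
# not a number from the article).
GUESSES_PER_SECOND = 10_000_000_000

# A tiny constructed stand-in for the billions of pre-computed phrases held by
# lookup sites; real lists are vastly larger, this only shows the mechanism.
TINY_WORDLIST = {"password", "coffee", "cup", "white", "welcome", "summer", "letmein"}

# Undo the predictable substitutions the article calls ineffective (p@ssw0rd -> password).
UNLEET = str.maketrans("@$01345", "asoieas")


def charset_size(pw: str) -> int:
    """Size of the combined character classes the password draws from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def brute_force_years(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected years for exhaustive search (on average half the keyspace is tried)."""
    keyspace = charset_size(pw) ** len(pw)
    return keyspace / 2 / rate / (365 * 24 * 3600)


def _segments(text: str, words: set) -> bool:
    # True when text splits entirely into wordlist words (coffeecup -> coffee + cup).
    if not text:
        return True
    return any(text.startswith(w) and _segments(text[len(w):], words) for w in words)


def looks_like_dictionary(pw: str, words: set = TINY_WORDLIST) -> bool:
    """True when every token of the normalised password is built from wordlist words."""
    core = pw.lower().rstrip(string.digits + string.punctuation + " ")  # drop trailing "1!"
    core = core.translate(UNLEET)
    tokens = [t for t in re.split(r"[.\-_ ]+", core) if t]
    return bool(tokens) and all(_segments(t, words) for t in tokens)


def assess(pw: str) -> dict:
    """Both views together: raw keyspace, and whether a lookup table finds it anyway."""
    return {
        "length": len(pw),
        "charset": charset_size(pw),
        "brute_force_years": brute_force_years(pw),
        "dictionary_based": looks_like_dictionary(pw),
    }


if __name__ == "__main__":
    for candidate in ("Password1!", "coffeecup1", "p@ssw0rd", "white.vauxhall.nova.crashed"):
        print(candidate, assess(candidate))
```

Note that "Password1!" scores a large keyspace yet is flagged as dictionary-based, which is exactly why complexity rules alone do not produce strong passwords.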
The three-tier password system
The key is to implement a practical password approach that staff will actually follow.
The recommended approach is to have 'Centre Point passwords' which are for your most critical accounts, including personal email that can reset other passwords, banking and financial accounts, and work email and core systems. These accounts need your longest, strongest passwords based on memorable personal stories. If criminals access these accounts, they can reset passwords for everything else.
Work passwords should be completely separate for work email and systems, charity databases and CRM (customer relationship management) systems, professional social media, and work-related cloud storage. This means that if your work network is breached, your personal accounts remain secure because you have not reused passwords (and vice versa).
A third set of passwords should cover lower-risk accounts, such as shopping websites, streaming services, and low-value accounts, as well as services you rarely use. If these are compromised, damage is limited because they are not connected to critical accounts.
When a service experiences a data breach (which happens regularly), criminals obtain username and password combinations. They then attempt to use these credentials across various banking, email, and other services. If you have properly compartmentalised your passwords, breaches of low-value accounts cannot compromise your critical accounts.
This approach does mean more passwords to keep track of, and occasional reset reminders. However, if services are properly compartmentalised, they do not overlap or intersect, making you more secure overall.
Multi-factor authentication
You should also always use multi-factor authentication, which requires additional verification beyond passwords, typically one-time codes sent to phones or email. Even if criminals obtain passwords through phishing or data breaches, they cannot access accounts without also having access to the phones or email addresses associated with the second authentication factor.
It's essential to implement multi-factor authentication on email systems (both work and personal), banking and financial platforms, donor databases, CRM systems, and any system that contains sensitive data. Additionally, implement multi-factor authentication for administrative access to websites, servers, cloud storage, and file sharing.
Most services now offer multi-factor authentication. The security benefit far outweighs the inconvenience of occasional code entry.
Credit monitoring
As an additional defence, monitor credit scores to detect if criminals use stolen credentials to apply for credit in your name. ClearScore provides free credit monitoring, alerting you to credit applications made in your name. Experian is the official credit reference agency, but it charges after a 30-day initial trial period.
Credit monitoring is particularly important for staff handling sensitive data, anyone whose personal information has been in data breaches, victims of phishing or fraud attempts, and senior staff whose identities criminals might target.
Services alert you monthly about credit applications, enabling you to identify fraudulent activity promptly.
Creating a security-aware culture
Many organisations test staff with fake phishing emails and criticise those who fail. However, the flaw with this approach is that it focuses on blame rather than understanding.
A more effective approach is to help people understand what criminals do and how they do it by showing examples of phishing emails and explaining the techniques used to execute them. It is also advisable to establish safe reporting mechanisms that enable staff to report suspicious emails without fear of retribution or criticism. This way, you make security everyone's responsibility, not just an IT problem.
Going a stage further, you can also recognise good security practices by highlighting and rewarding staff who demonstrate good awareness. And of course, you should provide regular training, as short, frequent updates are more effective than annual training sessions. Explain the consequences so staff understand what happens when attacks succeed, not to scare them, but to emphasise the importance.
Trustee responsibilities
Cybersecurity is a governance issue requiring board-level attention.
Therefore, trustees are responsible for ensuring that appropriate security measures are in place, understanding the cyber risks facing the charity, and allocating adequate resources to cybersecurity. This includes monitoring whether security policies are followed, ensuring staff receive appropriate training, and having plans in place for responding to cyber incidents.
Include cyber risk as a regular item on the board agenda and we expect that it will be high on your charity’s risk register. Trustees should receive reports on security incidents and near-misses, updates on security measures and staff training, assessment of risks and potential impacts, and plans for improving security posture.
- Review and approve cybersecurity policies covering password requirements and management, acceptable use of systems and data, email and internet usage, data protection and handling, and incident response procedures.
- Allocate budget for security software and systems, staff training and awareness, professional advice and assessments, and incident response capabilities.
- Ensure adequate insurance coverage for cyber incidents, understanding that many policies exclude cyber attacks or require specific security measures to be in place.
- Conduct independent security assessments to identify vulnerabilities and ensure the implementation of appropriate controls, and make sure your risk register reflects the outcomes of these assessments and the safeguards you have in place.
If a cyberattack succeeds, report it to the Charity Commission as a serious incident, as delays in reporting can exacerbate regulatory consequences. Notify the Information Commissioner's Office if personal data is compromised, as this is a legal requirement under GDPR. Inform affected individuals whose data has been compromised, explaining what happened and what steps you are taking. Contact police cybercrime units for advice on response and investigation. Review what went wrong and implement improvements to prevent recurrence. Consider whether trustee decisions contributed to the breach, and whether governance improvements are needed.
Cyber insurance
Insurance policies often do not cover cyber attacks, particularly when basic security measures are absent, staff ignore clear warnings or policies, the organisation cannot demonstrate appropriate governance, or negligence can be shown.
- Review your insurance coverage to understand what cyber incidents are covered, what security measures are required as policy conditions, whether coverage limits are adequate, and what exclusions apply.
- Consider specialist cyber insurance if your standard policy does not provide adequate cover. This typically covers forensic investigation costs, legal and professional fees, notification costs to affected individuals, regulatory fines (where insurable), business interruption losses, and costs of restoring systems and data.
Even with insurance, prevention remains far cheaper than dealing with successful attacks.
Free support from Police Cybercrime Units
The West Midlands Police Cybercrime Unit offers free support to charities, including:
- Cyber escape room exercises offer team-building activities that allow staff to learn about cyber threats by collaborating to "hack" fictional criminal systems.
- Health checks assess cybersecurity measures remotely, providing advice on improvements.
- Tailored presentations deliver educational sessions specifically designed for the needs and contexts of individual charities.
- Guidance and advice help individuals understand cyber risks and implement appropriate controls.
The unit does not investigate breaches (handled by other police units), report to the Information Commissioner's Office, criticise organisations for security failures, or sell products or recommend specific commercial solutions. Their role is purely preventative support and education.
Similar support is available from police cybercrime units across the UK. They work with the Cyber Resilience Centre, another police agency offering resources to organisations. These services are free and exist specifically to help charities and other under-resourced organisations protect themselves.
Digital footprints
Another area of weakness is personal digital footprints. Criminals can use staff social media profiles to research organisations and craft targeted attacks. Therefore, consider what information is publicly available, including organisational structure and reporting lines, key staff names and roles, professional connections and relationships, location information, travel plans, and personal interests that may be useful for social engineering purposes.
The advice is not to delete social media accounts. However, understanding what information is publicly available helps assess risks and make informed decisions about what to share.
Staff should review their privacy settings on social media, exercise caution when sharing location information, avoid posting about work systems or security measures, think twice before accepting connection requests from unknown individuals, and understand that criminals may use anything posted online to their advantage.
Implementing cyber security across your charity
The first thing to review is password policies and transition away from complex but short passwords toward longer, more memorable phrases, and then:
- Enable multi-factor authentication on email, banking, and systems containing sensitive data.
- Contact your local police cybercrime unit to request support and advice.
- Arrange basic cybersecurity awareness training for all staff and trustees.
- Review insurance coverage to understand what cyber incidents are covered.
- Implement the three-tier password system across the organisation.
- Conduct a security assessment of current measures and identify gaps.
- Review what personal data you hold and where it is stored.
- Assess social media exposure for the organisation and key staff.
- Implement document security measures to demonstrate governance in the event of a breach.
- Establish incident response procedures so staff know what to do if they suspect an attack.
For ongoing security, make cyber risk a regular item on the board agenda, with updates on incidents, near-misses, and security measures. Provide regular security awareness updates, as short, frequent training sessions work better than annual sessions.
On an ongoing basis, monitor for suspicious activity, including unusual login attempts and unexpected password reset requests. Keep systems updated by applying security patches promptly. Test backup systems regularly to ensure data can be recovered if systems are compromised. Review and update policies as security requirements evolve.
Invest in prevention
Prevention through staff training, strong passwords, and basic security measures costs far less than recovering from successful attacks.
The costs of successful attacks include ransom payments (if you choose to pay, against police advice), lost productivity while systems are down, forensic investigation fees, legal and professional costs, notification costs to affected individuals, Information Commissioner's Office fines, reputational damage and loss of donor trust, potential loss of contracts or grants, insurance premium increases, and staff time dealing with the aftermath.
The majority of charities cannot afford these costs. The disruption alone can be devastating, particularly for smaller organisations. Investing in prevention through training, implementing appropriate security measures, and fostering a security culture is far more cost-effective than dealing with successful attacks.
Please don't wait until it's too late
Cyber threats to charities are real, current, and affecting organisations daily. The consequences of successful attacks can be severe, including financial loss, reputational damage, and loss of donor trust.
The good news is that many attacks can be prevented through relatively simple measures, including strong, memorable passwords using the personal story method, three-tier password compartmentalisation, multi-factor authentication on critical systems, staff awareness and understanding of threats, creating security cultures where reporting concerns is encouraged, and regular board-level attention to cyber risks.
Trustees have a responsibility to understand these risks and ensure appropriate protections are in place. Start by reviewing password policies, arranging training, and contacting your local police cybercrime unit for free support.
The cost of prevention is far lower than the cost of dealing with successful attacks. Take action now, before your organisation becomes another charity dealing with a devastating data breach.
This information is for guidance purposes only and does not constitute legal advice. We recommend you seek legal advice before acting on any information given.