Original article by Kirsty Marrins at Charity Digital
How Charities Can Protect Themselves from Fraud
Sign up to the Active Cyber Defence Programme
The NCSC provides a range of free cyber security services and tools as part of its Active Cyber Defence Programme.
Carry out a risk assessment
Identify where your charity may be at risk from fraud and what level of risk each area poses. For example, everyone working for a charity is at risk of receiving phishing emails, but not everyone would be exposed to the threat of internal financial fraud.
Provide training
It’s important that employees understand the ways that fraud can occur, especially new types of fraud. Practical training can help them identify suspicious activity, as well as how to report it internally — or even externally in a whistleblowing scenario.
Strengthen your IT
You can strengthen security by implementing two-factor authentication for email, etc., as well as ensuring that software is regularly updated via automated updates. The latter is sometimes referred to as ‘patch management’.
Putting the right cyber security technology in place is essential.
Use fraud detection tools
The NCSC provides a free Early Warning service. By registering, your charity will be alerted to the presence of malware and vulnerabilities affecting your network, including high level alerts that suggest your system has been compromised.
Have a response plan
Ensure that everyone knows the steps they need to take in the event of fraud or a major security breach. An incident response plan can help you to respond quickly and effectively, and potentially minimise the damage.
Take out cyber insurance
According to the 2022 Cyber Security Breaches Survey by the Department for Digital, Culture, Media and Sport, 30% of charities identified a cyber attack in the last 12 months. Yet only 22% of charities had cyber security insurance (as part of a wider insurance policy) and just 5% had a specific cyber insurance policy. With the rise in technology and AI fraud, charities should ensure that they have cyber insurance.
What to Do If Your Charity Has Been a Victim of Fraud
If your charity has fallen victim to fraud, there are several things that you will need to do.
Report the fraud
For serious incidents, such as a significant loss of money or a ransom attack, you must report it to Action Fraud, which is the UK’s national fraud and cyber crime reporting centre. Trustees must report the incident to the Charity Commission as soon as possible.
Review your risk register
Make sure that you review and update your risk register at your next board meeting.
Step up security
If necessary, step up security. For example, if the fraud occurred internally, then set up a system whereby two people need to sign off payments. If it was cyber fraud, ensure that your IT systems are up to date, purchase additional security software and ensure staff are trained to spot anything suspicious.