What can charities do to reduce their risk of digital fraud?
Firstly, recognise the risk and have a look at the culture of the organisation and see where are the most important parts to address.
It’s a bit of a gap analysis really, but once you recognise the risk it’s easier to see whether you need to focus on your staff and your staff awareness etc.
The very nature of lockdown and maybe future working, where staff might be physically dispersed, means that you need to think how you are going to communicate with your staff, how are you going to securely give this awareness out, how are you going to share infographics and posters and how your online training might work - so those are key things.
The other side of it is of course to look at your IT. Where is your data, where are your systems, what is it that the fraudsters are after?
Ensure that the business processes around the movement of money are solid. And again that goes back to culture to a certain extent. So this is all down to internal processes, what’s the authorisation process and double check core processes for these kinds of transactions.
And thirdly, looking at your IT systems, depending on the size of the IT system you have, whether you have IT staff there, make sure that your backups are robust, they’re working and they’re not attached to the computers you’re backing up.
I’ve unfortunately had to deal with some of our customers who’ve been hit by ransomware and realised their backup services weren’t working properly and lost a lot of data. You don’t want to be in that position. It’s best to prepare for these things, so question how well you are backing up your systems. Do you test those resources to make sure if you need to get the data back you can get it back quickly and keep your business running?
Make sure your mobile devices are encrypted and secured. Again, people do lose tablets and laptops and that’s the last thing you want, even if there’s a password on them a fraudster can take the hard disk out and read all the data, read all your emails and everything else on there - that’s not good.
That’s a very straightforward thing to do, so there’s questions you can ask your IT team, individual or supplier on how those things are secured.
Make sure that you just keep everything up-to-date. One of the easiest ways and the most common ways fraudsters get onto systems is to take advantage of known vulnerabilities.
They’re often not very complex fraud scams and they’re taking advantage of things that are published already in the public domain, which may well have standard patches, security updates for, certainly on Windows you’ll see those, certainly on Google Chrome and Firefox and a lot of the other tools and bits of software that people use on their laptops. They’re all subject to regular security updates. If you do those as they arrive, you’ll keep yourself secure.
That’s a very straightforward thing to do. Even the most non-technical people would be able to configure their PCs to do that quite easily using the Microsoft help screens.
Along similar lines, making sure that your antivirus software is up-to-date. Those are very straightforward things and a lot of these ideas and points I’m raising here are detailed quite succinctly on the NCSC website and I’d suggest that charities do have a look at this: this is the National Cyber Security Centre.
There has been a focus there for the last year or so on the not-for-profit sector and helping them to become more resilient. There is lots of good material on there, lots of good awareness material. Some of it is written in a very non-technical way so IT, charity IT leaders and certainly the charity trustees can understand what’s required.
From the smallest organisation to medium-to-large charities, there’s lots of useful material there. There are lots of good papers on the ways of addressing some of these risks. Some good infographics as well that will be quite useful to share among your staff so they can understand the part they can play in helping to secure an organisation.
So, slightly changing that culture of trust to one that’s a little bit more cynical and that’s going to try and protect your donors and your donors’ money and try and protect the funds that you’re collecting on behalf of your charity in your campaigns.
And being a little bit more wise to some of these fraudsters out there. The reality is if a fraudster has problems getting through, they generally will just move on to the next and they won’t waste too much time where they find they’re not getting any traction.
I think what we would try and do in CAF, and we've been working with the NCSC and some other suppliers as well, is to provide free services, free materials to help charities’ awareness of these risks, and just try and improve that so that we see less and less fraud affecting the charity sector in the UK.