Charities must face up to their cyber risk
- Many charities are not aware of their dangerous exposure to cyber risk
- The British Pregnancy Advice Service was fined £200,000 for failing to spot a vulnerability
- How your insurer can provide support
The challenges of running a charity are many and varied, including the endless drive to maintain a good public profile and keep donations coming in. But these fundamental responsibilities could be undermined in an instant by a risk that has shouldered its way onto trustees’ portfolios – cyber attack.
An example of exactly what’s now at stake came in March 2014 when The Information Commissioner’s Office (ICO) imposed a fine of £200,000 on a small charity, the British Pregnancy Advice Service (BPAS), for inadvertently exposing thousands of personal details to a hacker.
The charity had failed to realise that its website was storing the name, address, date of birth and telephone number of everyone who requested a call back for advice on pregnancy issues. Consequently, the information wasn’t secure and a hacker was able to exploit a weakness in the site’s code, steal the data and threaten to publish it.
Although this never actually happened – the data was recovered by the police following an injunction obtained by the BPAS – the charity was thrust into the media spotlight, exposing it to public criticism, and the subsequent fine was a cautionary example of exactly what’s at stake when small organisations with limited resources neglect their cyber security.
There is no doubt that the modern world demands a more digital operation and charities need to be online. But as they take more donations online and collect financial data in the process, or maintain databases of supporters’ personal details online, they need to appreciate that the risk of incurring a liability if they suffer a breach is also increasing.
In addition, EU rules require organisations to demonstrate what security measures they have in place.
Zurich advises all charities, whatever their size, to talk to their insurer and take risk management advice to assess their vulnerabilities and ensure that the personal data they are responsible for is kept under strictly secure conditions.
While good cyber security is absolutely essential to do this correctly, this is not just an issue to be delegated to the IT department. Effective staff training must not be neglected. Take an all-enterprise approach to ensuring everyone knows what is expected of them when handling data, with regular refresher courses.
Too many security breaches stem from simple errors, such as sensitive emails mistakenly addressed to the wrong person or staff mislaying data on mobile drives, and these vulnerabilities are particularly evident in organisations that make use of extensive numbers of volunteers. Zurich can advise on how to do all you can to minimise this risk.
The fundamental lesson to take from the BPAS case is that ignorance is no excuse. Addressing the cyber threat on a limited budget, while facing pressure to keep administrative costs low and operational spending as high as possible, is tough. But it has to be done, and the right advice can make all the difference.