What are the emerging risks? was one of the questions aired at a webinar as part of Charity Fraud Awareness Week. While coronavirus loomed large, it was striking that the main cyber risks facing charities and any organisations have not fundamentally changed since before the pandemic, and indeed for years, the webinar heard yesterday, writes Mark Rowe.
Cub Llewelyn-Davies is the Charity Sector Lead at the National Cyber Security Centre (NCSC). Asked by the webinar chair, Alan Bryce, Head of Counter Fraud and Cybercrime at the watchdog the Charity Commission, if particular types of charities might be susceptible to cyber-crime, Llewelyn-Davies replied; in short, no. Unfortunately, everyone is susceptible, he said. He was making a point aired earlier, by Rita Chadha, CEO of the umbrella group Small Charities Coalition, that (small) charities may feel that they – a horse sanctuary, a hospice, fund-raiser to research a cure for cancer – will not be a target for fraudsters.
Unfortunately, as Llewelyn-Davies explained, while some cyber-attacks are against specific targets, ‘a lot are completely untargeted’, so that any charity or anyone may fall victim to ransomware. The NCSC does offer guidance documents, for example against phishing emails; and NCSC advice about ransomware is to back up your information, so that if you are locked out of your IT, it’s no more than an inconvenience, as you have to re-install files. Otherwise, a ransomware attack can be ruinous.
Llewelyn-Davies warned that the ones more susceptible are the ones that are not prepared; unfortunately.
The discussion ranged over many issues common to all workplaces, and as Alan Bryce pointed out at the beginning of the webinar – arranged by the Fraud Advisory Panel, itself a charity, and free to listen to on the Charity Fraud Awareness website – charities are no different in that they can be targeted, and need to be ‘fraud-aware’.
A profound point made by more than one speaker – and also affecting any workplace – was that the sudden move to remote working away from offices happened in the spring and organisations need to review their controls, whether around shredding of documents, IT passwords (are staff sharing them, for the best of intentions, but adding to cyber risk), banking and accounting, HR (on-boarding and exiting of staff) or safe-guarding. Meanwhile, the informal and formal controls routinely in place in an office are lacking in people’s homes – and who else has access to staffers’, or in the case of charities, volunteers’ and trustees’, laptops?!
When asked by Alan Bryce to sum up the session by offering ‘top tips’, at least three speakers – Llewelyn-Davies; David Clarke, the former senior police detective now chairman of the Fraud Advisory Panel, and Caron Bradshaw, Chief Executive of Charity Finance Group – stressed the need to get the basics right, to minimise the risks. Rita Chadha, CEO of the umbrella group the Small Charities Coalition gave the viewpoint of a small charity, which may not have a trustee or staffer who is a specialist in counter-fraud; hence the need to make sure it’s on the agenda, she said. And hence the whole purpose of the webinar and campaign week, to make charities ‘fraud aware’, whether against cyber threats or the many types of fraud – procurement fraud, over-charging, internal diverting of funds.
A charity Counter Fraud Manager, Phil Sapey, outlined a benefit of making staff, volunteers and beneficiaries ‘fraud aware’; they may well be the ones who spot or are suspicious that a fraud is taking place (and they have the motive to want to protect the charity). Hence staff should know where to report their concerns, such as through a whistle-blowing hot-line. Even if a charity has such a way for people to ‘speak up’, an organisation has to do more than ‘tick the box’; the person receiving the concerns has to know what to do with them.
Alan Bryce summed up: “Now more than ever charities need to be fraud aware and take steps themselves to keep themselves safe from harm. By working together we can keep charity fraud out.”
More about the week and materials at the Fraud Advisory Panel website. The webinar is free to listen to from this link.
More in the December 2020 print edition of Professional Security magazine.
