Cyber Risk and Response

In Advice, Risk Management by Static Author Display Name

Many charities and other non-profit organisations – especially smaller ones – don’t appreciate the value of the data they possess, according to a report by the National Cyber Security Centre (NCSC). What is the risk and how should you respond if you are a victim of cyber-crime?


Unfortunately, cyber-criminals do realise the value of this data and are well-practised when it comes to trying to gain access, making charities vulnerable targets.

While the average person may find it unthinkable to steal from a charity, in addition to cyber criminals there are other parties who may purposefully or inadvertently cause a cyber-attack, data breach, systems outage or leak. These include:

  • Suppliers and third parties—It’s common for charities to outsource the responsibilities of running, maintaining and securing their data which can lead to insecurities.
  • Terrorists—Terrorist groups may deface websites, publish victims’ personal details online or seek to damage the reputation of organisations in order to gain publicity.
  • Nation states—Nation states use cyber-crime to further their agendas and your organisation may fall victim to (or get caught up in) a targeted or wider-scope cyber-attack.
  • Insiders—Disgruntled staff with access to their employer’s data may commit cyber-crimes, such as purposeful data breaches, seeking money or simply for revenge.
  • Hacktivists—Hackers may target charities if they disagree with the charity’s purpose or are motivated by a specific cause; they may use any attack to gain publicity.

In order to prevent cyber-criminals from accessing your charity’s valuable data, follow our Cyber Risk Management Guide for charities, faith-based and non-profit organisations.

The Action Fraud website, introduced below, has a lot of information on avoiding fraud and they regularly release updates and information about new methods that criminals are using, so following their social media accounts or visiting their website regularly is a good idea.


If you are the victim of a cyber-attack, cyber-crime or a similar cyber-enabled fraud, you should remember that the perpetrator is committing a criminal offence; you should contact the police immediately.

The best way to do this is through Action Fraud. Through their website, you can report a crime or even get support for an ongoing incident.

Your IT is technically a ‘crime scene’, so the authorities may want you to undertake specific activities (such as not turning off laptops etc.), to preserve evidence. They can also support your notification to the ICO, if required.

Action Fraud provide support for investigation and resolution and can also refer you to other organisations that may assist further.

Action Fraud should be the first call you make during or immediately after a cyber-attack; with a call to your insurers to report the incident and get further support second (even if you have Cyber Recovery or Cyber Liability).