
Sector Focus: Managing cyber fraud risk

02 Jun 2025 Expert insight

This content has been supplied by a commercial partner.


In an era where cyber threats evolve as fast as technology itself, organisations face unprecedented risk from cyber fraud. While much attention is given to external threats, internal systems are often overlooked – yet they can be either your strongest defence or your biggest vulnerability.

Internal systems

So, how can you ensure your internal systems truly work for you in managing cyber fraud risk?

Start with governance, risk ownership and culture

Cyber fraud is not just an IT issue; it is a business risk that requires organisation-wide awareness and ownership. A strong tone from the top, clear accountability, investment in technology, and a culture where employees feel empowered to report suspicious activity without fear of reprisal are foundational.

We have seen that organisations that embed cyber awareness into their day-to-day operations – through training, regular communications, scenario planning and visible leadership engagement – consistently show higher resilience against fraud.

Map the cyber threats and understand your exposure

Your organisation will have several systems in use across different departments. To set up internal systems in the best way, you first need a clear understanding of the risks and of where the weak spots and exposures lie. The information to consider includes:

  • Identifying crucial data and systems (especially those supporting financial transactions or holding personal/customer information).
  • Understanding how data flows across systems and who has access.
  • Assessing third-party access and supply chain vulnerabilities.
  • Monitoring emerging threats and macro risks relevant to the sector you operate in.

An effective risk assessment that integrates cyber-specific scenarios should therefore be reviewed and updated regularly to reflect the changing environment.

Implement controls that are pragmatic and actually work

We come across situations where policies and procedures exist on paper but fail in practice. Ensuring your internal systems work means embedding proportionate, well-designed controls that strike a balance between security and usability. The technology controls to consider include:

  • Segregation of duties – avoiding giving one individual control over multiple stages of a transaction process.
  • User access management – regularly review user privileges and remove dormant accounts.
  • Multi-factor authentication – particularly for financial systems and remote access.
  • Alerts and exception reporting – these should be actively monitored and not just logged.

Don’t overlook basic hygiene: default passwords, outdated software and a lack of patching remain common root causes of compromise.
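Three of the controls listed above (dormant-account review, multi-factor authentication on financial systems, and segregation of duties) can be checked mechanically from exports that most finance and identity systems already produce. The script below is an added example, not code from the article or from HaysMac. The user export and payment log are constructed sample data, and the field names (user, role, last_login, enabled, mfa, created_by, approved_by) are assumptions about what such an export might contain; map them to your own system's columns.

```python
"""Access-review and segregation-of-duties checks over two constructed exports.

Added example. USERS and PAYMENTS are constructed sample data, not records
from any real organisation; their field names are assumptions about a
typical identity / finance-system export.
"""
from datetime import date, timedelta

# Constructed user-access export (assumed fields).
USERS = [
    {"user": "alice", "role": "finance_admin", "last_login": "2025-05-30", "enabled": True,  "mfa": True},
    {"user": "bob",   "role": "payments",      "last_login": "2025-01-12", "enabled": True,  "mfa": False},
    {"user": "carol", "role": "payments",      "last_login": "2025-05-28", "enabled": True,  "mfa": True},
    {"user": "dave",  "role": "it_support",    "last_login": None,         "enabled": True,  "mfa": True},
    {"user": "erin",  "role": "volunteer",     "last_login": "2024-11-02", "enabled": False, "mfa": False},
]

# Constructed payment log (assumed fields).
PAYMENTS = [
    {"id": "P-1001", "created_by": "bob",   "approved_by": "carol", "amount": 2500},
    {"id": "P-1002", "created_by": "carol", "approved_by": "carol", "amount": 9800},
    {"id": "P-1003", "created_by": "alice", "approved_by": "alice", "amount": 120},
    {"id": "P-1004", "created_by": "bob",   "approved_by": "alice", "amount": 40000},
]

# Roles that can move money; assumed for the example. MFA is mandatory here.
PRIVILEGED_ROLES = {"finance_admin", "payments"}


def _as_date(value):
    """Accept either a date or an ISO-8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def dormant_accounts(users, today, max_idle_days=90):
    """Enabled accounts not used within max_idle_days, or never used at all.

    Disabled accounts are ignored: they are already dealt with. A never-used
    account is reported because it is often a leaver or a forgotten test user.
    """
    cutoff = _as_date(today) - timedelta(days=max_idle_days)
    found = []
    for u in users:
        if not u["enabled"]:
            continue
        last = u["last_login"]
        if last is None or date.fromisoformat(last) < cutoff:
            found.append(u["user"])
    return found


def privileged_without_mfa(users, privileged_roles=PRIVILEGED_ROLES):
    """Enabled users in a money-moving role who do not have MFA enforced."""
    return [u["user"] for u in users
            if u["enabled"] and u["role"] in privileged_roles and not u["mfa"]]


def sod_violations(payments):
    """Payments where one person both created and approved the transaction."""
    return [p["id"] for p in payments if p["created_by"] == p["approved_by"]]


def access_review(users, payments, today):
    """Run all three checks and return the exceptions as a single report.

    Each list is an exception to be actioned (ticketed and owned), not merely
    logged; an empty list means the control held for that check.
    """
    return {
        "dormant": dormant_accounts(users, today),
        "no_mfa": privileged_without_mfa(users),
        "sod": sod_violations(payments),
    }


if __name__ == "__main__":
    # Review date taken as the article's publication date.
    for check, items in access_review(USERS, PAYMENTS, "2025-06-02").items():
        print(f"{check}: {items if items else 'no exceptions'}")
```

On the sample data the review flags bob and dave as dormant (bob last logged in more than 90 days before the review date, dave has never logged in), bob as a payments user without MFA, and P-1002 and P-1003 as self-approved payments. The point of the design is the last function: every check returns an explicit list of exceptions that someone must own and close, which is what separates active monitoring from passive logging.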

Carry out simulation and testing, and make improvements

It’s not enough to have controls; they should be tested under pressure and assessed for effectiveness. Regular testing through simulations, such as phishing campaigns or fraud scenario workshops, builds awareness throughout the organisation and identifies weaknesses before fraudsters do.

Lean on your third line of defence – internal audit assurance

An independent assessment of controls, such as by an internal audit function aligned with the organisation’s fraud risk appetite and cybersecurity strategy, can provide invaluable insight and assurance.

Align technology investments with risk priorities

Continued investment in technology is critical to maintaining a secure and modern infrastructure. It ensures that your systems remain resilient and aligned with evolving cyber threats, while also enabling the first line of defence to be regularly refreshed and updated in accordance with the organisation’s strategic priorities.

The focus should centre on identifying and protecting the organisation’s crown jewels – its most valuable assets, digital assets included – supported by strong governance, a continuous-improvement mindset, and robust risk management and control frameworks. This proactive approach is essential to building resilience and sustaining trust in an increasingly digital landscape.

Rakesh Vaitha is director - risk assurance and advisory services at HaysMac
