Clare Mills: How my charity dealt with a cyber breach

11 Nov 2021 Voices

Clare Mills, head of communications and external affairs at NAVCA, on what she learned - and what she did - when her charity was targeted by cyberhackers

Cyberhackers … Ugh.

Faceless criminals using their digital skills to steal data and money. And targeting charities too, right before Christmas.

Surely there’s nothing there to be thankful for – so why am I grateful to the cyberhackers?

Hacked

At the start of December 2020, our CEO Jane Ide had moved on to a new role, and the process to recruit a new CEO had started. In the interim I and my senior colleagues Anna Pashley (head of membership) and Alex Boys (head of business development) were sharing out many of the responsibilities that a CEO carries.

That in itself was a learning experience, but for this piece I’m focusing on my temporary responsibility as NAVCA’s data controller.

We’d had some problems accessing our general mailbox and our IT service had taken steps to find out what was going on.

I had a call… “Someone has accessed the mailbox and changed the password, then they’ve used it to send out some emails.”

Readers, we had been cyberhacked, and potentially had a data breach.

Priorities

My immediate priority was to make sure our digital systems were not still being used by persons unknown for ‘bad things’. The second was to make sure we had security in place to prevent this happening again.

Our fantastic IT service, Resolve IT in Sheffield, were so helpful and calming. It only took them a short amount of time to come back to me with a more detailed report: that the mailbox had been accessed and the password changed; that it had been used to send a (presumably phishing) email to 144 addresses; but that no further penetration of our systems had happened.

It can happen to anyone

Cyberhackers use clever techniques to access mailboxes, steal data, fool people and persuade us to send information and money. Being deceived or making a mistake can happen to anyone.

Figures published by the Department for Digital, Culture, Media and Sport state that “four in ten businesses (39%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months. Like previous years, this is higher among medium businesses (65%), large businesses (64%) and high-income charities (51%)”.

While we should all have robust processes and systems in place to keep our data and resources safe, attacks are a regular feature and the chance is that some of us will fall victim.

Letting people know

Having dealt with the immediate risks, the next step was to contact everyone whose data was potentially exposed as a result of the attack.

We also had to report this potential data breach to both the Information Commissioner’s Office and the Charity Commission.

We didn’t have vast swathes of emails in the mailbox; our analysis identified around 200 individuals whose personal data had been at risk, and bank account details for just over 200 organisations. But it still felt disappointing, personally, to tell those people that their data had potentially been exposed.

Knowing that cyberattacks are common, and that one small business in the UK is attacked every 19 seconds, helped to reassure me that we would not be the only organisation in this position, and we changed our procedures and updated the security on our accounts to increase the likelihood of withstanding an attack in the future. It was also a good opportunity to provide updated cybersecurity training to everyone in the organisation, which we now run at least annually – cybercriminals update what they do, so we need to stay up to date as well.

Reporting duties

I’d never had to report a potential data breach to the ICO, and I’d never had to contact the Charity Commission about reporting a serious incident either.

Both organisations had a simple and straightforward process to follow and, importantly, a culture of encouraging reporting and transparency. I am pleased to say that this reflected the approach and the culture we maintained at NAVCA.

It was really important to me that our team worked together in our response to the cyberattack. We worked collectively and constructively to learn together and improve our security.

Our chair and trustees were fully supportive of this, and I think it's been really important to set the tone for our team from the very start of the response. We value having an organisational culture where people understand it's OK to say when things have gone wrong, so we can all help each other.

Learning

So, why am I grateful to the cyberhackers? Because I (and the rest of the team) learned a huge amount as a result of the attack.

Firstly, it was fantastic to see everyone in our team working together, supporting each other, and acting in the best interests of those whose data had potentially been exposed, as well as our members and our organisation. Despite the nine months of pandemic and the end-of-year, December fatigue which we were all feeling, people stepped up to do what was needed, quickly, efficiently and collaboratively.

I was proud of our team and our culture which made this possible.

Secondly, it was a chance to test our procedures for dealing with a data breach, responding to a cyberattack, and managing crisis communications.

We’d spent some time in previous months making sure we had procedures in place and thinking through what action would be needed, and in what order. Working through a plan – adapting it slightly in response to circumstances – was so much easier than having to start from scratch. Because we’d had time to plan before we found ourselves in the middle of a situation, we didn’t miss anything.

And thirdly, we used the situation to talk to NAVCA’s members and share our experience.

If there are so many attacks taking place, by skilled digital criminals, the risk of being a victim rises. Organisations are made up of people, and people feel a range of emotions when caught up in a cyberattack. Research from the Money and Mental Health Institute says that “40% of all online scam victims have felt stressed as a result of an online scam. Many victims feel embarrassed and ashamed, often blaming themselves”.

By sharing what happened, we hope that we can demonstrate there’s no need to be negatively affected by those feelings of embarrassment and shame – and there’s no sense in trying to conceal what happened.

Instead, we can contribute to a positive culture where we can be open, learn and draw strength from our experiences.

(Oh and just to be clear – I’m not wishing the cyberhackers a happy Christmas. And I certainly hope I don’t have to go through this ‘learning experience’ again).

Civil Society Voices is the place for informed opinion, and debate about the big issues affecting charities today. We’re always keen to hear from anyone, working or volunteering at a charity, who has something to say. Find out more about contributing and how to get in touch.
