The Charity Commission has issued an alert to charities and has provided regulatory advice on cyber attacks under the Charities Act 2011, following the recent ransomware attack on NHS services.
Over 200,000 organisations, including the National Health Service (NHS), in 150 countries have been affected by a recent ransomware attack. The vulnerabilities exploited by the hackers are the same for charities as they are for individuals, public or private sector organisations.
The City of London Police and the National Cyber Security Centre (NCSC) have issued protection advice, which the Charity Commission urges all charities to follow.
The advice includes key protection information, urging all organisations to:
- install system updates on all devices as soon as they become available;
- install anti-virus software on all devices and keep it updated;
- create regular backups of your important/business-critical files on a device that is not left connected to your network, as any malware infection could spread to a connected backup device too; and
- not meet any stated demands or pay a ransom – this may be requested via Bitcoins (a form of digital or ‘crypto’ currency).
The NCSC guidance also includes specific software patches to apply, which prevent uninfected computers on a network from becoming infected with the ‘WannaCry’ ransomware.
Charities have also been urged to be cautious if they receive any unsolicited communications from the NHS.
The protection advice is:
- any email address can be spoofed – do not open attachments or click on the links within any unsolicited emails you receive, and never respond to emails that ask for personal/charity information or financial details; and
- the sender’s name and number in a text message can be spoofed – so even if the message appears to be from an organisation you know of, continue to exercise caution, particularly if the texts are asking you to click on a link or call a number.
Harvey Grenville, head of investigations and enforcement at the Charity Commission, said: ‘Charities need to be aware of the imminent danger posed by ransomware threats and take appropriate steps to protect their charity from cyber-attack – a charity’s valuable assets and good reputation can be put at risk from these dangerous scams.
‘I urge all charities, if they suspect they may have fallen victim to cyber fraud, to report it immediately to Action Fraud and to the Commission, under its serious incident reporting regime.’
If a charity has fallen victim to a cyber-attack, the incident should be reported to Action Fraud by calling 0300 123 2040 or by visiting the Action Fraud website.
Trustees are advised to also report suspected or known fraud incidents to the Commission by emailing RSI@charitycommission.gsi.gov.uk
Additional in-depth technical guidance on how to protect your organisation from ransomware can be found here.