Charities and Community Groups
There are over 450 registered charities in Jersey (as of December 2022). These charities provide services and support for thousands of Islanders. This includes some of the most vulnerable members of our community.
Charity and community groups are vulnerable to cyber attacks for two key reasons:
Most Jersey charities are small. This means they might not have access to professional knowledge and skills. This includes specialist skills like IT support.
Because charities are small, volunteers may use personal devices for their roles. Personal devices are less likely than work devices to have basic security measures in place. This makes them an easier target for a cyber attacker.
Most charities will have data that could be attractive to a cyber attacker. This could be information about staff, volunteers, or the people you help. It could include email addresses, names, or home addresses. If you take donations, you might have large amounts of financial information.
If a cyber attack on your charity or community group was successful, it could:
- expose personal information about volunteers, donors and the people you help
- damage your reputation among volunteers and the general public
- reduce donations or volunteer support
These factors will make it harder to carry out your core mission. This is why it’s vital that charity and community groups have basic cyber security measures in place.
We’re here to offer information, advice and support. For more information, contact us, or check our Advice and Guidance page for the latest information.
If you have any questions, you can contact us:
- by phone on 01534 500050
- via email (hello@jcsc.je)
- or by booking a meeting with the team
How could a cyber attack affect my charity or community group?
A cyber attack could affect your charity or community group in many ways. How it affects you will depend on the type of attack, and what the attackers have managed to access.
This page gives examples of some of the issues you might face.
Service delivery
An attack might mean you can’t access specialist software or web-based services. This could include platforms that you use to manage any cases you handle, or organise your events. It could also include any Client Relationship Management (CRM) applications you use.
If you rely on any of these services to function, you might be able to use paper-based solutions. But these alternatives will most likely make running your services more difficult. In some cases, there might not be alternatives. This will mean that you have to stop running some services for days, weeks, or months.
Safeguarding
Every charity or community group working with children has safeguarding responsibilities. This is also true if you work with vulnerable adults. A cyber attack could stop you accessing your records, and make it harder to report concerns. This could put children and vulnerable adults at risk.
Volunteer management
Many charities rely on a rota of volunteers to provide their services. You may rely on a spreadsheet shared by email, or a third party platform to organise your volunteers.
Whichever method you use, you could lose access to it after a cyber security attack. A lack of available volunteers could mean that you can’t provide your services as usual.
Fundraising and finances
A cyber attack could stop your charity or community group from completing basic financial tasks. This includes ordering equipment or paying suppliers. A cyber attack could also stop you from taking donations in the short term.
In the long term, a cyber attack might mean people are wary of donating to you in the future. This could have a long-lasting effect on how you provide your services and whether you can provide them at all.
How to protect your charity or community group
Potential cyber criminals are always developing new techniques and approaches. This means that there’s no way to guarantee that your charity or community group is safe from every cyber attack.
However, there are several steps staff and volunteers can take to reduce how likely you are to be the victim of a cyber attack.
Back up your important information
- Identify which information is critical and make sure that you have a segregated backup. This backup can be online, for example, through a cloud-based service. It can also be offline: on a USB stick, an external hard drive, or a computer which is not connected to the internet.
- Schedule regular backups of your data. This will mean that you have access to the most recent version of your critical information.
- Test your backups regularly. This will mean you know if the backups are working. It will also mean that you understand how to recover the information if you need to.
Protect against malware
Malware is a piece of software which is designed to damage, disrupt, or gain access to your systems. All staff and volunteers should take the following steps to stop malware causing harm:
- You should install antivirus software and firewalls on all devices. This includes any personal devices that volunteers use. Antivirus software detects and removes any malicious software or viruses from your computer. Firewalls create a protective barrier between your network and external networks.
- Make sure that staff and volunteers only download apps from approved stores. For Android phones and tablets, you should use Google Play. For Apple phones and tablets, you should use the Apple App Store.
- Update all your IT devices regularly. This process is called patching. It means that the developer of your device has identified security issues and fixed them. Your staff and volunteers should also patch any personal devices they use. We recommend that you aim to install patches no more than 14 days after they’re released by the developer.
Secure smartphones and tablets
Many volunteers will use their personal devices to complete their tasks. Your charity or community group may also have shared devices which several volunteers use.
- Make sure that all staff and volunteers are using strong passwords. The National Cyber Security Centre (NCSC) suggests using a combination of three random words.
- If staff and volunteers need to remember different passwords for different systems, encourage them to use password managers. These store all your passwords securely and safely, which means you only need to remember one strong password.
- Avoid using unknown wi-fi hotspots, especially in public places. Staff and volunteers should use their mobile networks instead.
Be wary of phishing attacks
- Cyber attackers use phishing as a way into a system or network. They will often send an email to trick a user into clicking a link or downloading an attachment. The attachment or link will allow the attackers to steal the user’s information.
- Ensure that staff and volunteers are aware of this risk, and that they remain vigilant.
- If an attacker uses phishing to get access to your administrator accounts, they can cause a lot of damage. You can limit this damage by making sure that only a few users have access to administrator accounts. This is referred to as the principle of “least privilege.”
- You should also check who has administrator access on a regular basis. It may be that former volunteers and staff still have access: these old accounts could be used to attack your systems.
For more information, visit our advice and guidance page.
The Jersey Charitable Skills Pool (JCSP)
If you need cyber security support but can’t afford to pay a commercial supplier, you can apply to the Jersey Charitable Skills Pool (JCSP).
JCSP is run by the Channel Islands Information Security Forum (CIISF). Businesses with cyber security staff can donate up to ten hours of staff time per year. This time is pooled into one resource, and charities and not-for-profits can apply to the pool.
If you are successful, JCSP will put you in contact with a specialist who can support you.
You can apply for different types of support including:
- technical support with a specific issue or service
- cyber security training for staff or volunteers
- developing security policies and processes
You can also make a joint application with another charity or community group.
Cyber Essentials
Cyber Essentials aims to protect organisations against a range of cyber attacks. The scheme is backed by the UK Government and is available in Jersey.
Cyber Essentials is a certification scheme. To be certified, you need to have basic cyber security measures in place. This scheme focuses on preventing the most common types of cyber attacks. These attacks are usually targeted at organisations that have no basic protections.
Once you’ve introduced these measures, then you can become certified. There are two different levels of certification.
Cyber Essentials (CE). To reach this level, you take part in a self-assessment. This process is easy-to-follow so that even small organisations can take part. This level of certification costs from £320 (from 2 April 2024).
Cyber Essentials Plus (CE+). This level builds on the CE accreditation. We recommend this certification if your organisation uses technology to deliver your service. We also recommend this for organisations that process confidential data. What you pay for CE+ will depend on how big your organisation is.
Find out more about on-Island providers of Cyber Essentials.
Jersey Cyber Shield
Jersey Cyber Shield is a free service offered by JCSC for organisations. We have designed it to give you extra protection by working with the security measures you already have in place.
We use four methods to find security weaknesses which an attacker could target. If we find weaknesses, we tell you what they are so that you can address them.
Jersey Cyber Shield is suitable for different sizes of organisation and is free to join. (There are some optional elements which are more complex. Because of this, we may need to request a contribution if you want access to these services.)
You can find out more about Jersey Cyber Shield on this page.
Useful resources
If you need more information about cyber security, your IT provider should be your first contact.
The UK’s National Cyber Security Centre (NCSC) has advice, guidance, and training for small charities.
- A guide for small charities. This contains information on setting secure passwords, keeping devices safe, and avoiding phishing attacks.
- A report on the threats facing UK charities. It’s likely that Jersey charities and community groups will face similar threats.
- A guide on how to securely use video conferencing.
Reporting an incident
If you experience a major cyber security incident and report it to us, we can help you in several ways. We can provide technical advice and guidance to help you respond. We can also use our access to intelligence and expertise to help inform how you respond.
In some circumstances, we can provide direct technical support, and help you communicate.
You can also report an incident by phone on 01534 500050, via email (incidentreports@jcsc.je) or online via this form.
Find out more about how we can help.
There are a range of organisations you should contact: in some cases, this will depend on the nature of the incident.
The States of Jersey Police (SoJP). You should contact the SoJP where a crime has taken place, or if you suspect that a crime has taken place. They have the ability to handle digital forensic investigations. More information on how to report a crime is available via the SoJP website.
Jersey Office of the Information Commissioner (JOIC). You should report the incident to JOIC if the cyber attack has led to a personal data breach. You can find more information on when and how to report a breach via the JOIC website.
Action Fraud. Action Fraud is the UK reporting centre for fraud and cybercrime. You can make a report via the Action Fraud website.