Third-Party Cyber Risk for Charities: When Your Technology Suppliers Are the Weak Link

Most charities rely on third-party suppliers for their most critical systems: CRM platforms for donor management, case management systems for beneficiary services, digital fundraising platforms, payroll providers, and cloud email services. Each of these suppliers processes charity data — and under UK GDPR, the charity, as data controller, remains responsible for ensuring those suppliers have appropriate security measures in place. When a widely used charity CRM platform suffers a breach, every charity using it is affected simultaneously — as happened in 2023 when a major charity software provider was ransomed.

A 2023 ransomware attack on a major charity software provider simultaneously affected over 200 UK charities — exposing the single-point-of-failure risk of shared charity IT infrastructure.

How Supply Chain Attacks Affect Charities

Charities are particularly exposed to supply chain attacks because many use the same small set of sector-specific software providers — charity CRM systems, online fundraising platforms, grant management systems, and case management software. When one of these providers is compromised, the impact cascades across the entire sector simultaneously. The 2023 attack on a major UK charity software provider demonstrated this: a single ransomware attack disrupted operations for hundreds of charities, exposing donor and beneficiary data across the sector. Charities had little warning and limited ability to assess the impact because they had not conducted security assessments of their suppliers.

Managing Supplier Security for Charities

Charities should apply proportionate supplier security management: create an inventory of all technology suppliers with access to charity data (CRM, case management, fundraising platform, payroll, email, cloud storage); tier them by risk (Tier 1: direct access to beneficiary or donor data, high volume; Tier 2: access to operational systems, limited data); require Cyber Essentials certification from Tier 1 suppliers; put a data processing agreement in place with every data processor; include breach notification obligations in all supplier contracts; and monitor for public news of supplier security incidents. This does not require large resources — a spreadsheet inventory, template DPAs, and a simple supplier questionnaire are sufficient for most charities. Kyanite Blue helps charities implement proportionate supplier security programmes.
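As an added illustration of the inventory-and-tiering step (example code, not from the original article or from Kyanite Blue): a small Python supplier register that applies the tiering rule above and lists, per supplier, which of the expected controls (Cyber Essentials for Tier 1, a DPA for every processor, a breach notification clause in every contract) is missing. The Tier 3 bucket for suppliers with neither data nor system access, and the sample suppliers, are assumptions.

```python
from dataclasses import dataclass

# Hypothetical supplier register for a charity's third-party risk process:
# inventory -> tier by risk -> check the controls expected for that tier.
# Supplier names and attributes below are constructed, not real organisations.

@dataclass
class Supplier:
    name: str
    service: str                    # e.g. "CRM", "payroll", "cloud storage"
    personal_data: bool             # direct access to donor/beneficiary data
    operational_access: bool        # access to operational systems
    processes_data: bool            # acts as a data processor under UK GDPR
    cyber_essentials: bool = False  # holds Cyber Essentials certification
    dpa_signed: bool = False        # data processing agreement in place
    breach_clause: bool = False     # breach notification obligation in contract

def tier(s: Supplier) -> int:
    """Tier 1: direct access to donor/beneficiary data. Tier 2: operational
    systems only. Tier 3 (assumed): no data or system access worth tracking."""
    if s.personal_data:
        return 1
    if s.operational_access:
        return 2
    return 3

def gaps(s: Supplier) -> list[str]:
    """Controls the process expects that this supplier is missing."""
    missing = []
    if tier(s) == 1 and not s.cyber_essentials:
        missing.append("Cyber Essentials certification (Tier 1 requirement)")
    if s.processes_data and not s.dpa_signed:
        missing.append("data processing agreement (required for all processors)")
    if not s.breach_clause:
        missing.append("breach notification obligation (required in all contracts)")
    return missing

def gap_report(suppliers: list[Supplier]) -> list[tuple[str, int, list[str]]]:
    """Suppliers with at least one missing control, highest-risk tier first."""
    rows = [(s.name, tier(s), gaps(s)) for s in suppliers]
    return sorted((r for r in rows if r[2]), key=lambda r: r[1])

# Constructed sample inventory.
INVENTORY = [
    Supplier("DonorCRM", "CRM", True, True, True, cyber_essentials=True, dpa_signed=True, breach_clause=True),
    Supplier("CaseTrack", "case management", True, True, True, dpa_signed=True),
    Supplier("PayCo", "payroll", True, False, True, cyber_essentials=True, breach_clause=True),
    Supplier("CloudFiles", "cloud storage", False, True, True, dpa_signed=True, breach_clause=True),
]

if __name__ == "__main__":
    for name, t, missing in gap_report(INVENTORY):
        print(f"Tier {t} {name}: " + "; ".join(missing))
```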
