The charity sector is big business. In the UK, it is estimated that over £5 billion was donated to charities in 2020. This is extremely positive news, with many playing their part in trying to help those less fortunate. But when you consider that large sums of money are being processed in this sector, along with personal and sensitive information, it is a highly lucrative target for cyber attackers. Yet, according to recent research by the Charity Commission, only just over half (58%) of charities think cybercrime is a risk.
About the author
Bindu Sundaresan is Director for AT&T Cybersecurity.
This is a surprising stance by nearly half of the charity industry, especially when a third of charities suffered a cyber-attack during the coronavirus pandemic. With downtime not being an option for these organizations’ critical services, decision-makers within the charity sector must take a proactive approach to cybersecurity. The potential impact of a data breach – damage to reputation, financial and data loss, loss of productivity in serving those in need – is too big to ignore.
There are some common cyber threats to consider:
To prepare for cyber-attacks, organizations in the charity sector need to understand the most common cyber threats, starting with phishing. Hackers will do their best to trick unsuspecting users into interacting with a fake website or downloading malware that can steal sensitive information or money. Phishing campaigns are typically conducted via email, but in recent times SMS phishing (or smishing) has become popular. These campaigns can be difficult to spot as they use very similar wording and branding to the company they are trying to mimic. While phishing attacks are common throughout the year, hackers are opportunistic and will look for high-profile events or disasters to increase their attacks. For instance, when relief was being set up for the Grenfell Tower disaster victims, scammers were targeting well-wishers with unsolicited messages carrying fake charity appeals. Remember, cybercriminals have no remorse about who their victims are; they play on the naivety of human behavior.
Insider threats are another common security issue that all organizations need to prevent. It doesn’t take a mastermind hacker exploiting a vulnerability to gain access to charity computer systems. Instead, an ‘insider’ attack requires only an employee or staff member to hand over passwords or access to the organization’s systems and data to the hacker. Given that research findings estimate that the risk of insider data breaches is set to increase by nearly 10% in 2021, charities must remain vigilant about who has access and privileges to which systems.
Issues in the cloud
With the pandemic forcing the majority of the workforce to work from home, those within the charity sector were similarly impacted. This forced many to adopt digital transformation technologies such as the cloud. By utilizing the cloud to power applications and store data online, it meant most could continue to work from home with minimal disruption. Cyber criminals were aware of this and quickly began exploiting weaknesses and vulnerabilities within the cloud. Indeed, there has been a 630% rise in cloud-based attacks since 2020.
Getting on the security track
To help avoid common cybersecurity threats from impacting your charity, make cybersecurity a priority by getting everyone involved, and document your plan and processes. Greater awareness can go a long way in protecting the data of your non-profit organization. Semi-annual phishing simulation tests help measure the effectiveness of security awareness training. Maintain an accurate data inventory and focus on information protection beyond just the checklist of compliance requirements.
Furthermore, follow foundational security measures. While consistently updating operating systems (OS) comes first in running safe databases and sites, hardening systems using a VPN, antivirus, and firewall is equally crucial, as it makes systems more resistant to attacks. A security assessment can identify vulnerable points so that they can be acted on appropriately. At the same time, deploy a tool or service that supports the email management system in preventing ransomware from being delivered via phishing. Continually conduct patch management, because ransomware exploits known openings in common software, such as productivity applications, and in infected websites. Keep software up to date and continue to apply updates; software is constantly being patched. In addition to this, implement anti-malware tools across the business to proactively scan for malware and prevent it from being installed on systems.
Lastly, evaluate the backup processes that are in place. Adopting a 3-2-1 backup strategy can help protect company assets using diversified backup methods:
- Keep 3 copies of data: retain the original data copy along with at least two backups in case one or more get lost.
- Use 2 different storage types: diversifying storage devices can help protect a company in the event of data failure. For example, if data is stored on an internal hard drive, use a secondary device such as an external drive or cloud source.
- Keep 1 copy of data offsite: retaining two or more copies at the same location can be disastrous in the event of a natural disaster. Storing one copy offsite is a reliable protection strategy.
Here are some additional key rules charities should follow regarding the backup process:
- Can the organization recover from total data loss? Attackers will attempt to find any backups and delete or encrypt them.
- Backups need to be offline to prevent them from being compromised at the same time as the live systems.
- A good backup strategy is to run full daily backups of the “crown jewels” (business-critical systems) and incremental backups of less valuable systems.
- Also important during the recovery phase is restoring backups efficiently. Having to learn the nuances of restoring backups for the first time during an active incident greatly increases recovery time.
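As an added example (not part of the article, and not AT&T's tooling), the following Python script checks a constructed backup inventory against the 3-2-1 rule and the backup rules listed above: number of copies, distinct media types, an offsite copy, an offline copy, a full backup for crown-jewel systems, and whether a restore has been rehearsed recently. The field names, the sample assets and the 180-day rehearsal threshold are assumptions chosen for the illustration.

```python
"""Check a backup inventory against the 3-2-1 rule and the offline/tiering
guidance above. Added example; the inventory, field names and thresholds are
assumptions, not a real charity's data or a vendor tool."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    asset: str       # system or dataset this copy protects
    location: str    # site holding the copy, e.g. "hq-server-room"
    media: str       # storage type: "internal-disk", "external-drive", "cloud", "tape"
    offsite: bool    # held at a different site from the primary copy
    offline: bool    # disconnected or immutable: not reachable from the production network
    mode: str        # "primary" (the live data), "full" or "incremental"


# Constructed sample inventory: "donor-db" is a crown-jewel system,
# "newsletter-archive" is a lower-value system with a weak backup setup.
INVENTORY = [
    BackupCopy("donor-db", "hq-server-room", "internal-disk", False, False, "primary"),
    BackupCopy("donor-db", "hq-server-room", "external-drive", False, True, "full"),
    BackupCopy("donor-db", "cloud-region-b", "cloud", True, True, "full"),
    BackupCopy("newsletter-archive", "hq-server-room", "internal-disk", False, False, "primary"),
    BackupCopy("newsletter-archive", "hq-server-room", "internal-disk", False, False, "incremental"),
]

CROWN_JEWELS = {"donor-db"}                      # assumption: business-critical systems
RESTORE_REHEARSAL_MAX_DAYS = 180                 # assumption: rehearse a restore at least twice a year
LAST_RESTORE_TEST_DAYS = {"donor-db": 45}        # constructed: days since the last rehearsed restore


def evaluate_asset(asset, inventory, days_since_restore_test=None):
    """Return a list of findings for one asset; an empty list means compliant."""
    findings = []
    copies = [c for c in inventory if c.asset == asset]
    backups = [c for c in copies if c.mode != "primary"]

    # 3 copies: the original plus at least two backups
    if len(copies) < 3:
        findings.append(f"{asset}: only {len(copies)} copies, need 3 (original + 2 backups)")

    # 2 media types across all copies
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"{asset}: all copies on one media type ({', '.join(sorted(media))})")

    # 1 copy offsite, so a single-site disaster does not take every copy
    if not any(c.offsite for c in backups):
        findings.append(f"{asset}: no offsite backup copy")

    # At least one offline backup, so it cannot be deleted or encrypted with the live systems
    if not any(c.offline for c in backups):
        findings.append(f"{asset}: no offline backup copy")

    # Tiering: crown-jewel systems need full backups, not just incrementals
    if asset in CROWN_JEWELS and not any(c.mode == "full" for c in backups):
        findings.append(f"{asset}: crown-jewel asset has no full backup")

    # Restores must be rehearsed before an incident, not learned during one
    if days_since_restore_test is None or days_since_restore_test > RESTORE_REHEARSAL_MAX_DAYS:
        findings.append(f"{asset}: restore not rehearsed in the last {RESTORE_REHEARSAL_MAX_DAYS} days")

    return findings


def evaluate_inventory(inventory):
    """Map every asset in the inventory to its findings."""
    assets = sorted({c.asset for c in inventory})
    return {a: evaluate_asset(a, inventory, LAST_RESTORE_TEST_DAYS.get(a)) for a in assets}


if __name__ == "__main__":
    for asset, findings in evaluate_inventory(INVENTORY).items():
        print(f"[{'OK' if not findings else 'GAPS'}] {asset}")
        for finding in findings:
            print("   -", finding)
```

Running the script reports the donor database as compliant and lists every gap for the newsletter archive; in practice the inventory would be generated from the data inventory the article recommends maintaining, and the script run on a schedule so that a backup that silently drops offline or offsite status shows up before it is needed.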
If understanding the security posture is proving difficult, it is advisable for charitable organizations to seek external consultation to better assess their security gaps. We have reached a point where cybersecurity can no longer be downplayed by the charity sector, especially with the Charity Commission recently revealing that cybercriminals have stolen over £3.5m from charities over the past 12 months. Cyberattacks are becoming more prevalent and, as a result, charities must take a proactive approach to cybersecurity by allocating the necessary resources to protect systems.