Who'd Scam A Charity? | Why Non-Profits Are A Hub For Cyber Crime
16 August 2017 15:46
The popular myth that certain industries are immune from cyber attack is fading more and more these days. But many are still shocked that hospitals and charities can fall into the victim category. Why be surprised? They're low-hanging fruit for a hacker.
The Growing Threat
You might be sat there thinking “who in their right mind would ever want to scam a charity?” But when you consider that the UK charity sector is worth a staggering £70bn, and that 67% of the population is engaging in it, it starts to become clear why charities are becoming a big, big target for cyber criminals. Add to that the WannaCry attack that crippled the NHS earlier this year, and you’ll find that no mercy is shown in the world of cyber crime.
Just like the NHS, charities can hold a gold mine of valuable data from a number of stakeholders: donors, supporters, VIPs, fundraisers and volunteers -- they’re all at risk when a data breach occurs. The non-profit sector represented 19.5% of cyber attacks in 2015, which then took a huge leap up to 42.9% of non-profits being attacked in 2016.
But do the majority of charities even realise just how big of a target they have become? Are they putting the right barriers in place to stop successful attacks and breaches? Quite simply, they’re not doing enough.
The Weak Spots
Charities are targeted in the cyber world every day. The most common breaches or attacks last year were via fraudulent emails, with criminals coaxing staff into revealing passwords or financial information, or opening dangerous attachments – followed by viruses, malware and ransomware. Nearly half of UK organisations were targeted by these.
Many charities lack the cyber skills or awareness to deal with these threats. Only 14% of senior charity employees believe that their organisation is “very well prepared for cyber and data security breaches”. An underlying issue is whether enough charities are investing enough to increase security awareness and whether a post-cyber attack plan even exists.
Of course, a charity's piggy bank only stretches so far, but cyber attacks are now a matter of when, not if. And the costs of experiencing a breach are not something to brush under the carpet -- just ask the NHS. The average breach cost approx. £20,000 last year, with some rocketing into the millions.
What Can Be Done?
- While many charities can't afford the latest equipment and software, good technical support is important to ensure the security of IT systems. If in-house support is not possible, make arrangements with a third party to get the techies to be part of the team.
- Many vulnerabilities are exploited through software – operating systems, applications, even the anti-malware that should be protecting your systems. All this software must be kept current and up to date with the latest versions. Regular updates reduce the risk of someone exploiting a flaky old application to get access to precious data.
- Introduce a security awareness program to ensure that your users aren't going to open a door for a criminal. Education, testing and reporting are key to making sure your 'weakest link in the chain' turns into an effective human firewall.
- Swot up on relevant legislation and compliance. Charities need to ensure they meet all requirements, especially those with a security angle. Take a look at the Data Protection Act for a start.
- Information – like databases of supporters, clients, patients, or staff – is precious to any charity. All information, whether safely tucked away in the server room, or going walkabout on removable media such as a laptop or USB stick, must be kept safe. If it’s on the move, keep it encrypted with a strong password to protect the data should it fall into the wrong hands.
- Introduce a process for staff that raises awareness of the importance of securing information. And make it mandatory for staff to demonstrate their information security knowledge before they are let loose on systems.
- Despite best efforts, incidents will happen – data will be lost, equipment will fail, and hackers may compromise systems. It’s a good idea to have an incident response team, and a practised process in place to manage incidents should they occur.
- Striking a balance between liberty and lockdown is important. Don’t let everyone have access to all the charity’s data and IT systems. Ensure that the only people who can access the information are authorised and need to do so.