UK charities spend nearly £80 billion a year and hold financial and personal information that cybercriminals increasingly target, with some larger charities experiencing several thousand attempted cyber-attacks every week. Yet, according to the Charity Commission, only just over half (58%) of charities think cybercrime is a risk to the sector.
Suffering a data breach is serious for any organisation. Yet for charities, whose success is built upon their reputations and the goodwill of supporters, the loss of any sensitive information or fraud through phishing attempts can be devastating.
CPO Magazine sat down with Jeremy Hendy, CEO at Skurio to discuss the damage that cyberattacks can have on charities and how to mitigate digital risk. Jeremy has more than 30 years’ experience in high technology industries, working at companies including Texas Instruments, Symbionics and Cadence.
Why is the charity sector a target for cybercriminals?
Cybercriminals are targeting charities to make money. They can do this by stealing funds directly or encrypting key assets and demanding a ransom to unlock them, but cybercriminals are more likely to target personally identifiable information (PII) to generate cash. And it’s no wonder, as charities can hold data on potentially millions of people.
The stolen PII of donors can be used by cybercriminals to take money directly from their bank accounts or in phishing campaigns that imitate the charity to request more funds. These campaigns can produce results for cybercriminals skilled in manipulation and social engineering, as donors feel they have a connection with the charity and want to help if possible. To make the scam more convincing, the email will look almost identical to the real deal, right down to the domain name. With ‘typo squatting’, criminals use domain names similar to the charity’s to fool donors; for example, instead of anycharity.org.uk they might use anycharity.com.
If the cybercriminal manages to steal the credentials of someone working for a charity, they could use them to take over their email account and send out scam messages directly. Again, this information is often stolen via a phishing attack, which more than eight out of 10 charities have said their staff have experienced.
Finally, if the cybercriminal wants to make a quick profit, they might sell the information either on the open or Dark Web.
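The lookalike-domain trick described in the answer above can be checked mechanically. The following is an added example written for this page, not code from the interview or from Skurio: anycharity.org.uk is the domain used in the answer, while the suffix tables, the homoglyph table and the sample sender addresses are assumptions. It goes beyond the single TLD swap in the answer (anycharity.com) to the other edits defenders usually enumerate: omitted, transposed, doubled and look-alike characters, inserted hyphens, appended words, and the real brand embedded in an unrelated domain.

```python
"""Enumerate lookalike domains for a charity and classify an e-mail sender.

Added example for the 'typo squatting' point above; anycharity.org.uk is the
domain from the interview, everything else (suffix tables, homoglyph table,
sample addresses) is constructed for this illustration.
"""

LEGIT_DOMAIN = "anycharity.org.uk"

# Assumption: a short public-suffix table. A real tool would load the Public
# Suffix List so that 'org.uk' is split correctly from 'anycharity'.
PUBLIC_SUFFIXES = ("org.uk", "co.uk", "ac.uk", "com", "org", "net", "uk")

# Assumption: suffixes an impersonator is likely to register instead.
ALT_SUFFIXES = ("com", "org", "net", "co.uk", "uk")

# Assumption: ASCII characters readers confuse at a glance.
HOMOGLYPHS = {"l": "1", "i": "l", "o": "0", "m": "rn", "a": "e"}


def split_domain(domain: str) -> tuple:
    """Return (registrable label, public suffix), dropping any subdomains."""
    domain = domain.lower().rstrip(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if domain.endswith("." + suffix):
            label = domain[: -len(suffix) - 1]
            return label.rsplit(".", 1)[-1], suffix
    raise ValueError(f"unrecognised public suffix in {domain!r}")


def typosquat_candidates(domain: str) -> set:
    """Lookalikes an attacker might register for `domain`."""
    label, suffix = split_domain(domain)
    labels = set()
    # Character omitted: anycharty
    labels |= {label[:i] + label[i + 1:] for i in range(len(label))}
    # Adjacent characters transposed: anychraity
    labels |= {label[:i] + label[i + 1] + label[i] + label[i + 2:]
               for i in range(len(label) - 1)}
    # Character doubled: anycharrity
    labels |= {label[:i] + label[i] + label[i:] for i in range(len(label))}
    # Look-alike character substituted: anycharlty
    labels |= {label.replace(src, dst, 1) for src, dst in HOMOGLYPHS.items()
               if src in label}
    # Hyphen inserted or a plausible word appended: any-charity, anycharity-donate
    labels |= {label[:i] + "-" + label[i:] for i in range(1, len(label))}
    labels |= {label + "-donate", label + "-uk", "donate-" + label}
    labels.discard(label)

    # The real label under a different suffix, plus every edited label under
    # the real suffix and the alternates.
    cands = {f"{label}.{s}" for s in ALT_SUFFIXES if s != suffix}
    for lab in labels:
        cands.add(f"{lab}.{suffix}")
        cands.update(f"{lab}.{s}" for s in ALT_SUFFIXES if s != suffix)
    return cands


def classify_sender(address: str, legit: str = LEGIT_DOMAIN) -> str:
    """'legitimate', 'lookalike' or 'unrelated' for an e-mail address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain == legit or domain.endswith("." + legit):
        return "legitimate"
    legit_label, _ = split_domain(legit)
    # Either a generated variant, or the brand embedded in some other domain
    # (e.g. anycharity.org.uk.example.com or secure-anycharity.com).
    if domain in typosquat_candidates(legit) or legit_label in domain:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for addr in ("donations@anycharity.org.uk", "donations@anycharity.com",
                 "appeals@anycharlty.org.uk",
                 "gifts@anycharity.org.uk.example.com", "news@example.com"):
        print(f"{addr:45} {classify_sender(addr)}")
```

The candidate set is the useful artefact: a charity can feed it to a certificate-transparency or newly-registered-domain watch so it learns when a lookalike is registered, rather than waiting for donors to report the scam. The substring check in `classify_sender` is deliberately broad; in a mail filter it would be a scoring signal, not an automatic block.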
What are the specific threats that charitable organisations face?
One of the biggest threats is the exploitation of third-party providers. Charities outsource internal processes for the day-to-day running of their organisation ranging from data storage and software as a service, through to accountancy and human resources. However, this means that confidential data is stored or processed outside the charity’s own IT network.
When one of these third parties is breached, the charity’s data is at risk too. A recent example is the ransomware attack against cloud provider Blackbaud uncovered in May. According to the Information Commissioner’s Office, as of 30th July 125 organisations, including charities and universities, had reported potential data breaches as a result of the attack.
Unfortunately, there is a long tail to any data breach and once credentials have been stolen, cybercriminals can use names and email addresses at any point in the future unless a charity knows what has been stolen and has taken steps to mitigate risk.
The cost of a data breach includes reputational damage as well as direct financial loss. Charities exist through the goodwill of their supporters and if their view of the organisation is tarnished, it could mean donors will be reluctant to make future contributions.
What are the security challenges for the sector?
Charities are scrutinised about how they spend their money by donors, regulators and the media. This scrutiny can be focused on how much an organisation spends on areas that do not go directly to the front line. Charities are justifiably conscious about where their money goes. Clearly, they want to spend as much of it as possible on meeting their aims, yet, funds need to be allocated to back office functions.
With cyber threats on the rise, it’s more important than ever that charities allocate resources towards effective cybersecurity strategies to help protect their data. Investment in this area has wider benefits: getting the right processes and tools and instilling a culture of cyber awareness means data can be protected more efficiently. And this means more time can be spent on the organisation’s core mission.
What can be done to help the sector mitigate the cyber risks that it faces?
There are several steps charities can take to help limit the threat from cybercriminals, many of which can be done for free or little cost. These include awareness training, updating and patching apps and OSs, using firewalls, anti-virus, and multi-factor authentication on application access as well as enforcing good password policies, ideally with a password management tool.
Aside from good security hygiene, charities might wish to consider automated monitoring of the internet to detect if they have been, or are likely to be, victims of a cyberattack. The ability to scour the surface, deep and Dark Web for cybercriminal chatter about a particular organisation could indicate that an attack is imminent.
Also, the ability to identify any stolen or leaked data being shared or traded on the Dark Web is important. With millions of credentials available for sale online, identifying a specific data set can prove challenging. Fortunately, this issue can be resolved through the use of watermarking, where a fabricated, unique set of credentials is inserted into genuine data. As these credentials will not appear anywhere else, if they are part of a stolen data set for sale online, the charity will be able to say for certain that it is theirs.
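The watermarking approach in the final answer can be made concrete. The following is an added example written for this page; it is not Skurio's tooling or the interviewee's method, and the field names, name tables, canary mail domain, sample supporter rows and the HMAC-based derivation are all assumptions. It also goes one step further than the answer: because the third-party risk discussed earlier means the same export is often handed to several suppliers, each recipient gets canaries derived from its own identifier, so a dump found online can be traced to the copy it came from.

```python
"""Watermark a supporter export with canary records and trace a leaked dump.

Added example for the watermarking point above; not Skurio's tooling or the
interviewee's method. Field names, name tables, canary mail domain, sample
supporters and the HMAC-based derivation are assumptions.
"""
import csv
import hashlib
import hmac
import io
import secrets

# Constructed secret. In practice it lives in a vault and never travels with the
# data: whoever holds it can regenerate and recognise the canaries, nobody else.
CANARY_KEY = secrets.token_bytes(32)
# Assumption: a mail domain the charity controls, so any message delivered to a
# canary address is itself evidence that the leaked data is being used.
CANARY_DOMAIN = "supporter-mail.example"

FIRST = ("Amelia", "Oliver", "Isla", "George", "Freya", "Noah", "Ava", "Leo")
LAST = ("Patel", "Hughes", "Murray", "Okafor", "Walsh", "Baines", "Khan", "Reid")
FIELDS = ("name", "email", "postcode", "last_gift_gbp")


def _prf(key: bytes, label: str) -> bytes:
    return hmac.new(key, label.encode(), hashlib.sha256).digest()


def canary_row(key: bytes, dataset_id: str, index: int) -> dict:
    """Derive one plausible but fabricated supporter row.

    Deterministic in (key, dataset_id, index) so it can be regenerated when a
    dump is checked, yet unguessable without the key, so it cannot occur in
    anyone else's data by accident.
    """
    d = _prf(key, f"{dataset_id}:row:{index}")
    first, last = FIRST[d[0] % len(FIRST)], LAST[d[1] % len(LAST)]
    tag = d[2:6].hex()  # keeps every canary address unique
    area = "BLMNSW"[d[6] % 6] + str(d[7] % 20 + 1)
    unit = f"{d[8] % 10}{'ABDEFGHJ'[d[9] % 8]}{'LNPQRSTU'[d[10] % 8]}"
    return {
        "name": f"{first} {last}",
        "email": f"{first.lower()}.{last.lower()}.{tag}@{CANARY_DOMAIN}",
        "postcode": f"{area} {unit}",
        "last_gift_gbp": str(5 + d[11] % 96),
    }


def watermark(rows: list, key: bytes, dataset_id: str, n: int = 3) -> list:
    """Copy `rows` with `n` canaries inserted at key-derived positions.

    Give each recipient (CRM vendor, mailing house, ...) its own dataset_id so
    a later leak can be traced to the copy it came from.
    """
    out = list(rows)
    for i in range(n):
        pos = int.from_bytes(_prf(key, f"{dataset_id}:pos:{i}")[:4], "big")
        out.insert(pos % (len(out) + 1), canary_row(key, dataset_id, i))
    return out


def identify_leak(leaked_csv: str, key: bytes, dataset_ids: list, n: int = 3) -> dict:
    """Map each dataset_id whose canaries appear in the dump to its hit count.

    Dumps sold online are often reformatted, so only an e-mail column is
    required; the header is matched loosely and values are normalised.
    """
    reader = csv.DictReader(io.StringIO(leaked_csv))
    email_col = next((c for c in reader.fieldnames or () if "mail" in c.lower()), None)
    if email_col is None:
        return {}
    leaked = {(r[email_col] or "").strip().lower() for r in reader}
    hits = {}
    for ds in dataset_ids:
        expected = {canary_row(key, ds, i)["email"] for i in range(n)}
        matched = len(expected & leaked)
        if matched:
            hits[ds] = matched
    return hits


def to_csv(rows: list) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample export (not real supporters).
SUPPORTERS = [
    {"name": "Jane Doe", "email": "jane.doe@example.com", "postcode": "EC1A 1BB", "last_gift_gbp": "25"},
    {"name": "Sam Lee", "email": "sam.lee@example.net", "postcode": "M1 1AE", "last_gift_gbp": "10"},
    {"name": "Priya Shah", "email": "priya.shah@example.org", "postcode": "B33 8TH", "last_gift_gbp": "50"},
]
RECIPIENTS = ("crm-vendor", "mailing-house")


def demo() -> dict:
    """Hand each recipient its own copy, then trace a dump of one of them."""
    copies = {ds: watermark(SUPPORTERS, CANARY_KEY, ds) for ds in RECIPIENTS}
    dump = to_csv(copies["mailing-house"][::-1])  # attacker reversed the rows
    return identify_leak(dump, CANARY_KEY, list(RECIPIENTS))


if __name__ == "__main__":
    print(demo())  # {'mailing-house': 3}
```

Two design points matter in practice. The canaries must be indistinguishable from real rows to anyone without the key, which is why they are derived from a keyed PRF rather than labelled or appended at the end; and the key must never be stored alongside the export, or the party that leaked the data could also strip the markers. Mail arriving at the canary addresses is a second, independent signal that the data is in circulation.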