Cyber crime continues to be a huge problem for individuals, businesses, and charities around the world, costing them over £4 trillion annually. To put that in perspective, if cyber crime were a country, it would be the third biggest global economy after the USA and China.
Since the pandemic struck at the beginning of 2020, many cyber criminals have changed the way that they operate. That’s because the change in working practices, such as the move to home working, has presented many security vulnerabilities that these criminals have been quick to exploit.
In 2022, the cybersecurity landscape will continue to evolve as many organisations return to pre-pandemic work practices, while still retaining some of the flexible working arrangements they adopted in 2020.
That means it’s important to understand what the top cyber security risks of 2022 are likely to be, and what your charity can do to mitigate these risks.
Phishing is a huge cyber security problem. More than 75% of targeted cyberattacks start with someone at an organisation opening a malicious email.
What’s changed over the last 18 months is that many employees working from home have become used to using applications running in the cloud – known as software-as-a-service or SaaS apps – instead of programs running on their charity’s own computers. Many of these SaaS apps contain confidential data about service users or donors.
SaaS apps can be accessed by anyone who has the appropriate logon credentials such as a password, so employees should be wary of “conversation hijacking” attacks. That’s when a cyber criminal poses as a fellow employee and engages in an email conversation. After a while the criminal invents some pretext to ask for the victim’s SaaS app login credentials.
The after-effects of the pandemic, such as the shift towards hybrid working environments, make it much more likely that these attacks will succeed because employees have become used to interacting with colleagues over email, when previously they may have talked in person.
How your charity can protect itself: The best way to provide extra security for password-protected accounts (such as SaaS app accounts) is to activate two-factor authentication. This ensures that a cyber criminal cannot access an account even if they manage to get hold of the password.
Ransomware is a cyber security problem that just won’t go away. The first half of 2021 saw a 102% increase in ransomware attacks compared to the beginning of 2020, so it’s a security problem that’s only getting more prevalent.
To make matters worse, ransomware groups are increasingly adopting an even more troubling approach to their criminal activities: doubling down on the threat that they pose. Not only do they encrypt their victims’ data and demand a ransom payment to regain access to it, but now they often add extra pressure by threatening to publish all the data online if the ransom is not paid.
That means that a data loss incident becomes a data breach incident as well. Some cyber criminals also threaten cyber attacks on victims’ suppliers and customers to put them under even more pressure to pay the ransom.
How your charity can protect itself: Ensuring you take regular backups of your data can help mitigate the risk of losing data in a ransomware attack. However, a backup will not protect your charity if cyber criminals publish your data online. It is essential to run good endpoint protection software to try to prevent ransomware from getting on to your systems in the first place.
There’s nothing illegal about cryptocurrencies such as Bitcoin, but there’s no doubt that Bitcoin has been a boon for cyber criminals for making illicit payments and receiving the proceeds of ransomware attacks. The Social Science Research Network (SSRN) estimated that more than £50 billion of illegal activity involved Bitcoin back in 2018, and this number is likely to be substantially higher today.
A single Bitcoin is also worth substantially more today than it was in 2018, so it’s likely that there will be a rise in malware that silently installs Bitcoin mining software onto victims’ computers. This software hijacks the computer’s processing power and puts it to work to generate Bitcoins, consuming electricity and slowing down the computer as it does so.
Once the Bitcoin mining software is running on the computer, it may also install other malware such as keyloggers to try to steal passwords and other confidential data.
How your charity can protect itself: As with ransomware, the best protection against this type of software is to ensure that you have good endpoint protection in place. Staff should also be educated not to download software from untrusted sources, or to download any non-job-related software onto any computers that they bring to work.
Most office environments have better cyber security measures in place than people have in their homes. That’s not particularly surprising, as there’s usually more for cyber criminals to steal in offices than in homes. And that may explain why more than half of all consumers have experienced a cyber crime, with about one in three falling victim in the past year alone.
As charity workers return to the office in 2022, cyber criminals will target individuals’ laptops and mobile devices with malware which can then infect office computer systems. There is likely to be a rise in mobile apps which contain hidden malware and can go on to infect office systems when the mobile device is brought into the office and connected to the network.
How your charity can protect itself: Charity employees should be educated to be very careful about the software they download onto mobile devices. Phones that have been rooted or jailbroken by their owners are insecure and should not be allowed onto your charity’s network. Overall mobile device security can be increased by using a mobile device management system.
Cyber criminals were quick to exploit the pandemic by using it as a pretext for phishing emails, fake apps, and intriguing links to malicious websites. One quarter of all employees have noticed an increase in fraudulent emails, spam, and phishing attempts in their corporate inbox since the beginning of COVID-19.
As 2022 progresses, there are bound to be more COVID-19-related developments around the world – new variants, new vaccine news, and offers of booster shots, for example. Cyber criminals will be eager to exploit these developments to continue to trick charity employees into downloading malicious software or providing confidential information that can be used to break into charity computer systems.
How your charity can protect itself: The best way to defend against these types of attacks is to raise awareness of the risks and to help staff spot suspicious emails and apps through security training programs. It is important that these programs are continually revisited rather than being one-off box-ticking exercises.