As we reach the end of 2017, we take a look back at some of the biggest lessons of the past year for charities and non-profit organisations when it comes to their cybersecurity, and set out our top tips on how to be better prepared in 2018. The bad news: penalties for organisations that fail to keep their sensitive data secure against cyber attacks have never been higher, and criminals have never been cleverer at getting at and using that data to their own ends. The good news is that peace of mind doesn’t have to cost the earth or draw away from a charity’s essential purpose.
The world of cybersecurity can seem complex, nagging and paranoia-filled. We are told to trust nothing and take every precaution, but for many charitable organisations working hard to make a difference on the front lines in their communities, cybersecurity can be relegated to a low priority. Unfortunately though, it’s not just big businesses and the largest charities with thousands of stakeholder records that are targeted by cyber criminals. The reality is that, according to crime statistics, just under half of all businesses in the UK were victims of malware, viruses and online fraudsters in the last twelve months, while the Office of National Statistics estimated that last year around one in ten UK citizens were victims of online fraud or cyber crime. Cyber attacks are real and they have a very real impact on business continuity. In May this year, the NHS saw the crippling effects of cyber crime on its services, as the WannaCry ransomware bug swept the globe – a virulent type of virus that makes data or systems unavailable until the victim pays a ransom. Although the virus was eventually halted by a security researcher, thousands of operations and appointments were cancelled, phones were down, staff were left without access to thousands of patient records, and patients in critical need were forced to travel further for accident and emergency services. The actual cost of the disruption to the NHS - including cancelled appointments, additional IT support, data restoration, staff working overtime to resolve problems - is not known. Overall, the attack infected around 230,000 computers in 150 countries worldwide, asking victims to pay between £288 and £477 or face having their data wiped. Ransomware including – but in no way limited to – WannaCry has dominated the world of security in 2017, with figures from global security firm Kaspersky showing that an organisation is hit with ransomware every 40 seconds on average, with new variants of the bug cropping up at an alarming rate. Tim Cockle, head of digital strategy at non-profit digital consultant Eduserv, has advised many CEOs of middle sized charities, who have said cybersecurity is high on their risk registers. With the stricter rules under data protection under GDPR (General Data Protection Regulation) coming into force in 2018, this is hardly surprising, as organisations risk fines of up to 4% of their annual turnover for a breach of personal data. But even more crucially: “It’s the single thing that can stop a charitable organisation’s services,” says Cockle. “Previously it could have been a bomb or a gas explosion or something similarly dramatic, that takes out a building or stops services. Those things are quite unlikely. Actually, a cyber attack can cripple your operations and services, but the likeliness is actually not so remote, it’s going on all the time, so how can it not be on your risk register?”
If cyber crime statistics are anything to go by, it’s a digital wild west out there. But a recent report from the National Audit Office (NAO) said that the NHS could have avoided being a victim of the WannaCry outbreak with relatively basic security checks in place, as the attack itself did not use sophisticated technology. This shows the difference that just getting the basics in place can make.
cybersecurity can encompass many areas, and those that are aware of the implications of an attack may not know what support is available to them or where to start. A government study of UK charities this year revealed that there is very low awareness among charities about where to get trustworthy information. However there are plenty of helpful resources out there for those willing to be proactive. The Government’s Cyber Essential Scheme, for example, is a good introduction to cybersecurity fundamentals, applicable to all sorts of organisations looking to protect themselves against the most common cyber attacks. It costs to get accredited under the scheme, but it is a far smaller commitment than GDPR compliance, and anyone can read the information and align themselves with the basic principles, with a checklist of simple steps to take. The National cybersecurity Centre’s 10 Steps to cybersecurity is also a good place to start, and there is now an accompanying video library featuring guidance on how small organisations can boost their cyber resilience. Many of the fixes are simple and straightforward enough to seem like common sense, but many organisations don’t practice them. These include having basic protections in place such as enabling firewalls and malware protection on your organisation’s browsers, and enabling system restore to back up your system to its previous state so your data will be safe should the worst happen. And of course, protecting everything with strong passwords (our guide to password management for charities has some pointers in this area). With these basics under their belt, most organisations will have a safe foundation in place. This way, charities can spend less of their limited time and resources firefighting problems, and more time furthering their cause. However, there a few practical steps that charities in particular should prioritise if they want to lay the foundations of good security resilience. These three tasks should be the top of any charity’s cybersecurity checklist in 2018.
Legacy systems and outdated software might still be ticking along in an organisation, but they could represent a significant hole in its data security. Cyber criminals are evolving their technologies and methods all the time, so software that was safe from meddling hands a few years ago may not be equipped against today’s threats. The older the technology, the longer criminals have had to learn its weaknesses. For this reason, charities are often attractive to cyber criminals. Antivirus or security software relies on being kept updated to do its job, but this equally applies to all software. Microsoft Office 2003, for example, reached end of life support back in April 2014, meaning that Microsoft has long since ended critical security updates. Productivity software may seem unrelated to security, but it can open up vulnerabilities in a whole network. Relying on old technology can mean more time spent maintaining it and firefighting problems, which, while may not be a security issue can impact an organisation’s ability to operate efficiently, and even its bottom line. The cost of replacing old software may seem prohibitive for those with limited budgets, but it’s important for them to evaluate whether doing nothing about it could cost their organisation in the long run. A good first step would be to assess what’s being used and ensure updates are switched on, documenting everything and how often it needs upgrading. Next, by registering their charity on the Charity Digital Exchange donation programme eligible organisations can gain access to the latest software at a heavy discount (charities only pay an admin fee). This includes versions of the newest security programmes from popular vendors such as Bitdefender and Symantec, but there is an extensive catalogue to choose from of business-related apps and services.
For those organisations still running outdated operating systems on their machines, the security risks can be even bigger. The Microsoft Windows security lifecycle means that old versions of Windows are gradually ‘phased out’ when new ones arrive every few years. After this time period has passed, the company stops sending out security updates, potentially leaving the system open to attacks which Microsoft can no longer fix. For computers running Windows 8, Microsoft ended support for this operating system in January 2016, when the last batch of security patches were delivered. Windows 8.1 has been recently added as a service pack to ensure that the system is covered until 2023, but the pack needs to be installed in order for the system to be protected.
Windows 7 is a similar story, and will remain protected until 2020 with the right updates installed. These systems have entered what’s called ‘extended support’, where Microsoft will continue to patch any security vulnerabilities for a period of time, but won’t add new features. Windows Vista’s extended support ended in April 2017, and Windows XP has been unsupported, and therefor exposed to attackers, for over two years. Microsoft issued an emergency patch to protect its XP operating system against WannaCry this year, but it’s unclear how much of a difference the patch actually made. When Windows 10 came out, Microsoft promoted the system as the ’last version of Windows’, meaning there won’t be a Windows 11 or 12. Instead, the company wants to keep rolling out newer versions, so you may never have to pay for Windows again. It’s possible this could change, but for now Microsoft is adamant it will be the last. Microsoft will continue to keep it updated with security patches. The safest bet for the long term is to upgrade to Windows 10. Research from security firm Kryptos – the company employing the researcher who triggered the ‘kill switch’ on WannaCry – shows that China was, by a long way, the country worst hit by the ransomware. Experts think this is because of the low adoption rates of Windows 10, together with insecure firewall technology. For those organisations that may be unable to upgrade because they have pirated, free, Home or basic editions of Windows, they can request an upgrade license through the Charity Digital Exchange software upgrade programme. And where it may not be possible or practical to upgrade due to compatibility with old hardware or other legacy systems, there are some ways of manage the risks of unsupported platforms. This guidance for NHS IT departments may have some helpful tips. At the very least, it’s time to ensure data is backed up or moved to the cloud.
With many charities relying on a shifting team of volunteers or remote workers, it’s inevitable that BYOD (Bring Your Own Device) has taken off in the sector. Organisations of every ilk have been able to take advantage of mobile technologies despite limited budgets, by allowing people to use their own kit and become more productive and efficient without the charity having to spend a pound on devices or their upkeep.
This might seem a like a win-win, but with organisations carrying sensitive data on their donors and beneficiaries, BYOD can be a risky mix. Information can be taken anywhere and it’s far harder to control who is accessing it or whether or not it has fallen into unsafe hands. One sensible option is to provide support for certain business-friendly apps like Office 365 and Salesforce.com which allow people to more securely access their information from any device. Discounted subscriptions for charities can be found on Charity Digital Exchange. Controlling access rights and permissions are also an essential part of keeping data secure on cloud software accessed from any device. This gives IT some degree of control over who has access to what data. A good first step would be to check what privileges each software account has and ensure everyone has only the access they need. Accounts with administrative privileges should only be used to perform admin tasks and given to those that need them, as browsing the web or checking email from an admin account could leave them open to attack. Transport for London reported that a staggering 1078 laptops were found in lost property in 2016, having been left on buses or trains. Across the UK in 2017, figures from the annual Crime Survey of England and Wales show that almost half a million people (446,000) had their mobile phones stolen last year, from public transport, pubs and restaurants or from work. It’s important to account for when a device is lost or stolen - data can easily fall into the wrong hands without a remote wipe function or a way of removing access to the account. BYOD also represents a particular danger when staff leave an organisation, in ensuring important data doesn’t walk out with them. Thankfully, apps such as Office 365 have a good level of control to manage the process of people leaving, including measures such as disabling access after they leave, remotely wiping files and diverting incoming emails. After a recent report into VSA (Victims Services Alliance) organisations on their handling of personal information, the ICO (Information Commissioner’s Office) found a few areas that were sorely lacking, and recommends that charitable organisations have a formal home and remote working policy to ensure all information is kept safe outside of the office. It recommends that charities draw up a set of guidelines around their use of data and remote devices, and share this with all staff and volunteers. This policy should include basic measures such as ensuring devices used for the organisation’s purposes, even if they belong to a staff member or volunteer, having antivirus installed to protect them from malware, and password protection. Ultimately good cybersecurity is as much about people management as it is technology solutions, and having a clear set of guidelines in place makes it easy for each individual to do the right thing.