Cyber security: you're not as protected as you think

Understanding the risks

Charities are an appealing target for cyber criminals.

There are a number of reasons for this. For one, charities handle two valuable assets: money and personal data. Corporate businesses handle these too, but they are more likely to invest in cyber security technology, or to have more stringent processes in place. Therefore, charities are viewed as a soft target.

This is exacerbated by the nature of charity work. People get into charity work to do good things, and they expect this good in others. Many charity workers will adopt a trusting attitude in their daily working interactions, and may not subject requests for information to the same degree of scrutiny as someone working in a corporate organisation.

“Charities in England and Wales spend nearly £80 billion of valuable funds per year. They hold financial and personal information that cyber criminals increasingly target, though there’s no definitive estimate of the scale of cybercrime facing the sector.

Some larger charities believe they experience several thousand attempted cyber-attacks every week. Encouragingly, most are prevented by the application of robust defences, such as up-to-date software patching and firewalls, combined with the vigilance of charity staff.”

 

 

-   2019 Government Report on Charity Cyber Crime

Proper security processes are key to maintaining supporter trust. All organisations (whether operated for profit or not) cannot function without the trust of the people they work with. But the pressure to maintain this trust weighs more heavily on charities than businesses.

This is because donating to a charity is a personal decision, for which the donor will probably have personal motives. If their information security is compromised, this trust is undermined, and they are far less likely to donate in the future.

The fallout of a cyber attack could include the loss of this trust, or some other impediment to continuing the organisation’s work, such as vital operational data being locked down by ransomware, or much-needed funds unavailable because of suspicious or fraudulent transactions.

Understanding the rewards
 

There is an understandable reluctance among charities to talk openly about cyber security. There may be a belief that to do so would invite attack. But taking the right precautions to keep your organisation and supporters safe is more likely to deter criminals and fraudsters.

In fact, public investment in cyber security can be a major selling point. When people give to charity, they want transparency. Donors want to know how the money will be spent, and they will feel strongly if they perceive that their money is not being used how they intended.

An investment in cyber security can also help you to mitigate risks when they do occur. Charities with automated risk monitoring will be more likely to become aware of a cyber breach or attack at an early stage – meaning that they will be in a better position to address and contain the attack before its impact becomes severe.

Automated risk monitoring solutions make catching cyber attacks a far more likely prospect. A 2019 government survey into charity cyber crime found that most attacks are discovered through internal control arrangements, with almost a third (30%) identified by internal IT controls and over a quarter (26%) by staff raising a concern.

By contrast, only 23% of attacks were discovered by accident and just 13% were identified by a source external to the charity

What charities can do

The first thing charities can do is to raise awareness of cyber threats within their organisation, and to secure buy-in from organisational leaders for any initiatives that aim to improve cyber security

Our recent podcast, in partnership with the NCSC and the Charity Commission, examined the thinking behind charity leader’s attitudes towards cyber security and examined what is driving current attitudes on the topic.

Our discussion overwhelmingly corroborated the findings of the government’s 2019 inquiry – that charity leaders are aware of the risks that cyber threats present to charities (58% of those surveyed identified it as a major risk to the sector). Instead, there is a tendency to not know where to start, or to think that cyber security solutions are the preserve of larger, well-funded organisations.

Once you are able to convince your charity’s decision-makers and stakeholders that security is a priority, the next step is to implement automated risk-monitoring solutions, such as Splunk Security Monitoring.

These solutions use continuous monitoring, ad hoc search, static and dynamic searches, and visual correlations to determine malicious activity. They also empower your team members to address these concerns when they do crop up.

Some smaller organisations may find that team members tend to bury their heads in the sand when it comes to cyber security. These matters can be scary and may appear too complex to deal with.

But digital solutions can simplify things. Splunk Security Monitoring implements risk-based alerts that focus your team’s attention on threats, not false positives.

This can free up time and resources to focus on other areas, as your team is safe in the knowledge they are protected.