Charities are not sufficiently investing in cyber security. We examine the rewards of improving security processes, as well as the risks of not doing so.
This article is sponsored by Splunk - the world’s first Data-to-Everything Platform designed to remove the barriers between data and action, so that everyone thrives in the Data Age. Splunk empowers IT, DevOps and security teams to transform their organisations with data from any source and on any timescale.
There are many challenges facing charities in 2021. Obstacles to traditional fundraising and service delivery models are the most obvious problems, and charity leaders have dedicated the majority of their attention and resources to overcoming them.
2020 was a year of sudden and widespread digital innovation within the UK charity sector. Charities moved their fundraising and service delivery processes online, built remote working set-ups from scratch, and created virtual office spaces to keep their teams connected.
But these digital solutions bring challenges of their own. The more a charity moves its operations online, the more susceptible it becomes to a cyber attack.
It is clear that cyber security is not a priority for many charities. Throughout the pandemic, we have seen interest in cyber security drop, all while the risks associated with cyber attacks have dramatically increased.
With immediate threats facing many charities’ ability to continue operations throughout 2020, it is understandable that cyber security may not have been the number one priority. But charities that have adopted wider digital frameworks will have no choice but to make cyber security central to working practices – or leave themselves exposed to risks in the long run.
Charities are an appealing target for cyber criminals.
There are a number of reasons for this. For one, charities handle two valuable assets: money and personal data. Corporate businesses handle these too, but they are more likely to invest in cyber security technology, or to have more stringent processes in place. Therefore, charities are viewed as a soft target.
This is exacerbated by the nature of charity work. People get into charity work to do good things, and they expect this good in others. Many charity workers will adopt a trusting attitude in their daily working interactions, and may not subject requests for information to the same degree of scrutiny as someone working in a corporate organisation.
“Charities in England and Wales spend nearly £80 billion of valuable funds per year. They hold financial and personal information that cyber criminals increasingly target, though there’s no definitive estimate of the scale of cybercrime facing the sector.
Some larger charities believe they experience several thousand attempted cyber-attacks every week. Encouragingly, most are prevented by the application of robust defences, such as up-to-date software patching and firewalls, combined with the vigilance of charity staff.”
Proper security processes are key to maintaining supporter trust. No organisation (whether operated for profit or not) can function without the trust of the people it works with. But the pressure to maintain this trust weighs more heavily on charities than on businesses.
This is because donating to a charity is a personal decision, for which the donor will probably have personal motives. If their information security is compromised, this trust is undermined, and they are far less likely to donate in the future.
The fallout of a cyber attack could include the loss of this trust, or some other impediment to continuing the organisation’s work, such as vital operational data being locked down by ransomware, or much-needed funds unavailable because of suspicious or fraudulent transactions.
There is an understandable reluctance among charities to talk openly about cyber security. There may be a belief that to do so would invite attack. But taking the right precautions to keep your organisation and supporters safe is more likely to deter criminals and fraudsters.
In fact, public investment in cyber security can be a major selling point. When people give to charity, they want transparency. Donors want to know how the money will be spent, and they will feel strongly if they perceive that their money is not being used how they intended.
An investment in cyber security can also help you to mitigate risks when they do occur. Charities with automated risk monitoring will be more likely to become aware of a cyber breach or attack at an early stage – meaning that they will be in a better position to address and contain the attack before its impact becomes severe.
Automated risk monitoring solutions make catching cyber attacks a far more likely prospect. A 2019 government survey into charity cyber crime found that most attacks are discovered through internal control arrangements, with almost a third (30%) identified by internal IT controls and over a quarter (26%) by staff raising a concern.
By contrast, only 23% of attacks were discovered by accident and just 13% were identified by a source external to the charity.
The first thing charities can do is to raise awareness of cyber threats within their organisation, and to secure buy-in from organisational leaders for any initiatives that aim to improve cyber security.
Our recent podcast, in partnership with the NCSC and the Charity Commission, examined the thinking behind charity leaders’ attitudes towards cyber security and what is driving current attitudes on the topic.
Our discussion overwhelmingly corroborated the findings of the government’s 2019 inquiry – that charity leaders are aware of the risks that cyber threats present to charities (58% of those surveyed identified it as a major risk to the sector). The obstacle is not awareness; instead, there is a tendency to not know where to start, or to think that cyber security solutions are the preserve of larger, well-funded organisations.
Once you are able to convince your charity’s decision-makers and stakeholders that security is a priority, the next step is to implement automated risk-monitoring solutions, such as Splunk Security Monitoring.
These solutions use continuous monitoring, ad hoc search, static and dynamic searches, and visual correlations to determine malicious activity. They also empower your team members to address these concerns when they do crop up.
Some smaller organisations may find that team members tend to bury their heads in the sand when it comes to cyber security. These matters can be scary and may appear too complex to deal with.
But digital solutions can simplify things. Splunk Security Monitoring implements risk-based alerts that focus your team’s attention on threats, not false positives.
This can free up time and resources to focus on other areas, as your team is safe in the knowledge they are protected.
Splunk provide free software and offer complimentary eLearning and support for charities. Registration also qualifies your organisation for preferred access to discount pricing on Splunk Enterprise, Splunk Cloud, and Splunk premium apps such as Enterprise Security and IT Service Intelligence.