The rise of ever more sophisticated malware, ransomware, bots and other threats have dominated cybersecurity firms’ predictions for 2018. But as soon as the words ‘cybersecurity’ are spoken, they can create a disconnect between the technologies and jargon involved, and the reality of organisations working with people’s data every day. Is it time for charities to get back to basics and work on better cyber awareness among staff, volunteers and trustees? In our recent article, we covered the main areas of vulnerability that charities need to be aware of going into 2018, and what they can do to be better protected. Here we explore the whys and hows of adopting a more cyber-aware culture that ensures everyone plays their part in keeping data secure and services running. A survey undertaken in August 2017 by the DCMS (Department of Culture, Media and Sport) as part of the National cybersecurity Programme looked into the attitudes of charities to cybersecurity. It found that smaller charities typically saw cybersecurity as more of an issue for businesses than the charity sector. As a result, cybersecurity was deprioritised. Common reasoning was that businesses would be more likely to have reserves of cash to target, whereas charities might be thought to have less to steal. But as Richard Cooper, Director of Programmes at Charity Digital explains, cyber criminals aren’t discriminate about who they ensnare: “They usually operate a mass market approach and will happily exploit a small charity. In fact, they often target smaller organisations because they are less well equipped to repel attacks. Because attacks are often automated, conning a small charity out of a few thousand pounds is cost effective for them.”
Phishing - online fraud where fraudsters attempt to hoax users into getting hold of sensitive information - will continue to present a threat to all kinds and sizes of organisations in 2018. While it’s difficult to estimate just how many emails are hoaxes, figures from IBM research show that a remarkable 91% of malware (malicious software) is delivered by phishing emails, whereby someone clicks a link in an email, infecting the computer without their knowledge. There are two specific issues with phishing, says Cooper: “The first is financial loss. Most small charities can ill afford to lose any money to a scam. The second is the loss of personal information on clients. While the impact noted above is a real consequence, under GDPR the fines for the loss of sensitive personal data are draconian, so in both cases, the impact could be to force the charity to close down.” These types of attacks are a prime example of why the word ‘cyber’ is misleading- it’s people, not technology, that are often the weakest link in an organisation’s defences. According to Martyn Croft, founder of the Charities Security Forum and former CIO of the Salvation Army, charities tend to get targeted by phishing in two different ways: “Type one is to say: if you don’t comply or give me this information, something bad will happen. For instance, if you don’t validate your PayPal account, we’re going to cease it. Charities often get targeted by a different psychological imperative. These emails say: something bad has happened and I appeal for you to help by giving me your credit card details.” Fraud techniques like these are known as ‘social engineering.’ These phishing campaigns often ride on the back of actual crises in the news or legitimate appeals, using pressure tactics to convince people to take urgent action. Small charities are being targeted because they tend to have less checks in place, and staff and volunteers typically receive less online security training. “It’s a different dynamic and it’s crafted appeal to people’s willingness to give,” says Croft, “though in this case it’s done by the bad guys.” “Could you tell the difference between a legitimate appeal and one coming from a bad guy who just wants your credit card details? These things are very difficult to spot.” Added to this, social media has opened up a new medium for con artists to operate, with instances of Facebook and Twitter fraud on the rise. Croft says that while there are technology solutions that can be put in place to spot these sorts of scams and avoid being reeled in, they tend to be quite expensive and are never going to be 100% effective. In the end, there is no substitute for educating staff and volunteers on what they should and shouldn’t click or reply to. The Charity Commission, as well as the Charities Aid Foundation, offer some sound guidance for charity workers on how to become savvy about phishing and stay protected. Some organisations use simulated phishing emails to train their staff and test their responses, as well as teaching them how to spot a fraudulent email. The Charity Commission’s website posts regulatory alerts and warnings about vulnerabilities and scams that charities should be on their guard against.
In November 2017 the ICO (Information Commissioner’s Office) warned charity workers about the consequences of misusing data, after an employee was prosecuted for making copies of sensitive information and sending the spreadsheets to his personal email address without the knowledge of the charity. The worker, employed by the Rochdale Connections Trust, was ordered to pay a total of £1,860.25. It’s not the only recent incident – 2016 saw the ICO take on leading dementia charity The Alzheimer’s Society when volunteers used their personal email addresses to share information about Alzheimer’s sufferers and their families. What happened in these examples were not large-scale cybersecurity breaches by sophisticated criminal gangs, but a simple case of individual charity workers and volunteers putting data at risk because of not knowing what they were doing was wrong – presumably because nobody had told them. We can’t blame the individuals, but the organisations themselves for failing to communicate basic data responsibility among their staff. Last year’s DCMS survey into charity cybersecurity found that it was uncommon for UK charities to provide cybersecurity training to their staff and volunteers. Many talked about the barriers to training staff, assumed training would be expensive, and did not prioritise spending on training above other areas that might need funding, such as IT equipment upgrades. But as Cooper points out, there are lots of areas of cybersecurity that involve very little cost. “Anti-virus and firewall software is relatively cheap and easy to implement. Both Symantec and BitDefender have donation programmes on Charity Digital Exchange, making it even cheaper,” he says. “But the most obvious area is developing policies and procedures and training staff. Most breaches have pretty banal causes, for example leaving an administrator password as ‘admin’, downloading a list of clients into a spreadsheet and emailing it to the wrong address, leaving a memory stick on a bus. All of these things can be avoided through enforcing policies and staff training.”
Instilling a mindset of cybersecurity awareness doesn’t have to be time-consuming or costly. There are plenty of resources out there for small organisations to get started, such as the NSCS (National cybersecurity Centre)’s guidance on building a user policy around the use of data and devices. And training on a limited budget can involve outsourcing it to experts or online tools. Educational tools and videos such as the Cyber Essentials Scheme and the NSCS’s video portal are entirely free resources that can be provided to staff to read up on in their own time. Croft advises that new recruits in a charity undergo a simple induction that tests their understanding of the basics before being allowed access to any important data or systems.
As we head into 2018 and the era of GDPR (General Data Protection Regulation), data security is not a responsibility to be taken lightly by any size organisation. For the Rochdale Connections Trust, a charity of 8-10 people, the ICO fine represented a significant blow, but it’s nothing compared to the potential fines that organisations face for a data breach after GDPR kicks off in 2018, when those in breach will face fines of 4% of their annual turnover or up to 20 million Euros. Point 6.3 in the Charity Commissions guidelines for responsibilities of charity trustees makes keeping assets such as data and intellectual property safe a core duty of trustees, whether or not they claim to ’get’ IT. Additionally, failure to protect a charity’s reputation, its fund and assets, or public trust and confidence - all of which are potential consequences of a cybersecurity breach - are listed as issues serious enough for the Commission to intervene. This makes cybersecurity awareness an issue that senior management cannot ignore. If a charity’s trustees appear to have their heads in the sand, it may be time for them to reconsider the makeup of their board. “It’s a board responsibility," says Croft. “I’ve heard people say ‘I don’t know anything about IT’- well you should do. Ignorance is no longer a good defence.” “I had a situation where someone came to the board about cybersecurity training, and the board came trotting out to say ‘she doesn’t need to do any of this induction stuff, she’s very experienced, she’s a non exec director, we daren’t ask her to do it.’ At that point you’ve got to say ‘no, everybody does it.’” “If we expect our staff to do security training, then we expect all staff to do it, including our senior management and trustees, and why wouldn’t we expect our trustees to do that?”
The Charity Commission’s guidance on risk management requires that charities regularly review and assess the risks faced by their charity, recording in a risk register how they might practically reduce the level of risk. This should include IT failures, loss of data and breaches of data protection law. It’s necessary for any board of trustees to assess the impact of any of these things on beneficiaries and other stakeholders, and have a plan in place to prevent them wherever possible, as well as a plan for how to carry on with services if IT systems are affected by a hack. If your core data is kept in the cloud, security is in the hands of the provider. But if your data is kept on-premise, having good backups in place is essential. Backup and recovery software such as Veritas Backup and Veritas System Recovery are available at a discount on Charity Digital Exchange. Under GDPR, organisations will be required to inform the individuals affected, and depending on the risk to the individuals, the ICO. Should the worst happen, Tim Cockle, Head of Digital Strategy at non-profit IT consultancy Eduserv says it’s important to act fast. “The speed of information today is one of the biggest risks out there. Bad news travels fast on social media. When you do have an issue you need to reassure people as quickly as possible that you’re doing what you can and you’re going to inform them, otherwise it will run away with itself and you’ll be caught up with that.” But most importantly, there needs to be a sense of ownership at the top: “An individual needs to be seen as someone that drives programmes forward and can actually make things happen. Because it’s an arms race.” “This kind of conversation isn’t an IT conversation, it’s a business conversation: how do we respect our donors? How do we put beneficiaries at the heart of what we do? But cyber, what does it sound like? It sounds like IT and someone else’s problem when it really isn’t. it’s up to every individual.”