How to keep your charity secure in the ‘new normal’

Mitigating the risks of remote working

A recent survey from DTI shows nearly three-quarters of businesses are planning to maintain an increase in home working. The charity sector is no different, according to a survey conducted with the Charity IT Leaders Group which saw an identical proportion of charities committed to remote working.

In addition to potential savings on the cost of premises, improved flexibility for charity workers is a key factor in the decision.

But the move to remote working brings with it a new range of threats.

There are three key ways in which remote working can increase digital risk:

• Use of unapproved software on devices owned by the organisation
• Access to charity data from personal devices
• Disruption to normal methods for preventing cyber attacks

Charities can lower these risks by introducing and enforcing best-practice; especially with policies related to equipment use and passwords. Increasing awareness of cyber threats is important too.

Avoid exploitation of your brand

The COVID-19 crisis has seen the creation of new organisations, partnerships and services to help those impacted and this has meant setting up new websites.

But charities are not the only ones setting up new sites - fraudsters are also registering domains. These domains can be used for sending spam or phishing emails to your supporters or to set up sites which trick them into giving up personal information or downloading malware.

It can be very hard to tell the difference between these sites and genuine ones. Since the start of the pandemic, DomainTools have assessed over 150k of new COVID-related domains to be a significant threat: with 5% of these high-risk domains imitating charities and not for profit organisations by using a ‘.org’ extension.

This is, however, the tip of the iceberg as the research does not include typo-squatting domains which spoof existing charity domains – these will look very similar but might, for example, have a “.” in a different place or subtle change in spelling. Free services, like dnstwister, can provide charities with a list of potential spoof domains. However, researching and taking down these domains bears inherent risks. Specialist typo-squatting protection is a valuable service to consider as part of your cybersecurity defences.

Prevent ongoing business email compromise and supply chain attacks

By removing the ability of staff to simply cross-check the contents of an email by speaking to a colleague across their desk, remote workers can be more vulnerable to cyber-attack.

When email addresses and passwords and shared and sold on the Dark Web, they can be used to take over email accounts and attempt to get fraudulent payments authorised. Even if your charity takes precautionary steps to prevent this, like using password management, multi-factor authentication and email scanning, the suppliers and partners you work with may not have been so careful.

Using additional steps like phone call verification and monitoring for leaked, lost or stolen credentials are vital to staying one step ahead of cyber-criminals.

Maintain and build trust

With many fundraising activities moving online, keeping the data of your supporters safe has never been more important.

Even if a breach incident has originated with a 3rd or 4th party supplier, it can still impact your reputation. The National Trust, for example, was unfortunate to be included in the 100+ list of educational and charity organisations affected by a ransomware incident via their 3rd party software supplier.

Once this kind of news hits the press, organisations become an open season target for criminals; often using fake domains to directly target anyone who’s data has stolen. Charities can, however, establish an early warning mechanism to detect 3rd party breaches.

By combining the addition of synthetic data records with continuous data monitoring, charities can tell if data leaked from a supplier is being used to mount a phishing campaign – even if the data hasn’t been made available to buy or download.

This cost-effective technique provides reassurance to donors who, according to The Charity Commission, are nine times less likely to donate to an organisation they feel is untrustworthy. That’s why maintaining supporter trust is so important to charity fundraising activities.