The change in working habits brought about by the pandemic has led to a new generation of cybersecurity threats. Experts from Skurio outline how charities can stay protected.
This article is sponsored by Skurio, innovative cybersecurity experts.
We may not be back to normal yet, but charities are already preparing themselves for the long-term changes required for success in a post-pandemic world. As charity digital leaders navigate this transition, there is much for them to consider.
The pandemic has thrown up unprecedented challenges for charities to overcome. It has also fundamentally changed the way we work. Whilst many organisations had to act quickly in order to make the sudden transition to digital, charity leaders may now find they have the breathing room to evaluate and optimise their processes and build towards a sustainable future.
Ensuring the physical safety of everyone who interacts with your charity is, of course, the highest priority, closely followed by developing new, safe ways to raise vital funds. But in order to be able to do this, charities must prioritise security. Changes to the way we work have increased digital risk, so now is the time to ensure that our cyber defences are updated, in order to safeguard against a rising tide of new threats.
The rapid evolution of digital brings with it many advantages for charities: revolutionising the way we raise funds, deliver vital services and spread our message across the globe.
But as charities reap the fruits of technological advancement, fraudsters and hackers also benefit from the wider use of tools like machine learning and increased automation. As more and more of our lives and work move online, it’s no surprise that organisations and individuals are increasingly coming under threat from cyber criminals. The turmoil and uncertainty of the pandemic have created new opportunities for fraud for those willing to exploit them, and charities must remain vigilant and prepared for these increased threats.
A recent survey from DTI shows nearly three-quarters of businesses are planning to maintain an increase in home working. The charity sector is no different, according to a survey conducted with the Charity IT Leaders Group which saw an identical proportion of charities committed to remote working.
In addition to potential savings on the cost of premises, improved flexibility for charity workers is a key factor in the decision.
But the move to remote working brings with it a new range of threats.
There are three key ways in which remote working can increase digital risk:
Charities can lower these risks by introducing and enforcing best practice, especially with policies related to equipment use and passwords. Increasing awareness of cyber threats is important too.
The COVID-19 crisis has seen the creation of new organisations, partnerships and services to help those impacted and this has meant setting up new websites.
But charities are not the only ones setting up new sites - fraudsters are also registering domains. These domains can be used for sending spam or phishing emails to your supporters or to set up sites which trick them into giving up personal information or downloading malware.
It can be very hard to tell the difference between these sites and genuine ones. Since the start of the pandemic, DomainTools have assessed over 150k new COVID-related domains to be a significant threat, with 5% of these high-risk domains imitating charities and not-for-profit organisations by using a ‘.org’ extension.
This is, however, the tip of the iceberg as the research does not include typo-squatting domains which spoof existing charity domains – these will look very similar but might, for example, have a “.” in a different place or subtle change in spelling. Free services, like dnstwister, can provide charities with a list of potential spoof domains. However, researching and taking down these domains bears inherent risks. Specialist typo-squatting protection is a valuable service to consider as part of your cybersecurity defences.
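The kind of check this paragraph describes can be sketched as follows. This is an added example, not code from the article, Skurio or dnstwister; the domain `examplecharity.org`, the feed and the lookalike-character table are constructed assumptions. It flags domains that differ from the charity's own only by a moved separator, a lookalike digit or a small spelling change.

```python
# Added example: flag lookalike registrations for a charity's domain.
# LEGIT and FEED are constructed sample data, not real indicators.
LEGIT = "examplecharity.org"
FEED = ["example.charity.org", "examp1echarity.org", "exampelcharity.org",
        "donate.examplecharity.org", "covid19-relief.org"]

# Digits commonly used to imitate letters (a small, illustrative subset).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain: str) -> str:
    """Fold lookalike digits and drop '.'/'-' so moved separators compare equal."""
    return domain.lower().translate(LOOKALIKES).replace(".", "").replace("-", "")


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def classify(candidate: str, legit: str = LEGIT, max_edits: int = 2):
    """Return a reason string if candidate imitates legit, else None."""
    candidate = candidate.lower().rstrip(".")
    if candidate == legit or candidate.endswith("." + legit):
        return None  # our own domain or one of its subdomains
    cand, ours = skeleton(candidate), skeleton(legit)
    if cand == ours:
        return "separator-or-lookalike-character"
    if osa_distance(cand, ours) <= max_edits:
        return "near-spelling"  # short domains need a lower max_edits
    return None


def scan(feed, legit: str = LEGIT) -> dict:
    """Map each suspicious domain in the feed to the reason it was flagged."""
    hits = {d: classify(d, legit) for d in feed}
    return {d: why for d, why in hits.items() if why}


if __name__ == "__main__":
    for domain, why in scan(FEED).items():
        print(f"{domain}: {why}")
```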
By removing the ability of staff to simply cross-check the contents of an email by speaking to a colleague across their desk, remote workers can be more vulnerable to cyber-attack.
When email addresses and passwords are shared and sold on the Dark Web, they can be used to take over email accounts and attempt to get fraudulent payments authorised. Even if your charity takes precautionary steps to prevent this, like using password management, multi-factor authentication and email scanning, the suppliers and partners you work with may not have been so careful.
Additional steps like phone call verification and monitoring for leaked, lost or stolen credentials are vital to staying one step ahead of cyber-criminals.
With many fundraising activities moving online, keeping the data of your supporters safe has never been more important.
Even if a breach incident has originated with a 3rd or 4th party supplier, it can still impact your reputation. The National Trust, for example, was unfortunate to be included in the 100+ list of educational and charity organisations affected by a ransomware incident via their 3rd party software supplier.
Once this kind of news hits the press, organisations become an open-season target for criminals, who often use fake domains to directly target anyone whose data has been stolen. Charities can, however, establish an early warning mechanism to detect 3rd party breaches.
By combining the addition of synthetic data records with continuous data monitoring, charities can tell if data leaked from a supplier is being used to mount a phishing campaign – even if the data hasn’t been made available to buy or download.
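One way to implement the synthetic-record approach described above, as an added example that is not from the article or from Skurio: each supplier receives a supporter record with its own unique address, and any mail to that address from an unexpected sender indicates that supplier's copy of the data is in use. The key, domains, supplier names and messages are constructed assumptions.

```python
# Added example: per-supplier synthetic supporter records as a leak tripwire.
# All names, domains and messages below are constructed sample data.
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: held in the charity's secret store
CANARY_DOMAIN = "canary.examplecharity.example"  # assumption: catch-all mailbox
SUPPLIERS = ["mailing-house", "crm-vendor"]
# Sender domains each supplier legitimately uses when mailing supporters.
EXPECTED_SENDERS = {"mailing-house": {"mail.mailing-house.example"},
                    "crm-vendor": set()}


def canary_address(supplier: str) -> str:
    """Derive the synthetic address seeded into the copy shared with a supplier."""
    tag = hmac.new(SECRET, supplier.encode(), hashlib.sha256).hexdigest()[:10]
    return f"j.marsh.{tag}@{CANARY_DOMAIN}"


def attribute(recipient: str, suppliers=SUPPLIERS):
    """Return the supplier whose data copy contains this recipient, if any."""
    lookup = {canary_address(s): s for s in suppliers}
    return lookup.get(recipient.strip().lower())


def triage(inbound, suppliers=SUPPLIERS, expected=EXPECTED_SENDERS):
    """List (supplier, sender domain, subject) for unexpected mail to a canary."""
    alerts = []
    for msg in inbound:
        supplier = attribute(msg["to"], suppliers)
        if supplier is None:
            continue  # not addressed to a synthetic record
        sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
        if sender_domain not in expected.get(supplier, set()):
            alerts.append((supplier, sender_domain, msg["subject"]))
    return alerts


# Constructed inbound mail as a monitoring job might see it.
INBOUND = [
    {"to": canary_address("mailing-house"),
     "from": "news@mail.mailing-house.example", "subject": "Spring newsletter"},
    {"to": canary_address("crm-vendor"),
     "from": "support@examplecharity-donations.example",
     "subject": "Urgent: confirm your donation"},
    {"to": "info@examplecharity.example",
     "from": "someone@elsewhere.example", "subject": "Volunteering"},
]

if __name__ == "__main__":
    for alert in triage(INBOUND):
        print("possible supplier data leak:", alert)
```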
This cost-effective technique provides reassurance to donors who, according to The Charity Commission, are nine times less likely to donate to an organisation they feel is untrustworthy. That’s why maintaining supporter trust is so important to charity fundraising activities.