We look further into what charities can do to prevent a serious data breach or cyber attack on the Dark Web
This article is sponsored by Skurio, innovative cybersecurity experts.
In our previous article about the Dark Web, we explained what it is and why charities need to be aware of the risks to their data security. We heard from data security monitoring firm Skurio, who gave us a fascinating peek into the hidden world of activity that criminals carry out around buying and selling stolen data, enabling fraud and swapping hacking instructions on organisations of all sizes.
It’s scary to contemplate the harmful things that could be happening in the dark alleys of the internet behind the backs of charities. But hysteria and fear around cyber security can be counter-productive – it can cause people to experience a ‘fight or flight’ reaction where they feel powerless and end up doing nothing. Worries around costs and lack of technical know-how can add to the paralysis.
By doing nothing, charities take an unnecessary gamble when they’d be much better off on the ‘fight’ side of things, taking proactive action to stay protected. Below, we answer some of the pressing questions we’ve heard from charities and break down some of the straightforward actions they can take.
Organisations should never attempt to access the Dark Web without expert help. For one, it just wouldn’t be a very efficient use of their time, and the costs of hiring someone to do this manually are often not justified. Far away from search engine catalogues, it’s a messy place and it’s very difficult to gain proper visibility into what may be happening on the Dark Web by browsing it manually.
But more crucially, it can be dangerous and there’s no real reason to try accessing criminal websites yourself. It’s easy to get scammed by other users or to pick up malware. Law enforcement monitor the Dark Web and try to catch people engaging in suspicious activity, and many websites are illegal to access and feature content that you don’t want to be caught viewing.
The best way to monitor the Dark Web is via an automated monitoring solution from a specialist firm like Skurio that will safely and intelligently scan multiple sources and can provide peace of mind. The experts can then provide advice on and help with removing data, informing users, investigating further or taking other actions should a breach be detected.
Whether or not they can undertake Dark Web monitoring, there are a number of steps, set out in the NCSC (National Cyber Security Centre)’s Cyber Security: Small Charity Guide, that charities should be taking to prevent their data falling into the wrong hands:
For an organisation with supporters and members logging into their website or submitting their information when they donate, this represents a lot of unknowns. Without your charity’s knowledge, supporters could be using the same insecure password that they use across other websites and accounts. The reality is that even if you have great security internally and are doing everything right, their data could be breached elsewhere, and your charity could be in the firing line for it.
For that reason, user awareness and education are very important. Getting people to change their passwords or make them overly complex is difficult, and making things less convenient for donors or service users is the last thing a charity wants to do.
However, charities need to try to enforce some level of password security, ideally by having rules that stipulate a strong password. Two-factor authentication is also a tried and trusted way of adding an extra layer of security to logins, requiring users to log in via a code sent to their mobile device.
For internal users such as staff and volunteers, charities should impress upon them the importance of using different passwords. Get a password-saving app or user credential management platform such as Dashlane, LastPass or Okta for your organisation. These apps are a fantastic security tool as they let you store all your various passwords inside a protected environment secured with just one unique password, so users only need to remember one.