The biggest cyber security threats facing charities in 2020

The global cyber security market has experienced stratospheric growth from just £2.7 billion in annual sales back in 2004 to about £95 billion today, according to research house Gartner, and annual sales are predicted to skyrocket by almost 40% to about $129 billion in three years’ time.

The reason for this growth in spending is clear and obvious: cybercrime shows no sign of slowing. Charities, as well as businesses of all sizes, continue to fall victim to it, and when they do the results can be catastrophic: the average cost of a data breach in 2019 was about £3 million, according to IBM’s Cost of a Data Breach report.

Some of the biggest cyber threats of 2019 will evolve during 2020, meaning that charities and other organisations need to remain vigilant to minimise the risk of a significant security breach during the year. Here are some of the biggest cyber security threats facing charities in 2020:

Phishing attacks fueled by artificial intelligence

Phishing attacks already pose a huge risk to charities, because criminals specifically target charities with fraudulent phishing emails. That’s because staff and volunteers often receive less online security training than employees in for-profit organisations, according to Professor Mark Button, a counter-fraud expert at the University of Plymouth.

But in 2020 the risk posed by phishing attacks is likely to get worse, according to David Richardson, of security company Lookout.  The reason for this is that cyber-criminals are beginning to use machine learning algorithms to fine-tune and optimise the contents of these phishing emails to make them more effective. "Phishing lures and landing pages will be ‘A/B tested’ by AI algorithms to improve conversion rates," he explained.

More dangerous ransomware

Phishing emails frequently attempt to trick staff into installing ransomware – a type of malware - on charity’s computer systems. So the use of AI to make these emails more effective has important implications for the likelihood of falling victim to a ransomware attack in 2020.

Many organisations believe that they can mitigate the worse effects of a ransomware attack by ensuring that they have high-integrity backups of their systems and data which they can restore if their data becomes encrypted. But, disturbingly, ransomware is increasingly being equipped with "extraction capabilities," meaning that it can steal confidential information such as usernames and passwords before encrypting data. This means that even if an organisation restores its systems from backups the cyber criminals can come back later and access those systems.

Internal fraud and the "malicious insider" threat

Fraud is a huge problem for charities, and it is becoming apparent that fraud facilitated by staff, volunteers, or people working for partner organisations is a major part of the problem: 53% of charities affected by fraud in the past two years knew the perpetrator, according to a report published by the Charity Commission.

Malicious insiders can make cyber-fraudsters’ jobs easier by revealing confidential user names and passwords to these fraudsters, or in some cases setting them up with their own unauthorised accounts on charities’ computer systems, enabling them to access data.

Data loss from cloud storage

Charities are increasingly moving some or all of their operations to the cloud, in part to take advantage of cloud service providers’ cyber security resources and expertise. But there have been a constant stream of data breaches over the last few years caused by "leaky" cloud storage buckets such as Amazon’s S3 storage buckets: misconfigurations meant that these data buckets were "open" and publicly accessible over the internet. These data breaches constitute dangerous cyber security threats.

Amazon recently launched Amazon S3 Block Public Access, a tool which allows administrators to block existing public access and ensure that public access is not granted to newly created items by mistake.  Although helpful, misconfigurations are still possible and, arguably, easy. That means they leaky data buckets will remain a tempting target for hackers, and tens or hundreds of millions more confidential records, some belong to charities, are likely to be accessed by people who have no business doing so in 2020.