Too many charities only take precautions after an attack. That needs to change – and fast
Most homeowners don’t protect their property with burglar alarms until after they’ve been burgled. For the same reasons, the organisations with the best cyber security measures in place are often the ones that have fallen victim to hackers in the past.
The question, then, is why are charities and other organisations waiting until they get hacked – with all the costs associated with this – before they tighten up their cyber security? Why not do it before hackers strike?
A significant proportion of charities don’t protect themselves adequately because they don’t feel at risk – perhaps because they are small, perhaps because they are a charity. After all, who would steal from a charity?
But cyber criminals are simply after money. They don’t discriminate between money belonging to charities and money belonging to other organisations, or between large charities and smaller ones. Indeed, they may well prefer to target smaller charities, as smaller organisations may have less effective cyber security measures in place.
The majority of charities are aware that cyber crime is a major and growing risk. But there is a disconnect between awareness of the risk on the one hand, and knowing what steps they should take to minimise this risk on the other.
There may also be a feeling of helplessness at some organisations. After all, when leaders of small charities see stories on TV about major cyber security breaches at large corporations, there is inevitably a feeling of “if they can’t protect themselves from hackers, then how can we?”
COVID-19 has also made things considerably more difficult for certain charities. Many are fighting for survival, concentrating on regenerating fundraising activities, restarting services, and looking after the welfare of their staff.
Protecting charity assets and spending money on cyber security in this context may seem like a luxury that these charities feel they cannot afford right now.
The sad truth, though, is that charities are actually at particularly high risk of becoming victims of cyber crimes. One reason for this may be that they are seen as easy targets for cyber criminals. Hackers know that many charities are struggling to raise money and provide services, so cyber security is unlikely to be foremost in their minds.
Charities are also particularly vulnerable to cyber attacks and online financial scams because of the very nature of charities. A vital layer of trust runs through the whole charitable sector. Unfortunately, while this trust makes charities so valuable and helps to inspire confidence in others, it also makes the sector uniquely vulnerable.
Another issue is the makeup of charity workforces. Many charities rely on large numbers of volunteers, but this can make it hard to ensure that everyone has had adequate cyber security training. A well-meaning, but not very tech-savvy volunteer is an attractive target for a cyber criminal’s phishing emails, for example.
So what can charities who feel that they have inadequate cyber security do to start to address the problem?
The first thing to think about is some simple maths: the cost of taking some simple but effective preventative measures now is less than the cost of taking these measures plus the cost of a cyber security breach after one has occurred.
The next thing to think about is that many important cyber security measures cost very little or even nothing at all. Others may involve purchases that are normally expensive but which are available at a heavily discounted rate from the Charity Digital Exchange.
One more thing that’s important is to realise that security starts with people. That means training staff – including volunteers – to help them avoid making security mistakes such as clicking on malicious links in emails or falling victim to a phishing attack.
It’s also important to help all staff to recognise when something looks or feels not quite right, and to give them the confidence to report it to the appropriate person in your organisation. It also involves ensuring that all charity board members and trustees are aware of cyber security risks and why it is vital that these risks are given the attention they merit.
In terms of practical steps that small charities can take, a good first step is to take a look at the National Cyber Security Centre’s Cyber Security: Small Charity Guide. This offers some key actions that charities can take such as: