Online fraud such as phishing will continue to be a huge risk for charities in 2019 - fortunately the NCSC is also stepping up its game supporting the sector with educational resources.
This article is sponsored by CoopSys – providing data security services, advice and audits for the UK charity sector since 1987.
In 2018, more than one in five charities fell victim to cyber attacks, showing that charities are vulnerable to these crimes in the same way as businesses and the public sector.
Data theft is a growing crime area and no matter what type of organisation you are, if you hold commercially sensitive or personal data your organisation is a potential target.
We asked Kate Sinnott, Head of Charity Engagement at the National Cyber Security Centre (a part of GCHQ), what charities need to be most aware of as we go into a new year.
The organisation has recently published a Small Charity Guide on its website to help improve cyber security in the voluntary sector quickly, easily and at low cost. “While it’s next to impossible to predict the next big ransomware virus like WannaCry, for instance, the vast majority of attacks are unsophisticated,” says Sinnott. “Most cyber attacks are successful because people simply have not patched their software and devices against known viruses or not changed a weak password – the sort of things that criminals can easily exploit but people can prevent by taking sensible, cost-effective precautions.”
The cyber crime risks that charities face are broad. There are the more well known crimes like online scamming which can result in financial loss. But we are also seeing an increase in attacks like ransomware which can result in your organisation’s systems being locked down and a ransom demanded.
This can lead to a massive loss in productivity and your charity unable to deliver essential services. And if there is a data breach you could lose information that is pivotal to your organisation and its beneficiaries. “If you suffer an attack and haven’t backed up your data, then you’ve potentially lost years of stewarding supporters, gathering information on your beneficiaries that could set the organisation back a very long time or simply make it unviable,” says Sinnott.
“But arguably worse is the reputational damage – it’s very hard to put a figure on this, but if you haven’t taken reasonable steps to protect your data this will be reflected in the level of fine that the ICO hands out, and you could lose the trust of the people that hand over that data. And the success of the charity sector rests on the trust of the British population.” Financial, operational and reputational damage can all be caused by cyber crime.
In 2018, there have been plenty of warnings about fraudulent emails (known as ‘phishing’) in the charity sector, and this most common type of attack sees no sign of abating - in fact it’s on the rise. “A phishing email is an attack in its own right,” explains Sinnott, “but it hinges on what comes as a result of that attack, whether you’ve clicked on a malicious link or inputted bank details and sensitive information onto a compromised webpage.”
This type of fraud or ‘social engineering’ is often successful because it relies on the trust of people receiving the email. “There is often a community of trust in the charity sector, and a willingness to believe that people really are getting in touch because they want to support the charity,” says Sinnott. “That culture of trust can open charities up to going along with what turns out to be a ruse by criminals.”
The problem with phishing attacks is that they are getting increasingly sophisticated and convincing. “Gone are the days of the old adage of being offered an inheritance after a fake prince from a far away land died,” says Sinnott. “Most criminals have moved beyond that model now. It’s increasingly difficult to spot a suspicious email - particularly as criminals sometimes now insert information about you into the email to make it seem even more legitimate.” “The NCSC has done a lot of work to make emails safer – including pro-actively stopping 54 million malicious emails being sent in one year spoofing government. But other ‘phishing’ techniques still present a danger of tricking recipients.
Just because an email contains some personal information about you such as your address, don’t automatically think that it is a legitimate email. Often this information is easy for criminals to obtain from the internet such as through a cyber attack on another site you use.”
For example, the cyber attack on British Airways saw information on 380,000 customer transactions stolen by cyber criminals, including names, addresses, email addresses and sensitive payment card details. These details can then be exploited by criminals to tailor emails to people based on the information they know about them. Someone might receive an email that looks like it’s from British Airways, containing information that only the company should know (that the customer bought certain flights from BA recently, for example) asking to reset a password.
“By criminals utilising information they can make the attacks seem a lot more realistic,” says Sinnott. “While it’s right that charities are open and transparent, an attacker could glean a lot of information from a charity’s website that would make their enquiry seem quite realistic, making it a lot more likely that a victim clicks on a fraudulent link and follows instructions without questioning its authenticity.” Charities Aid Foundation has some important guidance on its website on how charities can avoid being reeled in by phishing emails.
Ultimately, cyber crime is a risk and should be treated and managed like any other in an organisation. This means trustees and boards need to understand it in the same way that they do other elements of risk such as safeguarding or financial planning.
In early 2019, NCSC will be releasing a toolkit for boards and charity trustees, which will bring together advice and insight on cyber security topics along with practical resources to help boards begin effective discussions on cyber security. “We understand that ultimately cyber security can feel very mystifying and overwhelmingly technical to those that aren’t used to dealing with it in their day to day lives, and we want to change this,” says Sinnott.
Also launching in 2019, NCSC’s free e-learning package will be aimed at both staff and volunteers. “Your staff are your first line of defence. You can boost your defences by training and supporting them to work securely, and implementing policies to help manage the risk to your systems,” says Kate.
This could include implementing a sensible password policy, and flagging when an email has come from outside the business. She adds, “It’s also important that they are empowered to voice concerns about poor security practices and security incidents to senior managers, without fear of recrimination.” Beyond that, it’s about deciding who in the IT team is responsible for cyber security.
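The external-sender flag mentioned above is a small, cheap control that a charity's mail filter can apply. As an added illustration (not code from the article or from the NCSC), the script below parses a raw email, looks at the real sender address rather than the display name, and prefixes the subject with an [EXTERNAL] tag when the address is not on the organisation's own domain. The organisation domain and the sample messages are constructed for this example; the look-alike message shows why the check must use the address and not the display name, which a phisher can set to anything.

```python
import email
from email.utils import parseaddr

# Hypothetical organisation domain for the example; not from the article.
ORG_DOMAIN = "examplecharity.org.uk"
EXTERNAL_TAG = "[EXTERNAL]"


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address part of a From: header.

    The display name is ignored on purpose: '"finance@org" <attacker@evil>'
    must resolve to the attacker's domain, not the spoofed name.
    """
    _display_name, addr = parseaddr(str(from_header or ""))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def is_external(from_header: str, org_domain: str = ORG_DOMAIN) -> bool:
    """True unless the sender address is on org_domain or one of its subdomains.

    An unparsable or missing sender is treated as external (fail closed).
    """
    domain = sender_domain(from_header)
    if not domain:
        return True
    return not (domain == org_domain or domain.endswith("." + org_domain))


def tag_external(raw_message: str, org_domain: str = ORG_DOMAIN) -> str:
    """Parse a raw RFC 5322 message and, if the sender is external, prefix the
    Subject with EXTERNAL_TAG. Tagging is idempotent, so a message passing through
    the filter twice is not tagged twice. Returns the re-serialised message."""
    msg = email.message_from_string(raw_message)
    if is_external(msg.get("From", ""), org_domain):
        subject = msg.get("Subject", "") or ""
        if not subject.startswith(EXTERNAL_TAG):
            del msg["Subject"]
            msg["Subject"] = f"{EXTERNAL_TAG} {subject}".rstrip()
    return msg.as_string()


def subject_of(raw_message: str) -> str:
    """Convenience helper: the Subject header of a raw message ('' if absent)."""
    return str(email.message_from_string(raw_message).get("Subject", "") or "")


# Constructed sample messages (not real mail).
INTERNAL_MSG = (
    "From: Finance <finance@examplecharity.org.uk>\n"
    "To: staff@examplecharity.org.uk\n"
    "Subject: Q4 budget\n"
    "\n"
    "Attached.\n"
)

# Display name imitates an internal address; the real address is a look-alike domain.
LOOKALIKE_MSG = (
    'From: "finance@examplecharity.org.uk" <ceo@examplecharity-org.uk>\n'
    "To: staff@examplecharity.org.uk\n"
    "Subject: Urgent payment\n"
    "\n"
    "Please pay the attached invoice today.\n"
)

if __name__ == "__main__":
    for raw in (INTERNAL_MSG, LOOKALIKE_MSG):
        print(subject_of(tag_external(raw)))
```

Real mail gateways (Exchange, Google Workspace, most filtering appliances) offer this as a built-in rule; the point of the script is to show what the rule should key on. A subject tag is a prompt for the reader, not a verdict, so it belongs alongside the password policy and the reporting culture the article describes rather than in place of them.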
Kate says, “A board of volunteer trustees may not have the technical knowledge required to secure systems. We recommend that there are people who have ownership of digital, IT and cyber security that can then have the knowledge and understanding to put in place sensible controls to protect the organisation.” NCSC also has a large number of GCHQ certified training courses, some of which are more technical for IT professionals.