We look at the latest cyber threats in the charity sector and offer some advice on how to stay protected
First it might be malicious worms, then malicious phishing emails, and then ransomware again. The cyber threat landscape that charities face changes frequently and rapidly, so it's vitally important that charities of all sizes keep a watchful eye on what's going on and what extra cyber security measures they should be taking.
Understanding what threats charities face and what security incidents have occurred in the charity sector is made harder because many charities are reluctant to talk about it. But charities are obliged to report certain cyber security breaches that involve personal information to the Information Commissioner’s Office (ICO) and this information can provide some valuable insights.
In the most recent reporting quarter, the ICO reveals that there were 58 cyber security incidents in total in the charity and voluntary sector. This may not seem to be a particularly high number, but to put it into perspective there were 40 incidents in the general business sector, 22 in transport, 148 in retail and manufacturing, and 1189 in finance, insurance and credit.
Remember though that these figures are related to personal data only – it’s just the tip of the iceberg because security breaches where money has been stolen or non-personal confidential data has been taken are not included.
But these figures are still revealing. Of the cyber security incidents reported in the charity and voluntary sector, almost half (25) stemmed from phishing attacks, 16 from ransomware attacks, and 8 from unauthorised access. These are the cyber threats that charities should be particularly aware of today.
Phishing has long been a major cyber security problem, but cyber criminals’ efforts to compromise charities’ security may be being made much easier because so many charity staff are working from home.
In fact, 47% of people who were working remotely said that being distracted was the reason that they fell victim to a phishing attack when they were home working, according to research by security company Tessian.
Ransomware attacks have been a problem for several years now and the ICO data shows that these are still a very real problem for charities. Research from Symantec reveals that the file types most commonly used by cyber criminals to infect users’ computers with ransomware (and other malware) are .doc, .dot, and .exe files, which may be included as attachments in phishing emails, or as links which users click on to download them.
It’s worth noting that .exe files (denoting that they are executable files, or programs) are almost never sent in emails legitimately, so charity workers should be trained never to click on any file with a .exe file extension. Similarly, it is unusual ever to encounter a .dot file (a Microsoft Word template file), so these should also be treated with extreme caution.
But the biggest problem is .doc files. These are Microsoft Word documents and they are often attached to legitimate emails. That’s why it is essential to train staff to treat any .doc files they receive with extreme caution. Staff should only open them if they are expecting to receive them and they are sure of the sender.
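The three attachment types above translate naturally into a mail-gateway or helpdesk triage rule. The following Python script is an added example written for this article, not code from the article or from any vendor it mentions; it builds a constructed sample email, pulls out the attachment filenames and applies a verdict per extension. The verdicts themselves ("block" for .exe and .dot, "review" for .doc, "allow" for anything else) are an assumption that mirrors the article's advice, and the script goes slightly beyond the text by normalising case, trailing dots and double extensions such as invoice.doc.exe, which are the usual ways a filename is dressed up to look harmless.

```python
import email
from email import policy
from email.message import EmailMessage

# Verdict per final extension. The three extensions come from the article;
# the block/review actions are an assumption for this example.
ATTACHMENT_POLICY = {
    ".exe": "block",   # executables are almost never sent legitimately
    ".dot": "block",   # Word templates are rarely encountered in email
    ".doc": "review",  # Word documents are common, so hold until the recipient confirms
}


def classify_filename(filename):
    """Return the verdict for one attachment filename.

    Case and trailing punctuation are normalised so that 'INVOICE.EXE ' and
    'invoice.doc.exe' are both judged on the extension Windows would actually
    act on (the last one), not on the one the sender wants you to notice.
    """
    if not filename:
        return "review"  # a nameless attachment cannot be vetted by extension
    name = filename.strip().rstrip(".").lower()
    if "." not in name:
        return "allow"
    ext = name[name.rfind("."):]
    return ATTACHMENT_POLICY.get(ext, "allow")


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and return [(filename, verdict), ...]."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        results.append((fname, classify_filename(fname)))
    return results


def build_sample_message():
    """Constructed sample message (not a real phishing email) with four attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "staff@charity.example"
    msg["Subject"] = "Documents"
    msg.set_content("Please see attached.")
    # Attachment bodies are placeholder bytes; only the filenames matter here.
    msg.add_attachment(b"placeholder", maintype="application", subtype="msword",
                       filename="Grant_Report.DOC")
    msg.add_attachment(b"placeholder", maintype="application", subtype="octet-stream",
                       filename="invoice.doc.exe")
    msg.add_attachment(b"placeholder", maintype="application", subtype="msword",
                       filename="letterhead.dot")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, verdict in triage_message(build_sample_message()):
        print(f"{verdict:7s} {fname}")
```

The rule is deliberately built on the last extension only: that is what the operating system uses to decide whether a file runs, so a name like invoice.doc.exe is an executable however much it resembles a document. A "review" verdict is meant to put the message in front of the recipient with the article's question attached: were you expecting this file, and are you sure who sent it?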
The security incidents arising from unauthorised access to charity computer systems are interesting, because people tend to imagine that these are the result of highly skilled cyber criminals hacking into charities' systems by finding and exploiting software vulnerabilities.
But the disturbing truth is that charities are susceptible to ‘insider’ attacks, where their own staff are responsible for passing on account passwords or other data to criminals. Even more worrying is the fact that the opportunity for insiders to operate is much greater when staff are working and have access to charity data from home. Forrester Research expects insider data breaches to increase by almost 10% in 2021 compared to 2020, accounting for about a third of all cyber security incidents.
Another result of the pandemic is that many remote workers are using applications and storing data in the cloud from home, and cyber criminals have been quick to take advantage: cloud-based cyber attacks rose by more than 600% in early 2020.
Cloud accounts are still being targeted, and charities that have not already done so should prioritise putting additional security measures in place, such as implementing two-factor authentication for cloud accounts, especially for cloud accounts accessed from home.
Another security measure that charities should consider is a system called Secure Access Service Edge, or SASE (pronounced “sassy”). The concept of SASE was introduced by Gartner just before the pandemic struck. SASE is essentially a type of security-as-a-service offering, enabling remote workers (and office-bound workers) to connect to a SASE hub, where many different security measures such as next generation firewalling, sandboxing, data loss protection, cloud access security broker (CASB) functionality, and much more can be applied.
From there, charity staff are connected to their cloud services, keeping them more secure than if they had connected to the cloud service directly from home, with only their endpoint protection software to keep them secure.
We are likely to hear much more about SASE in the coming months, but in the short term one of the best things that charities can do to prevent cyber security incidents is to ensure that all their staff and volunteers have received cyber security training and are aware of what to look out for. A good place to start is the NCSC's cyber security e-learning package, which was published in late 2020.