By sharing information about cyber security breaches, the charity sector can work together to make charities much more secure
Thousands of organisations are attacked by cyber criminals every day and since the start of the pandemic these numbers have spiked by more than 300%, according to the FBI, as hackers target organisations with large numbers of staff working from home.
But you could be forgiven for not being aware of these facts. That’s because the overwhelming majority of organisations, including businesses and charities, are reluctant to talk about their cyber security breaches.
If a data breach results in certain types of personal data being compromised then charities may be obliged to inform the Information Commissioner’s Office (ICO). But there is no obligation to report a breach more publicly, and certainly no requirement to report it to the police.
As a result, there is a huge gap between the numbers published in the Office for National Statistics’ annual crime survey and the number of cyber crimes reported to Action Fraud, the UK’s cyber crime reporting centre. A report from the Institute of Directors found that less than 30% of cyber breaches in the UK are reported to the police.
There are a number of reasons why charities that experience a cyber breach may be reluctant to report it. The primary reason may well be a feeling that there is not really anything to be gained by doing so. That’s because many cyber attacks are launched from overseas, so charities may think that there is little chance of the perpetrators being caught and brought to justice.
Many security breaches result in the loss of data rather than money, and when that’s the case there may also be a feeling that law enforcement can’t do anything about that. Cash may be recovered, but once data is compromised it can’t be ‘uncompromised’.
Charities may also feel that when a breach has occurred their priorities are to get the situation under control, fix the damage, and prevent the same incident happening again. Involving the police, some charities might believe, would only divert resources and hamper remediation efforts.
But perhaps the biggest motivation for charities staying silent after a cyber breach is the fear that the incident will harm the organisation’s reputation. If a charity’s cyber security measures can’t be trusted then donors might be reluctant to trust the organisation with their money, and other constituents – particularly service users – might worry that the charity can’t be trusted with private information.
The problem with a culture of secrecy surrounding charity cyber security breaches is that it misses a huge opportunity for all charities to benefit from sharing information and learning from it. In fact, there’s a very strong case to be made that it would be far more beneficial for charities to be open about cyber security incidents they experience.
Just for starters, charities talking openly about cyber security breaches raises awareness that all organisations, including charities, are targets for cyber criminals and that the risks of a cyber attack are real.
The fact that charities are targeted with such frequency should help to reinforce that cyber security is a process that needs to evolve constantly to stay abreast of the latest tactics that cyber criminals use.
Although it may be tempting for some charities to think that by installing endpoint protection software they have done all they can to prevent being hacked, the free exchange of information about charity security breaches should help disabuse these charities of that notion.
More information about charity cyber security breaches and the frequency with which they happen would also make it easier for charities to fully appreciate the risk of a breach and to react by allocating an appropriate amount of resources to managing that risk.
Keeping quiet about cyber security breaches encourages charities to underestimate cyber security risk and in the end that does nobody any favours. If charity leaders are not fully aware of the risks that charities face, it is much harder for the person responsible for cyber security to get those leaders to approve spending on the necessary security measures.
Perhaps the most important benefit of talking more openly is that it would enable charities to share information about specific security incidents they have experienced and for others to learn from those experiences, any mistakes that may have been made, and effective actions that were taken in response.
There is no doubt that cyber criminals specifically target the charity sector because they know that charities often lack the sophisticated cyber security expertise that large businesses may have at their disposal, so understanding how cyber criminals are attacking charities specifically is extremely important for the charity sector as a whole.
Talking about cyber security incidents is, in the end, a kind of public good. When all charities are confident enough to discuss them, then all charities benefit. And ultimately there should be no reason for charities to feel that it’s a subject that is better not discussed in public.
That’s because cyber security breaches in the charity sector are inevitable: cyber criminals’ priority is to overcome organisations’ security measures and to steal their data or their money. Charities, on the other hand, have much more on their plates. They have to carry out all their charitable activities: service provision, fundraising, awareness raising, and so on, while still trying to keep cyber criminals at bay.
Put in that context, fears that donors and service users may shun charities that have been breached are likely unfounded. The more they understand that any charity can, and sometimes will, fall victim to an attack, the less they will ‘punish’ a specific charity after an incident occurs.
Charities should expect to keep out some of the cyber criminals all of the time, but it’s simply not realistic or possible to keep out all of the cyber criminals all of the time.
By sharing information about the cyber security breaches they experience, and what works and what doesn’t to prevent them, the charity sector as a whole can work together to make cyber criminals’ lives a lot harder and charities much more secure.