Your computer is acting strangely, files are disappearing before your eyes, and you realise your charity is experiencing a cyber attack. Here’s what to do – and what not to do
Speed is of the essence if hackers gain access to your charity’s computer systems. For that reason, it’s important to prepare a plan ahead of time that you can put into action with the minimum of delay.
This plan should include the following steps.
Your most immediate concern when your charity experiences a cyber attack is to stop the attack and minimise the damage that it can cause. So the first step should be to disconnect your charity’s network from the internet, cutting off the cyber criminals’ access to your computers and preventing them from exfiltrating any more data.
If your computers are infected by ransomware then they may continue to encrypt your data even when they are disconnected from the internet. The best solution if this is the case is to stop your computers running by putting them into hibernation mode, although this mode may not be possible on some desktop PCs.
Since the best way to recover from a ransomware attack is to restore data from backups, you should also disconnect any backup devices from your computers to help ensure that they do not become infected as well.
Common mistake to avoid: It may be tempting to turn your computers off, but that can destroy valuable forensic evidence experts might need to work out how your cyber security was breached. Ransomware can also sometimes cause more damage on a computer which is turned off and turned on again than on a computer that is hibernated.
The next step is to use a computer on a separate network to change the passwords for any cloud services (such as CRM, email, Office 365) that your charity uses, and any other accounts that your employees log on to, as soon as possible. That’s because one or more of these accounts may have been compromised during the cyber attack.
Worse, they may have been compromised before the attack, enabling the attack to take place. Failing to change the passwords might mean that the cyber criminals could use information from these accounts to launch another attack once your charity recovers.
Common mistake to avoid: Do not reuse the same password for different accounts, as this makes it far easier for cyber criminals if they manage to get hold of it.
The next thing you need to do is understand how the cyber criminals were able to attack your charity successfully, and what you need to do to fix this vulnerability so that they or any other hackers will be unable to exploit it again.
There are many possible reasons that your charity was vulnerable to an attack.
These could include running older, unpatched versions of software, employees inadvertently downloading malware from a phishing email, or someone using an easily-guessable password.
In any case, it is likely that you will need to employ outside experts to get to the bottom of how your charity was attacked, and how to prevent it from happening again.
Common mistake to avoid: It can be tempting to try to do this step without outside help. But a “fresh pair of eyes” can often check your systems more thoroughly and discover problems more quickly than someone who is too familiar with your computer systems.
Perhaps the most important step in this whole process is getting a complete understanding of the impact of the cyber attack. To do this you need to understand what data was accessed, modified, or stolen, who might be affected by this, and what the consequences of this are.
Common mistake to avoid: Don’t forget that you also need to understand what other actions the cyber criminals might have taken during their attack, including putting more malware on your systems. If the hackers installed keyloggers on your computers, for example, then as soon as your charity’s computers are reconnected to the internet the hackers will be able to monitor your activities and intercept passwords and other information that you type in.
After a cyber attack on your charity you should report the incident to Action Fraud by submitting an incident report. If the attack is still happening, or resumes after you thought it had stopped, you can call 0300 123 2040 and press 9 on your keypad. This will allow your call to be dealt with as a priority and your live incident will be triaged over the phone.
If your organisation has been the victim of a significant cyber attack, the NCSC recommends that you start by reporting the incident to them.
Things get more complicated if the cyber security attack has led to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data. That’s because if (and only if) it is likely there will be “a risk to people’s rights and freedoms” then your charity is obliged to report the breach to the Information Commissioner’s Office (ICO). This should be done without undue delay, and in any case within 72 hours of discovery.
If you are not sure whether you need to report the incident, you can take the ICO’s online self-assessment.
If the breach poses a high risk to the rights and freedoms of individuals (rather than a risk just being likely), the UK GDPR states that those individuals must be informed as soon as possible. This could include employees, volunteers, donors, users of your charity’s services, and any other of your charity’s constituents.
Many experts recommend that you communicate with those affected as soon as possible in an open and sincere manner, and admit any mistakes that you have made. You should also provide full details of how the cyber criminals were able to attack your charity systems successfully (such as a failure to update software) and explain what you plan to do for any constituents that are affected by the data breach (such as offering them free credit rating monitoring).
Common mistake to avoid: If your charity has cyber security insurance, don’t forget to inform your insurers as soon as possible. Failure to do this, or to follow any additional steps that the insurer requires, may invalidate any claim you plan to make.
It almost goes without saying that the final step is to fix any vulnerabilities that the experts in the second step discover.
Common mistake to avoid: As well as fixing any vulnerabilities, don’t forget that it is vital to put processes in place to ensure that similar attacks cannot happen again. For example, if the cause of the attack was a failure to update a particular software package, then you need to put a system in place to ensure that in future all software is updated as soon as possible after new versions are released.