
Charity cyber threat report

Charities are falling victim to a range of malicious cyber activity, but the scale of this activity is unclear due to under-reporting. While some charities report breaches to the Charity Commission and/or law enforcement, other incidents may be only reported internally to trustees or IT providers and dealt with in-house. Incidents may not be reported externally for fear of reputational damage. So says the National Cyber Security Centre (NCSC) in a 14-page report on the sector.

Larger charities, especially those operating like major corporations, are in a better position to allocate specific cyber security responsibilities and take a proactive approach to cyber security. For smaller charities with resource constraints, and where individuals often perform multiple duties, this may not be deemed possible or necessary, the NCSC adds. It notes that many charities – particularly smaller ones – do not perceive themselves as targets. To download the report, visit the NCSC website: See also a blog by the NCSC: ‘We’re trying to cure cancer, why would anyone attack us?’.

As the report points out, charities have a duty of care to safeguard their information. The General Data Protection Regulation (GDPR), which is due to come into force in May 2018, will impose increased penalties on organisations that fail to adequately protect their data, and makes breach notification mandatory in some situations. Good security is essential for GDPR compliance. We consider that some UK charities are unprepared for the introduction of this important legislation, and do not understand the link with robust cyber security.

Cyber incidents now often feature prominently in media reporting. There is a growing awareness amongst businesses of the potentially major consequences of a significant data breach and a recognition of the need to allocate specific responsibility and accountability for cyber security. For a charity, a cyber incident that renders funds or information inaccessible may ultimately affect its ability to deliver its services. The adverse publicity of a breach could affect the integrity and reputation of the particular charity and that of the sector in general. As charities compete for funds, a cyber incident may (at least in the short term) discourage donors, which could in the extreme pose an existential threat to a small charity.

As for where the threat comes from, the NCSC says that cyber criminals and other groups will continue to use tried-and-tested capabilities but will develop and refine methods in response to changes in defences. Spear-phishing will continue to be a highly effective infection tool: well-crafted bogus emails that enable social engineering and deliver malware will remain successful, despite measures to enhance employee awareness. Ransomware attacks will continue to target businesses and organisations, driven by the perception that such targets are likely to yield higher returns than the targeting of individuals.
David Emm, principal security researcher at cyber security firm Kaspersky Lab, said: “The threat of cyber-attacks is very real, and no business or individual is immune from online crime. Any organisation in today’s digital world is vulnerable and charities face the same risks as any other sector. Every charity with some form of online presence can be attacked – through a direct hack, ransomware, fraudulent e-mails and phishing attacks – which leaves the charity itself, its donors and other stakeholders at increased risk.

“Charities are a big target for cybercriminals because they have valuable data, including personal information, which is of huge value to attackers. It can also result in the loss of funds, affect a charity’s ability to help those in need and damage its reputation. It is important that charities realise they have a responsibility to implement procedures for recognising and responding to these threats, particularly because of the vast amount of personal and financial information that they hold. Charities need to do more to educate their staff and ensure they dedicate enough time and resources as any other organisation would to improve their cyber-security and protect their assets.”

And Sarah Armstrong-Smith, Head of Continuity and Resilience at Fujitsu UK and Ireland, said: “Indeed, charities are especially vulnerable to social engineering and phishing attacks as people typically see them as trustworthy, meaning they are more likely to give a donation (or series of donations) to causes they feel strongly about.

“While the NCSC assessment is focused on the charity sector specifically, all organisations in the public or private sector, no matter what shape or size, are vulnerable to a cyber-attack. Companies need not only be concerned with protecting their data, but with the entire operation of the company itself. As we have seen in the past year, cyber-attacks can set out to completely paralyse organisations at a national and international scale, creating havoc, and resulting in a complete shutdown of services.

“Cyber criminals are becoming increasingly bold, finding new and creative ways to dupe people into revealing compromising sensitive financial and personal data. This means that ‘unusual behaviour’ is getting harder to detect and might not seem unusual at all. While continued investment in technical and security controls is paramount, with employees on the front line of this battle, upskilling staff and making them more cyber aware is one of the most cost-effective ways of reducing the probability and impact of human error.

“With our latest report revealing that a fifth of the UK public believe cybercrime and hacking are the biggest challenges facing the UK today, every single organisation has an obligation to make data protection as much of a priority as the public does. After all, cybercrime is not a probability, it is an inevitability, and it will be the way in which businesses prepare for it, however, that can make all the difference.”