This event report is written by the NetSquared London team, including Ellie Hale, Matt Moorut, Kate White, and Siddharth Bannerjee.
Although charities too often ignore the risks, stats compiled by the government on cyber threats speak for themselves: 50% of all organisations (not just charities) have experienced a cyberattack in the last year. What’s more, of the companies that suffer cyberattacks, roughly 60% go bankrupt.
The avenues of attack are growing all the time. Whether through malware or full-on spear phishing, the risks are more prevalent than you might think, and potential damage can be crippling for charities.
Why are charities being targeted?
At NetSquared London’s recent meetup on cybersecurity in charities, Nick Denning, CTO at security firm CySure Limited, explained that charities are notoriously bad at protecting themselves, making them easy targets for unscrupulous hackers.
Unfortunately, small charities in particular are the most at risk from ransomware and phishing scams as they seldom have policies and processes in place to help their network and users stay secure.
If this sounds familiar, there are steps you can take, and they needn’t be too onerous.
One of the most straightforward measures for charities of all sizes to implement is Cyber Essentials, the government-backed scheme to help organisations protect themselves against common threats, according to Phil Anthony, founder of CoopSys.
Email: Email is the biggest access point for viruses and malware, with smaller organisations the most vulnerable. Mailshell donations available to charities can help those not using Office 365 or Gmail, while staff education and active policies remain important in every case.
Devices: Anything added to an IT system can be leaked or stolen – be that a server or a memory stick. Sensible limits should be set on employees’ ability to save files offline, and devices should always be encrypted in some way in case of theft.
Inductions: Have an induction process for new staff and volunteers who want to use their own devices. Add them to your secure network and ensure that they understand what can and can’t be accessed on, or added to, the network.
Encryption: Use FileVault if you’re using an Apple device running macOS, or turn on BitLocker if you’re using Windows 10.
Ellie Hale, Digital Fellowship & Communities Lead at CAST, has written up the more detailed advice shared at the NetSquared London meetup, which was delivered by Nick Denning of CySure Limited and Phil Anthony, founder of CoopSys, both of whom spoke at the event:
Back-up policies can cover a multitude of sins! Regular backups to disk let you recover your data properly. If you move to cloud services like Office 365 for Non-Profits or G-Suite for Nonprofits, a lot of these problems disappear. You can also use ‘snapshots’, which is where you take a mirror copy of the disk.
Malware through email
CryptoLocker is a common form of ransomware in which individuals receive a credible (but rogue) email that they click through, which then downloads malware that locks up all your drives. Victims often need to pay in bitcoin to unlock systems and, even then, can’t guarantee getting all data back. Around 2% of the charities that CoopSys deal with have had this happen to them.
In Office 365, emails are pre-screened, but on-premises Microsoft Exchange is potentially more exposed. This can be mitigated through programmes like Mailshell and through sensible admin controls. Gmail is different in that Google controls the account safeguards – not admin users – although Google evidences high standards of smart, AI-based pre-filtering.
Anthony recommends getting your own email servers up and in the cloud with everyone having their own account.
If you are attacked, you’ll need to know how it happened so that it doesn’t happen again, so don’t just throw your compromised kit away.
Password managers can be helpful as users then only have to remember one master password to keep all others secure.
Still, password security can be tricky to balance, as high-level security and authentication software that ends up slowing down your workflow will often lead to people circumventing it altogether.
Everyone has resource constraints, so the key is spending money wisely. Denning suggests aiming to cover all bases to a basic level before investing heavily in one particular area. Your security is only as strong as the weakest link.
Following Cyber Essentials mitigates most risks, according to Denning. Becoming accredited with Cyber Essentials actually grants a small amount of cyber insurance cover as it means you can demonstrate to your insurance company that you’re doing the right thing by having the right policies. It’s usually more beneficial to put any additional money that would be spent on insurance into better protection, thus mitigating recurring risk.
People, processes and technology
People are always the hardest part of cyber security, because essential security controls often slow down daily work.
Establish a process for setting rules of what the right thing to do is, and also for checking the right things are being done.
For micro-charities or individuals who think they might have been targeted or compromised, Google the suspicious message you’ve been sent and see if it’s been reported as a phishing scam.
When completing a risk assessment, think of the potential reputational damage as well as financial. Consider what you have of value in your charity. What do you store that could be stolen?
There are services online that allow you to assess your vulnerability for a modest cost, while some tools are free and can show if staff members’ emails have been compromised.
Prepare for the best, but plan for the worst. Think about what would happen if all your IT didn’t work - would your organisation still be able to operate? What is your Plan B?
Taking time out to consider your contingencies will pay off if anything does happen.
Cyber Essentials alignment and certification
Some government funding may become reliant on Cyber Essentials compliance, making this more pressing for charities. Depending on how much you work with government, there may be additional criteria you need to pass.
Accreditation does come at a cost, however, and incurs an ongoing cost each year - even if you only go down the alignment route. The hard thing is keeping it up and staying updated. CoopSys spends about £5k a year on staff time to ensure compliance - they’d like to spend this elsewhere, but judge the alternative as potentially more costly.
Who to trust
A lot of this may seem like common sense, but many people don’t understand the questions they should be asking and need help navigating this field. Due diligence before adopting a new security company or consultant is essential.
A good IT person should understand the language of cybersecurity and be able to translate the jargon and help you do your risk analysis. They may not understand the best cyber defences but at least they understand the scope of the problem.
Where to go to for more help and information
Charities can keep their systems up-to-date and secure cheaply by using Tech Trust’s services.
A range of security software is available through their IT donation programme, including:
For operational processes, a first port of call should be reading up on Cyber Essentials. You can also keep an eye out for future events on this topic where you can find out about the issues other people have faced and learn from them.
Look for charities who are doing roughly the same thing as you in the same context and learn from them. And be generous in sharing your own knowledge and learnings!
Finally, Charity Digital News publishes news of any new digital threats, particularly where relevant to the charity sector. As well as news, the site contains deeper pieces on security, such as this one.