Just like all businesses, charities are increasingly reliant on digital technology for the smooth running of their operations. In turn, third-sector organisations are exposed to the same raft of threats that face their private and public-sector counterparts - threats that many charity organisations already know all too well.
According to a 2018 government report, 73 per cent of charities with incomes of more than £5m have been victims of cybercrime in the past year. With data breaches at charity organisations on the rise, it’s clear there is no limit to the depths cybercriminals will sink to for their own gain. Yet, despite the prevalence of incidents in the sector, a mere 21 per cent of all charities have a cyber security policy in place. What’s more, only 8 per cent have a tried and tested incident management process.
While many charities may not view themselves as potential targets for cyber-criminal activity, the financial and reputational consequences that can come from an incident of this nature can be disastrous for any third sector organisation. With the GDPR now in full force and the techniques of criminals growing in sophistication, investment in cybersecurity is no longer a nice-to-have.
So, just how prepared is your charity for a potential attack, and what steps should you take to mitigate the risk?
Understand the threat
The National Cyber Security Centre’s dedicated report on the UK charity sector revealed findings from a recent study in which thirty charities of varying sizes admitted to experiencing various forms of cyber breach in the last two years, including phishing emails, ransomware attacks, identity theft, website takedowns, viruses and forms of online financial fraud. These attacks had reportedly resulted in loss of funds, theft of highly sensitive data and loss of control over websites.
While the dataset used may have been small, the findings highlight the multitude of techniques used by malicious cyber-criminals and the ease with which they are able to gain access to the networks of third-sector organisations.
What’s more, the technical proficiency required to commit cyber-criminal offences is rapidly decreasing: the tools used by these groups and individuals can now be purchased online, and the availability of services for hire, such as malware and distributed denial of service (DDoS) attacks, means it doesn’t take an expert to gain access to your network.
Keep ahead of the curve
In a bid to raise awareness of the growing cyber-threat throughout the third sector, the NCSC encourages charities to join the Cyber Information Sharing Platform, a joint industry and government initiative established for organisations of all types and sizes to share threat information in a confidential environment.
In joining the platform, charities can gain early warning of potential cyber-security threats on the horizon, request access to bespoke network monitoring reports and learn from the experiences of like-minded professionals to improve their own cyber-security strategies. Of course, it isn’t enough to keep abreast of sector trends: if trustees are to improve the risk profile of their charity, they must put theory into practice.
It’s not just about training. Education around cyber-security is everyone’s responsibility, as is making sure you’re appropriately accredited against specifications like ISO 27001, a framework of policies and procedures covering all of the legal, physical and technical controls involved in your risk management process.
Deliver on-going training
While integrating the right security tools will help to mitigate the risk of an attack, the key element of a robust cyber-security strategy is on-going employee training. It isn’t enough for trustees alone to understand the risks and keep up to date with best practice.
Should an opportunistic cyber-criminal take advantage of this lack of awareness through a phishing scam, and should an untrained employee open and respond to a seemingly legitimate email purporting to come from a sender they trust, the entire network could be compromised in an instant.
It’s no use investing in new technologies such as analytics, blockchain or AI if you aren’t willing to pair them with an all-encompassing training programme that teaches staff the common red flags to look out for. Beyond the IT team, employees at every level must be well versed in best practice for data protection, an area that will need constant revisiting and refreshing in order to give the charity the best chance of mitigating the ever-growing risk of cyber-attacks.
OJO solutions provide independent consultancy to charities and the private sector. To find out how we can help you prepare your charity, contact us or call 01225 220155.