The latest ‘Cyber Security Among Charities’ report was issued in August 2017, and it gives a clear indication that charities are under as much threat from cyber-attack as any other business.
The majority of the charities interviewed in the report assume that cyber security is more of an issue for businesses than for charities, on the basis that cyber attackers go after those they believe to have more cash in the bank. This opinion can be extremely detrimental to charities, as it potentially contributes to making the sector more of a ‘soft target’ for these sorts of attacks.
The following case study demonstrates the consequences of a large charity having their email hacked:
“The CEO of a large charity that delivered music lessons and events in their local community had their email hacked. It sent out a fraudulent message to the charity’s financial manager, instructing them to release funds to pay for new equipment. The financial manager used Faster Payments to transfer the funds.
The breach was identified the next day, when another fraudulent email was sent asking for the release of more funds. The charity could not recover the funds and ultimately lost £13,000. As a result of the breach the charity revised their policies on authorising payments, with at least two members of staff and the CEO subsequently having to sign off any payments.” “Because it’s the CEO, you think, ‘oh he must know what he’s doing,’ and if he’s told you to do something you do it, you’re less likely to question it.”
There’s a common misconception that cyber security only requires ‘common sense’ and is a ‘non-priority’ issue, which leaves most organisations not appropriately prepared when an attack happens. It seems that many organisations are unwilling to put the necessary time into a cyber security strategy: the report found that the charities with the most effective cyber security strategies were those that had already suffered an attack. That stresses the importance of implementing a successful strategy before it’s too late.
A further risk to charities is the belief that finances are the only thing cyber attackers are after. The non-personal data the charity holds can be just as important to the day-to-day running of the organisation, and the detrimental effect that losing it could have should not be underestimated. This includes day-to-day files and all non-personal data.
Imagine trying to run your charity after all of your files went missing. How many days’ work would you lose trying to recreate all your lost information?
What can we do?
There are a few straightforward steps your organisation can take initially to protect your information from attack: