Today marks the start of Charity Fraud Awareness Week, a week specifically set up to provide charities with valuable advice on how they can protect themselves from the threat of fraud and cybercrime.
With a total annual income of over 69 billion, charities are hugely vulnerable to attack and are proving to be a lucrative target for cybercriminals. They have access to sensitive data, receive huge amounts in donations, and will typically have a lower level of cyber security than larger organisations.
If hackers manage to gain access to this sensitive data, the results can be devastating. Just one data breach could damage a charity’s reputation and discourage people from donating money. It could also have more serious ramifications if confidential patient data is leaked.
Cybercriminals don’t care about the good causes that charities support; they simply view them as soft targets with lots of attractive weak points to exploit.
According to the Cyber Security Breaches Survey 2020, over a quarter of charities (26%) experienced a cyber attack in the last 12 months. The most common attack method was phishing (85%), followed by impersonation (39%) and then viruses or other malware (22%).
Ransomware was only responsible for 10% of these breaches; however, it continues to prove a successful attack vector as evidenced by the recent attack on cloud computing firm Blackbaud.
Blackbaud is one of the largest providers of fundraising, financial management, and supporter management software to the UK charity sector. In May 2020, the company was hit with a sophisticated ransomware attack that affected over 30 UK charities.
The company said that no credit card or payment data was compromised in the attack, but they opted to pay the ransom to ensure the data was not made publicly available or shared elsewhere.
Due to the vast amount of personal and financial information that charities retain, they must look at ways of strengthening their systems to prevent opportunistic criminals from launching attacks.
How can charities protect themselves?
To protect their data, assets, and reputation, charities will need to identify the key areas that could be exploited by cybercriminals and implement a layered approach to defend their organisation from attack.
Preventative measures include:
- Staff awareness and education
It’s easy to assume that most cyber attacks result from hackers breaching security systems, but more often than not they are a direct result of an employee clicking on a malicious link. Educating staff on evolving cyber threats is one of the most important preventative measures that a charity can take.
- Regular backup of data
Charities have access to valuable data, so it’s vital they make regular backups of important files using an external hard drive or an online storage provider. This will ensure that in the event of a cyber attack, charities can retain their critical data.
- Restrict access to sensitive data
In order to secure critical data, charities should have a tiered structure in place that differentiates between sensitive and non-sensitive data. This will restrict access to sensitive data and ensure that only employees with the highest level of clearance can access this valuable information.
- Anti-virus software
Charities operate on tight budgets but it’s important they invest in the latest anti-virus software to detect any threats and block unauthorised users from gaining access. Software should be updated on a regular basis to prevent hackers from gaining access to systems through vulnerabilities in older and outdated programs.
- Strong passwords
Creating a unique password is one of the easiest ways to avoid being hacked. A strong password should be between 8 and 15 characters long, mix uppercase and lowercase letters, and include numbers or symbols. For further defence, users can create a passphrase. The first letter of each word will form the basis of the password and letters can be substituted with numbers. A passphrase is typically longer than a password and a lot harder to crack.
- Manage use of portable media
As the use of portable media devices has increased, so have the associated security risks. A seemingly harmless portable media device has the potential to trigger a massive cyber attack, even when the targeted computer system is isolated and protected from the outside. Human error remains the number one cause of all cyber attacks, so staff should ensure they are following the correct procedures when handling removable media devices outside of the office.