Cyber Risks To Charities – What Do You Need To Know?

A new report by the NCSC (National Cyber Security Centre) outlines the growing threat that charities face and how they can become resilient to it. We have summarised the key takeaways from the report below. Cyber-attacks that disrupt a charity's services, divert its funds, or compromise donors' sensitive data can be devastating both financially and reputationally, and can put vulnerable people at risk. Taking steps to ensure that charities are resilient is not an optional extra but a core part of good governance.

Why is the charity sector particularly vulnerable? 

The charity sector faces the same cyber risks as private sector and government organisations, but there are some reasons why charities could be particularly vulnerable to cyber-attack:

Charities are attractive targets for many hostile actors seeking financial gain, access to sensitive or valuable information, or to disrupt charities' activities. There is a reluctance to spend resources, money, oversight and staff effort on enhancing cyber security rather than on front line charitable work. Many charities have a high proportion of part-time staff and volunteers, and so have less capacity to absorb security procedures.

The impact of any cyber-attack on a charity might be particularly high, as charities often have limited funds and minimal insurance coverage and, by their very nature, are a supplier of last resort, providing services where there are no adequate government or affordable private sector alternatives.

Like many other organisations, charities are increasingly reliant on IT, and cyber criminals make no distinction between charities and businesses. Even if a charity is not a direct target, organisations in its supply chain may be.

The main threat actors and methods of cyber-attack:

Cyber Criminals 

Motivated by financial gain, cyber criminals may seek to steal funds held by charities directly, or to profit indirectly through fraud, extortion or data theft.

Cyber criminals range from advanced, professional groups to small-scale fraudsters. The technical skill required to commit cyber offences varies with the attacker's goal, and some of the tools required are available through online criminal forums.

There is a growing availability of criminal services for hire. This has increased the scale of cyber crime and made it less targeted: rather than singling out a particular organisation, criminals attack thousands of organisations at once using largely automated tools that require little technical knowledge.

Nation States 

Nation states conduct cyber activities to further their own national agenda and prosperity, or to disrupt organisations and individuals working on issues the state disagrees with.

Hacktivists

Hacktivist is a term used to describe computer hackers motivated by a specific cause, for example to further political or personal agendas, or in reaction to events or actions they perceive as unjust. Hacktivists have successfully used distributed denial of service (DDoS) attacks to disrupt websites, or have exploited weak security to deface them.

Insider threat 

Insider threat is the deliberate or accidental threat to an organisation's security from someone who has authorised access, such as an employee, volunteer, contractor or supplier.

Malicious insiders can pass credentials to attackers or conduct activities such as stealing data. They may be motivated by a grievance against the organisation, ethical concerns about its activity, or financial pressures that leave them vulnerable to coercion. However, insider threats are not always malicious: breaches of security by staff can stem from unclear or onerous processes, a lack of training, or simple mistakes.

Supply chain attacks 

A charity does not have to be attacked directly to be affected. It is common, especially for smaller charities, to outsource the responsibility for running, maintaining and securing their IT and data to specialist support companies, and a compromise of one of those suppliers can affect every charity that relies on it.

Phishing

'Phishing' is when criminals use scam emails, text messages or phone calls to trick their victims.

Phishing is often untargeted, taking the form of a mass email, text or cold calling campaign. However, an attacker may use information gathered about a specific target to make their messages more persuasive and realistic (sometimes known as 'spear phishing').

The outward facing nature of charities, the culture of trust in the sector, the reliance on volunteers, staff using personal IT, and the reluctance to spend limited funding on cyber security training and measures could all make charities particularly vulnerable to this kind of criminality.

Fake organisations and websites 

Criminals can exploit the credibility and appeal of charities to trick donors into giving money to what appears to be a legitimate charity, either by setting up fake charities or by impersonating well-known charity names to add credibility to phishing campaigns. Although this activity does not target charities directly by cyber means, it has potential financial and reputational ramifications for genuine charities.

Ransomware

Ransomware is the most harmful cybercrime threat to the UK today. It is a type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files. A criminal group will then demand a ransom in exchange for decryption, while threatening to delete or leak the data they have stolen. The technique is now so evolved that criminal groups offer Ransomware as a Service (RaaS), whereby ransomware variants and commodity listings are available off the shelf for a one-off payment or a share of the profits.

How Can Charities Protect Themselves?

The NCSC recommends that all charities:

  • Read and implement the NCSC's guidance, specifically created for charities.
  • Improve staff and volunteers' cyber training and awareness.
  • Consider using the NCSC's Active Cyber Defence service, which provides a range of automated protections to charities free of charge.
  • Ensure that the board understands its responsibility regarding cyber security.
  • Achieve Cyber Essentials certification, a government-backed scheme that sets out the minimum level of cyber security all organisations should have in place.

You can read the full NCSC report here.