Unfortunately, in today's world we need to be ever mindful of the risks we must protect our organisations from. There has been a lot of talk over the years about cyber security, but there is still a huge amount of misunderstanding around what it is, what it means, how it works and what we should do about it. Yet a successful cyber attack and/or a data breach can have a telling impact on an organisation, with both financial and reputational implications. We asked cyber security expert Andy Larkum to share his top three tips to improve the security of your charity.

What do the stats say?

The Department for Culture, Media and Sport (DCMS) delivers an annual report, the Cyber Security Breaches Survey. Its 2022 report stated that:

  • 30% of charities report having some kind of cyber security breach or attack in the last 12 months.
  • 62% of high-income charities (income of £500,000 or more) and three-quarters of very-high-income charities (£5 million or more) recorded breaches or attacks, making them significantly more likely to do so than smaller charities.

From this we can draw two clear conclusions:

  • Cyber security is certainly something that charities should be concerned with; and
  • Smaller charities are less likely to have the technology or resources to identify attacks or breaches.

What is cyber security?

From the top: cyber security is the discipline of securing data against the consequences of people interacting with technology and data. Those three things (people, technology and data) pose little risk in isolation; put them together and we have the potential for a whole world of pain!

Take a laptop as an example. Sat on a desk and left alone, a laptop is unlikely to present much of a risk. Put some sensitive data on the laptop and the risk increases, particularly if you connect that laptop to a network. Sit a person in front of that laptop and the potential for something going wrong with the data that it holds escalates dramatically.

A cyber attack is the generic name for a technology-enabled security incident that involves data. The incident may involve the manipulation of people (we call that social engineering; more on this later) or a user error (someone did something wrong by accident).

However, when we talk about cyber security, we have to throw the net slightly wider. The description of a cyber attack above assumes that a 'bad actor' is deliberately attacking us. Many cyber security incidents are caused by accidents, where an employee or other unfortunate individual does something that results in a data breach. We're trying to stop that too.

Like for instance?

Let's make it easy and consider something we've probably all done. Have you ever sent an email to the wrong person? Of course you have; we all have! So let's imagine that you attached to that email a spreadsheet full of personal data. It was supposed to be an internal email, but your email client helpfully swapped the internal email address for someone else with a similar name. The result is a reportable data breach (under the GDPR). This type of cyber security incident didn't involve a bad actor, but it was technology-enabled and involved a person (or people) and data.

What's the biggest threat right now?

Right now, phishing is the most common form of cyber attack. Phishing is a version of email fraud that we've probably all encountered. One particular flavour of phishing email is 'credential harvesting'. This is where the email contains a link to a site that looks a LOT like a legitimate website (such as PayPal, Microsoft or Google).

The victim clicks on the link, and then attempts to sign into the website, thereby handing over their login credentials to a bad actor. The bad actor can then access the real system using the victim's details.

Some phishing emails are genuinely terrible. Others, however, are incredibly sophisticated. In fact, the level of sophistication of phishing attacks is increasing year on year, with phishing tools able to apply social engineering data (for example, information learned about the target from social media) and automated machine learning to improve the levels of success.

Three practical improvements

There are usually some practical things that organisations can do to improve their security. Here are some quick wins:

Multi-Factor Authentication (MFA)
MFA is where, having entered your username and password, you then need to enter a code that is either generated by an app on your phone or some other kind of device, or sent by text message. MFA makes it much harder for a bad actor to take over your account: with MFA enabled, not only do they need to obtain your password, they also need access to your device.

MFA is, of course, an additional layer of inconvenience. That said, the improvement in security is substantial. It's our opinion that MFA should be enabled on all email accounts. Further, any administrator accounts, accounts that provide access to financial processing or personal data, should all be protected with MFA.

Access reviews
You would be amazed (or perhaps not!) how few organisations conduct access reviews. As a result, it is not uncommon for ex-employees to still have access to confidential information, including personal data, or for the wrong employees to have access.

Dormant accounts (of those who have left) are also not likely to be monitored. As a result, should the account be compromised, it is unlikely that anyone will notice for a while, increasing the opportunity for a bad actor to gain further access.

Improving processes to ensure the timely removal of access to information and systems (accounts or permissions) can reduce the opportunity for breaches. 
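The access review described above can be partly automated. The following is an added example, not something from the article or from Andy's practice: it takes a user export of the kind most directory or HR systems can produce (here a constructed CSV with made-up names), and flags leavers whose accounts are still enabled, logins that occurred after a leaving date, and accounts that have been dormant for more than 90 days. The column names, the 90-day threshold and the fixed review date are assumptions made for the example.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; names and dates are invented for this example.
SAMPLE_EXPORT = """username,department,employment_status,leaving_date,last_login,is_admin
alice,finance,active,,2024-05-01,true
bob,fundraising,left,2024-01-15,2024-03-02,false
carol,operations,active,,2023-11-20,false
dave,it,active,,2024-05-03,true
erin,hr,left,2024-04-30,,false
"""

AS_OF = date(2024, 5, 6)  # fixed review date so the results are reproducible
DORMANT_DAYS = 90         # assumed threshold; choose one that suits your organisation


def parse_date(value: str):
    """Return a date for an ISO string, or None for an empty cell."""
    return date.fromisoformat(value) if value else None


def load_accounts(csv_text: str) -> list:
    """Parse the export into plain dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        accounts.append({
            "username": row["username"],
            "department": row["department"],
            "left": row["employment_status"].strip().lower() == "left",
            "leaving_date": parse_date(row["leaving_date"]),
            "last_login": parse_date(row["last_login"]),
            "is_admin": row["is_admin"].strip().lower() == "true",
        })
    return accounts


def review_access(accounts: list, as_of: date = AS_OF, dormant_days: int = DORMANT_DAYS) -> dict:
    """Return {username: [flags]} for every account that needs a human decision."""
    findings = {}
    cutoff = as_of - timedelta(days=dormant_days)
    for acct in accounts:
        flags = []
        if acct["left"]:
            # Every account in the export is still enabled, so a leaver is a finding.
            flags.append("leaver_still_enabled")
            if acct["leaving_date"] and acct["last_login"] and acct["last_login"] > acct["leaving_date"]:
                flags.append("login_after_leaving")
        # Never logged in, or not logged in since the cutoff, counts as dormant.
        if acct["last_login"] is None or acct["last_login"] < cutoff:
            flags.append("dormant")
            if acct["is_admin"]:
                flags.append("dormant_admin")
        if flags:
            findings[acct["username"]] = flags
    return findings


if __name__ == "__main__":
    for user, flags in sorted(review_access(load_accounts(SAMPLE_EXPORT)).items()):
        print(f"{user}: {', '.join(flags)}")
```

Run against the sample, the review flags bob (left in January, account still enabled, and used in March), carol (no login for well over 90 days) and erin (left, never logged in), while alice and dave need no action. Each flagged line is a question for a manager to answer, and the "login after leaving" case in particular is exactly the quiet misuse of a forgotten account that the article warns nobody tends to notice.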

Education and training
Understanding the 'why' of information security leads to much better results and less friction when we introduce the 'how' (technical controls) of security. All employees should have some level of security training, relevant to the type of information they have access to.

Don't become a victim 

The risk of a cyber security attack and/or data breach is evidently high. Failing to take steps to protect our organisation is likely to result in our becoming another victim, with our employees and benefactors ultimately paying the price. We must ensure that adequate security measures, both technical and physical, are in place, and that we help our employees to understand why security is in place and how to work with it rather than against it.

But what happens if the worst does happen and your charity suffers a fraud or cyber crime? We find that we are talking to our clients about incidences of attempted or actual fraud, particularly cyber or online fraud, with increasing regularity. We share some tips on page 16 of our Charity and NFP Outlook about what to do if you discover a fraud.

Download our 2023/24 Charity and NFP Outlook

Andy Larkum has over 18 years' experience in the IT industry. In recent years, he has specialised in cyber security and the GDPR and provides seminars on the same. His ability to explain technical IT matters to his listeners makes his talks not only informative, but also interesting and engaging. He has also delivered consultancy support for the GDPR, ISO 27001 and/or Cyber Essentials to a range of industry sectors, including accountants, financial software developers, schools, construction, and social and medical research companies.

Andy is a regular presenter for 2020 Innovation Training Limited, including on their Risk & Regulation webinar series: https://www.the2020group.com/webinar-products/risk-and-regulation-2023/

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.