In light of Charity Fraud Prevention Week, Deryck Mitchelson, Field CISO at cybersecurity company Check Point, provides practical steps to help charities avoid falling victim to cybercrime.
Recently, the Charity Commission warned against the risk of online fraud after its new survey found that around one in eight charities had experienced cybercrime over the last 12 months. Unfortunately, many have little to no basic cyber hygiene measures in place, let alone preventative solutions. This is likely due to dwindling resources and prioritising spending in other areas. As hackers become increasingly ruthless, this is now a matter of survival. A successful cyberattack could have devastating effects and in some cases shut down a charity, regardless of their size.
According to Check Point Research, UK organisations have faced an average of 790 cyberattacks per week over the last six months. Cyberattacks continue to increase across all sectors, and charities are no exception. The Scottish Association for Mental Health was hit by a crippling ransomware attack in March 2022, claimed by the RansomEXX group. The Red Cross also suffered a breach in January 2022 in which the data of more than 515,000 highly vulnerable people was compromised.
A new report carried out on behalf of the UK Department for Digital, Culture, Media and Sport found that less than half (42%) of UK charities feel confident in their ability to deal with an attack. Against that backdrop, Deryck Mitchelson offers three practical steps to support charities in their cybersecurity efforts:
- Limit access: Charities often rely on many volunteers, whether on a full-time basis or to help during a specific fundraiser or busy period. Each individual typically brings their own device, uses it to access the wider network, and often retains those permissions after leaving. This widens the attack surface and makes it harder to control. If just one volunteer accidentally clicks on a malicious link or scam text, the charity itself becomes vulnerable. To combat this, charities should remove inactive accounts, revoke access as part of a volunteer's departure rather than leaving it to lapse, and tier permissions according to the volunteer's role so that nobody holds more access than the role needs.
- Educate staff and volunteers about the risk of phishing scams: Cybercriminals cast the net far and wide with mass phishing attacks, typically via emails, texts and direct messages, hoping to catch someone at a busy moment and entice them into an ill-judged decision. This social engineering tactic involves an attacker imitating a known contact or trusted brand to create a false sense of security, resulting in credentials being handed over or malware being deployed. A charity may therefore fall victim to an untargeted attack simply because one of its staff members or volunteers was caught in the crosshairs of a widespread phishing campaign. It is imperative to educate all users on how to identify an attack: look out for messages with bad spelling or grammar or any urgent request for information, never click on suspicious-looking links or attachments, and verify unexpected requests through a known contact route rather than the details given in the message.
- Prevention, prevention, prevention: With many charities looking to minimise costs so as to maximise funding for their causes, it is understandable that cybersecurity may be overlooked. However, a successful cyberattack could result in a large financial hit, whether because cybercriminals gain access to funds or because the organisation is forced to pay substantial sums to regain control of confidential documents. It is not always about having the most expensive software but rather about addressing the basic principles that prevent an incident in the first place. Many successful breaches, even in larger enterprises, are not overly complex, which is why preventative measures such as keeping offline backups (copies held disconnected from the network, where ransomware cannot reach them), enforcing multi-factor authentication on email and administrative accounts, and building a solid understanding of the risks have the biggest impact.
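The first and third steps above amount to a periodic account audit: find accounts that should no longer exist, find accounts holding permissions beyond their role, and find accounts without MFA. The script below is an added example of that audit, not code from Check Point or from the article. It assumes a CSV export of accounts in the constructed format shown, a hypothetical role-to-permission tier map, and a 90-day inactivity threshold; all three are assumptions that a real charity would replace with its own directory export and role definitions.

```python
"""Account-hygiene audit over a constructed user-directory export.

Flags three things a charity's IT volunteer would want to act on:
  - accounts to remove: past their volunteer end date, or inactive
    for longer than INACTIVE_AFTER_DAYS (or never logged in);
  - accounts holding permissions beyond their role's tier;
  - accounts without multi-factor authentication.
"""
import csv
import io
from datetime import date, timedelta

# Hypothetical role tiers (assumption): each role may hold only these permissions.
ROLE_PERMISSIONS = {
    "event_volunteer": {"calendar.read", "contacts.read"},
    "fundraiser": {"calendar.read", "contacts.read", "donations.read"},
    "finance": {"donations.read", "donations.write", "banking.write"},
    "admin": {"calendar.read", "contacts.read", "donations.read",
              "donations.write", "banking.write", "users.admin"},
}

INACTIVE_AFTER_DAYS = 90  # assumption; tune to the organisation's volunteer cycle

# Constructed sample export (not real data). Dates are ISO 8601; an empty
# end_date means a standing account; permissions are semicolon separated.
SAMPLE_EXPORT = """\
username,role,permissions,last_login,end_date,mfa_enabled
alice,admin,calendar.read;contacts.read;users.admin,2024-05-20,,yes
bob,event_volunteer,calendar.read;contacts.read;donations.write,2024-05-18,2024-04-30,no
carol,fundraiser,calendar.read;donations.read,2024-01-03,,yes
dave,finance,donations.read;banking.write,2024-05-21,,no
erin,event_volunteer,calendar.read,2024-05-19,,yes
"""
SAMPLE_TODAY = date(2024, 5, 22)  # fixed "today" so the sample is reproducible


def parse_export(text):
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["permissions"] = {p for p in row["permissions"].split(";") if p}
        row["last_login"] = date.fromisoformat(row["last_login"]) if row["last_login"] else None
        row["end_date"] = date.fromisoformat(row["end_date"]) if row["end_date"] else None
        row["mfa_enabled"] = row["mfa_enabled"].strip().lower() == "yes"
        rows.append(row)
    return rows


def audit(rows, today):
    """Return findings as {"remove": [...], "excess_permissions": {...}, "no_mfa": [...]}."""
    findings = {"remove": [], "excess_permissions": {}, "no_mfa": []}
    cutoff = today - timedelta(days=INACTIVE_AFTER_DAYS)
    for r in rows:
        name = r["username"]
        # Departed volunteers and long-inactive accounts should be removed.
        if r["end_date"] is not None and r["end_date"] < today:
            findings["remove"].append(name)
        elif r["last_login"] is None or r["last_login"] < cutoff:
            findings["remove"].append(name)
        # An unknown role gets an empty tier, so every permission it holds is flagged.
        allowed = ROLE_PERMISSIONS.get(r["role"], set())
        excess = r["permissions"] - allowed
        if excess:
            findings["excess_permissions"][name] = sorted(excess)
        if not r["mfa_enabled"]:
            findings["no_mfa"].append(name)
    return findings


def audit_sample():
    """Run the audit over the constructed export with the fixed sample date."""
    return audit(parse_export(SAMPLE_EXPORT), SAMPLE_TODAY)


if __name__ == "__main__":
    result = audit_sample()
    print("Remove:", ", ".join(result["remove"]) or "none")
    for user, perms in result["excess_permissions"].items():
        print(f"Excess permissions for {user}: {', '.join(perms)}")
    print("No MFA:", ", ".join(result["no_mfa"]) or "none")
```

On the sample data the audit reports bob (past end date, and holding donations.write that an event volunteer should not have) and carol (no login in over 90 days) for removal, and bob and dave for missing MFA. Run it against a real export on a fixed schedule, such as after every fundraising event, so that access lapses are caught rather than left to accumulate.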
Mitchelson commented: “Charities are often unprepared for the devastating consequences that cyber fraud brings such as loss of revenue, loss of reputation, loss of productivity and the unplanned costs of recovering from a breach. Attacks on charities are rarely targeted, rather they get caught up in mass phishing attacks that contain dangerous website links or an attempt to solicit sensitive information. There is a false narrative that cybercriminals will not attack charities on the principles of ethics, but unfortunately hackers view their targets as a business, and the business of cybercrime is ruthless.
“It is essential that charities work on the basic principles of cyber hygiene as a minimum including prioritising multi-factor authentication, making offline backups and ideally installing anti-ransomware protection across all devices including mobiles.”