When your charity faces a cyber attack

Imagine waking up tomorrow and finding that every single one of your charity’s files had been encrypted and cyber attackers were demanding a ransom to decrypt them. Or that sensitive data about your beneficiaries had been leaked and the bank details of your supporters were being auctioned online.

Cyber attacks can be nothing short of catastrophic for an organisation, and for those about whom it holds sensitive information, and every charity is a potential target for attackers with financial motivations.

One in five charities have been attacked in the last year

The results of a government survey published last week should be sobering reading. Nearly one in five charities reported having had a cyber security attack or breach in the last year, rising to nearly three-quarters of larger charities (over £500,000/year income). They were just as likely as businesses to have faced a cyber attack.

Spread such a risk over several years and it’s clear that no matter what size your organisation, a cyber attack is a near certainty.

On the positive side, we saw that most larger charities have measures in place and have carried out audits to identify risks. But a substantial minority had not, and among smaller charities many had not.

There’s a lot you can do to lower an attacker’s chances of getting into your charity’s data.

Three Ts for good security

Good security means having the right systems, processes, and training.

• Technical measures: making sure that software is up to date, that viruses and malware are being scanned for, that users can’t run unknown programmes, and that data is encrypted and backed up.
• Training people: making sure that all your staff and volunteers are aware of the risks, use strong passwords, know to treat unexpected emails with suspicion and never to divulge login details.
• Testing it: conducting regular security assessments and checking that processes are being followed.

Humans are the weak link

You can and should have the right software and systems in place to prevent an attack, but no matter how many technical precautions you’ve taken, humans will be the weak link in any security. Approaches that rely on tricking humans rather than defeating technical security measures are known as ‘social engineering’.

The survey showed that fraudulent emails were by far the most commonly experienced attack.

All it takes is one person in your charity to open a malicious attachment in an email, or click on a bad link, and you could find your whole organisation compromised.

Even knowledgeable staff and volunteers can be vulnerable. An email purporting to come from a trusted colleague or senior manager, with an attachment they say they need you to look at urgently, could easily catch out even the most IT literate of us if we’re distracted or in a hurry.

Are you confident none of your staff or volunteers would make these mistakes? It’s a high bar to set, so it’s best to regularly remind colleagues about the risks involved. We put together a set of tips for spotting malicious emails which you may want to circulate.

Stay up to date

Ensuring that software is up to date is a crucial component of preventing attacks. Up-to-date software significantly reduces the chance of falling victim, as attackers search for older versions with known vulnerabilities. Updates for Windows are issued on at least a monthly basis so this is no mean task in itself and it requires staff to take time to make sure you’re on track.

The survey also revealed that charities were more likely than businesses to allow staff to use their own computers or smartphones on their networks, leading to an increased vulnerability from insecure software. It’s important you think about how you manage the risk if you let staff or volunteers use their own devices on your network and take advice if necessary.

Good security management is good governance

At NCVO we’ve just achieved a cyber security accreditation. This involved undergoing simulated attacks on our systems to make sure they are secure. We’re going to maintain the accreditation, which means that our systems and people will be put through their paces on a regular basis, with tests for both technical flaws and social engineering vulnerability.

It’s challenging but achievable, and we’d recommend it to all charities. It helps provide our board with assurance that we are managing these risks appropriately.

Being able to do things online has likely meant great time and cost savings for you, your donors and beneficiaries, but it’s crucial to reinvest some of those savings in security to make sure you’re doing all you can to protect both them and your organisation.

Resources and advice

We have more detailed advice on security on NCVO’s KnowHow NonProfit site.

NCVO’s trusted suppliers Phoenix Software, Pugh and Academia offer discounts to NCVO members on security software to ensure your organisation is protected against attacks.