Charities underestimate cyber threat at their peril

05 April 2018

Issuing new guidance, the UK’s National Cyber Security Centre (NCSC) has warned that charities are increasingly targeted by cyber attacks.

The NCSC issued a reminder to charities that they are not immune to cyber crime. In fact, charities and voluntary organisations of all sizes are falling victim to a range of attacks, and the consequences can be devastating, it said in a recent update.

In January 2018, the UK’s Information Commissioner’s Office (ICO) opened an investigation into Age UK following two unrelated data breaches that resulted in the loss of employee personal data. The incident followed a security breach at the Royal National Institute of Blind People that revealed the payment card details of customers at its shops.

The ICO investigated a total of 110 data security incidents involving charities in 2017, with a 41% increase in reported incidents in the fourth quarter. The ICO also fined 11 charities in the spring of 2017 for misusing donors’ personal data.

EXPOSURES

Charities are an attractive target for cyber criminals. They are exposed to many of the same risks seen in other sectors, not least the personal data they hold on donors and employees. Many also accept online or telephone donations, making them susceptible to credit card payment fraud and theft.

Charities are also open to ransomware and extortion, as well as cyber-enabled fraud, such as phishing attacks or social engineering aimed at stealing funds, passwords and data. Charities have also been hit by distributed denial-of-service (DDoS) attacks for extortion or politically motivated attacks by nation states.

According to the NCSC, charities have additional vulnerabilities to certain types of cyber crime due to the trusting nature of the sector. For example, charity staff may be more susceptible to being socially engineered into clicking on “dodgy links” within an email, which can then infect the computer with a virus.

Many charities are small organisations and any loss of money or disruption could be very damaging. Whether large or small, a cyber incident (such as a ransomware attack) could affect the ability of a charity to carry out its day-to-day work, and could potentially undermine donors’ trust.

NATION STATES

Non-government organisations (NGOs), lobby groups and think-tanks are also vulnerable. Earlier this year, cyber security firm Crowdstrike revealed that a number of think-tanks have been hacked by China. The firm found that an attack group linked to the Chinese state targeted UK think-tanks specialising in international security and China.

Cyber security firm FireEye noted that international and non-profit organisations face a threat from hacktivists and advanced persistent threat groups looking to monitor their activities or to conduct espionage. FireEye said hackers stole some 17,000 data files from a western NGO operating in China, while a separate Chinese hacker group breached security at another non-profit research organisation, hijacking its website to target the site’s visitors.

Digital campaign group Access has previously warned that NGOs – including those that campaign for human rights, consumer rights and civil liberties - were increasingly at risk of cyber attacks. It said that NGOs had not put the same energy and capability into cyber defences as other organisations facing similar threats.

UNDER-PREPARED

Despite an increasing reliance on technology, cyber security at charities and NGOs is not always a high priority. A 2017 survey of non-profit and NGOs by the Institute for Critical Infrastructure Technology found that only half have a formal cyber security function or framework. An earlier survey by US accounting firm CohnReznick found that around half of the non-profit organisations they surveyed said they had not completed a cyber-risk assessment in the past year.

Charities face their own specific challenges when it comes to cyber security. For example, cost control is particularly relevant for charities, and cyber security is seen as expensive. Charities also typically lack in-house IT and cyber security skills and resources.

The UK’s Department for Digital, Culture, Media and Sport (DCMS) said there is a need to raise basic awareness of cyber security among charities. Charities are most concerned with loss of personal data and funds, but their increasing dependency on technology means that they also need to consider the loss of non-personal data that could impact their ability to function, the DCMS said.

The DCMS found examples of charities that had incurred cyber security breaches where non-personal data was lost, and where organisations spent considerable time getting their data restored. There were also examples where charities had incurred a sizable financial cost from a cyber security breach.

As a result, the NCSC has created a Cyber Security: Small Charity Guide, which contains simple steps that will help protect organisations from the most common types of cyber crime. The advice contains five areas for charities and voluntary organisations of any size to focus on.

GDPR

Like other sectors, charities will face increased data protection requirements and potentially higher fines under new EU privacy rules, the General Data Protection Regulation (GDPR), which is implemented in May 2018. However, many charities are unaware of the rules or have underestimated its impact.

A survey carried out by specialist charity insurer Ecclesiastical found that more than a third of smaller charities do not know that the GDPR will be enforced from May 2018. Last year’s DCMS survey also found that awareness of GDPR was low, reflecting that many had not looked into the upcoming regulatory changes. At most, some participants had read up on the topic but had not taken any action to adhere to GDPR, it said.

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on cyber@jltgroup.com.