Cyber-attacks targeted against charities are growing at an alarming rate as cybercriminals take advantage of the huge datasets many non-profits have on file.
Charitable organizations often hold sensitive personal data about their supporters and staff, sometimes including financial information.
Preventing cyber-attacks against charities isn’t always easy, though, due to constraints around time, money, or technical know-how.
However, even the smallest of charitable organizations can help protect their digital assets free of charge, thanks to several free-to-use resources available online.
But to understand what your charity needs, first you need to understand why the sector is being disproportionately targeted.
Charity case
Possibly the biggest security issue charities face is the ever-looming threat of a data breach.
Earlier this year, Oxfam Australia announced it had suffered a data breach after a malicious third party gained unauthorized access to the charity’s database.
Oxfam has not yet confirmed the number of individuals potentially affected, but it did announce that leaked data included names, addresses, dates of birth, emails, phone numbers, gender, and in some cases historical donation records.
Even the most security conscious organizations can still fall victim to a data leak due to the risk of third-party failures.
A high-profile ransomware attack at fundraising database service Blackbaud in 2020 impacted multiple charities and non-profits that used the platform to collect information on their supporters.
Blackbaud said the attacker “removed a copy of a subset of data from our self-hosted (private cloud) environment”, adding that it paid a ransom to have these datasets removed – a practice that is largely frowned upon by infosec experts.
Charities often hold a wealth of sensitive user data
‘Sad reality’
David Cummins is vice president of EMEA at Tenable, a US-based cybersecurity company that works with a number of large charities, including a worldwide aid organization.
“The sad reality is that cybercriminals are just as likely to target the third sector as any other,” Cummins told The Daily Swig.
“A report from the UK Department for Digital, Culture, Media and Sport found that 26% of charities had experienced a cyber breach or attack in 2020.
“From Tenable’s own analysis of cyber breaches in 2020, known vulnerabilities continue to be the favorite methodology for attackers.
“This is why the guidance we offer to our customers, including a number of charitable organizations, is that getting the basics right will thwart the vast majority of cyber threats.”
Cummins cited user awareness, malware detection, and system backups as key defenses against cybercriminals, though he noted that the “most effective method” is to establish basic cyber hygiene practices that all staff can follow.
“This requires organizations to take a holistic view of their infrastructure, identify those assets and systems that are critical to function, determine which vulnerabilities exist within these core areas that are being actively exploited, and update these systems to fix those flaws first,” Cummins added.
“In tandem, focus must also be placed on securing accounts – employees, service contractors, temporary workers, systems accounts, and others – and their access to, and permissions across, systems.”
Invest in training
The Cyber Helpline is a UK-based charity run by volunteers who advise citizens on security issues ranging from phishing attacks to cyber stalking.
To ensure the charity can deliver the best advice, and protect itself from attacks, its director told The Daily Swig that it invested in an e-learning platform to deliver up-to-date training/ It also holds regular talks with cybersecurity experts to provide real-life examples of what a security incident can look like.
Mark Belgrove, head of cyber consultancy at Exponential‐e and founder and director of the Cyber Helpline told The Daily Swig that it is vital that volunteers have the necessary incident response training.
He said: “In other words, ensuring that they understand the technical nuances of the digital threat landscape. Once they have this knowledge in place, they will be able to provide the highest standard of support to the victims we work with.”
Belgrove added: “This way, our volunteers develop a well-rounded view of the latest developments across the threat landscape as they happen.”
Oxfam Australia fell victim to a data breach earlier this year
In recent years, government security agencies around the world have released free resources for charities and small businesses that contain practical advice on preventing, and responding to, cyber-attacks.
For US-based charities, US-CERT has an extensive guide on its website that offers security tips for non-technical users.
Top tips for improving a charity’s security posture
The Daily Swig reached out to infosec experts with experience in the charity field and asked them what advice they had to help non-profits secure their data.
Javvad Malik, security awareness advocate at KnowBe4, said: “The first and perhaps most important tip would be from a non-technical perspective, which is to look at the organizational culture. This involves investing in security awareness so that people can make better risk decisions, even if the most sophisticated tools aren’t always available.
“The second tip would be to manage credentials. This can involve implementing multi-factor authentication, managing privilege access, or providing employees with password managers.
“The third tip would be to stay on top of critical patching, particularly for public-facing and accessible systems.”
Brian Higgins, security specialist at Comparitech, who has served as a charity trustee, said: “Add cybersecurity to your charity’s risk register as soon as possible and make it a standing item on the board agenda. This will ensure that the subject is regularly discussed at a senior, decision making and resource allocation level.
“Implement a regular and risk-appropriate data backup protocol. Ransomware is one of the most popular criminal methodologies these days, so it’s vital to be able to maintain operations should your network fall victim.
“Train all of your staff in security awareness. It’s no good making sure the managers understand phishing if the cleaners don’t know how dangerous it is to plug in a USB they find on the floor!”
Niamh Muldoon, global data protection officer at OneLogin, said it is important to understand the risks the charity is facing by keeping track of its assets, who has access to them, and how they are monitored.
In order to protect charities from attacks and breaches, Muldoon offered the following list of best practices:Run an audit of the total number of devices and systems managedSecurely dispose of unused and/or old devicesRestrict access to others on a need-to-know basisDisable Bluetooth and GPS whenever possibleApply all updates and patches as they become available
“Know what you have, know where it is, know what it’s worth, and determine how to protect it,” she said.