Charities and cyber crime - what needs to be done

This week UK Digital Minister Matthew Hancock warned charities that they need to do more to protect themselves from cyber attack: "Charities must do better to protect the sensitive data that they hold.”

The authorities are so worried about the vulnerabilities of organisations that no less than the director of GCHQ has intervened.

In a forward to a document outlining how to protect organisations from attack Ian Lobban wrote: “About 80 per cent of known attacks would be defeated by embedding basic information security practices for your people, processes and technology.

“My organisation, GCHQ, now sees real and credible threats to cyber security of an unprecedented scale, diversity and complexity.”

The government has introduced a Cyber Essentials framework designed to help small and medium sized organisations to protect themselves .

Given the devastating consequences of being hacked and the widespread publicity that has surrounded recent incidents it seems remarkable that so many charities seem oblivious to the dangers and ignorant of the measures that need to be taken.

A government-funded report also published this week provides important insight into why so many charities are so far off the pace. Cyber Security Among Charities is a UK-wide in-depth qualitative survey of awareness, attitude and experience of cyber security among charities.

Its findings suggest that many charities are very exposed to a threat that they do not understand and do not believe is relevant to them.  Several believed it was important to businesses, but not charities and they would be unlikely to be targeted.

One important issue which will be especially relevant in Northern Ireland, given the size of most charities here, is that many organisations do not have specialist IT expertise on the payroll. Ultimate responsibility often resides with the CEO or the finance department, with the work outsourced to IT consultants.

In many instances this means that cyber security is either a low priority or beneath the radar, with total reliance on the external IT providers.

This tends to translate into a situation whereby organisations are only well protected where key staff or one of the trustees has relevant specialist knowledge

Exacerbating that is a widespread reluctance to call in the consultants for help, as this will inevitably incur a cost and a general tendency to award contracts to the lowest bidder and a lack of internal expertise to assess the competence of IT providers.

This, of course, is a recipe for disaster. If senior management not only don’t know what security measures are in place, if any, are not aware of the risks, have not utilised information, available at no cost for government, and have not put appropriate measures in place, it is hard to see that they are doing enough. Insurance against attack appears rare because organisations think it will be too expensive or else don’t perceive themselves to be at risk.

In addition, where charities are aware of the danger they tend to concentrate on the security of financial or else confidential data relating to clients or donors. The risk to business continuity is rarely front of mind despite the potentially catastrophic consequences.

It is not difficult to see how and why this has come about. Charities across the UK are hard pressed. Many are very small, there are competing priorities. Few can afford to have IT resources in-house. There will be a reluctance in investing in training, or to spend more with IT suppliers at a time when budgets are so tightly squeezed.

There is also the mistaken belief that charities will not be targeted. This demonstrates a fundamental misunderstanding of how most cyber attacks work.

Charities in Northern Ireland are facing real dangers. In December of last year a Northern Ireland-based charity was the victim of a sophisticated fraud which involved hacking the account of its chief executive and changing the bank details on a legitimate five figure payment to a third party. The money was never recovered and the charity was not insured against cyber crime. At the time PSNI warned that charities were being targeted in this kind of scam. There is a full case study of what happened here

So what can and should charities do to protect themselves against cyber attack?

The other good news is that protecting a charity against risk is nothing like as time consuming, difficult or expensive as some might think.

The information required is already out there.

NICVA recommends securing the government-backed Cyber Essentials certification.  It is already compulsory to have this for those receiving government funds, and it is highly likely that other funders will also insist on it.

The cost is £300 which includes free cyber-crime insurance to the value of £25,000.

It is important to understand that protection is vital for all organisations, none are too small. Cyber breaches can be terminal: destroying your reputation, costing you money, and in many cases leading to the collapse of the organisation. It is one more process to follow for hard-pressed charities, but one nobody can afford to ignore.