Gone Phishing: charities and cyber-crime

27 Aug 2021 Nick Garbutt    Last updated: 27 Aug 2021

A disturbing new report reveals the vulnerability of charities and small businesses in Northern Ireland to cyber-crime.

The report was commissioned by the NI Cyber Security Centre (NICSC), which is part of the Department of Finance, and was carried out by Ipsos MORI.

The NICSC wanted to understand the level of cyber awareness, activity and resilience that currently exists across Northern Ireland businesses and in the voluntary and community sector.

It cannot have derived much comfort from the findings. The only positive from the sector’s perspective is that charities are at least no worse than small businesses on cyber security.

Other than that it is X Certificate material and must act as a wake-up call to the sector before it’s too late.

Some of the findings include:

  • Just 48% of organisations regarding cyber security as a board level risk;
  • 46% not knowing what kind of checks to carry out on their cyber security;
  • Only 1% claiming to have met the government-backed Cyber Essentials standards;
  • 62% have done nothing in the past 12 months to identify cyber security risks to their organisation, despite the explosion of digital usage over the period due to the pandemic.

Another finding – that just 6% have suffered a cyber-attack – will doubtless be used by some to suggest that the threats are overblown. Yet the evidence suggests that this statistic is every bit as disturbing as the others. The report contrasts it with the equivalent figure for England – 26% of charities – suggesting that the discrepancy may be due to under-reporting of incidents or, worse still, ignorance that they have taken place.

The report’s publication comes at a time when our government is still digesting the implications of the major ransomware attack on Ireland’s health service that forced closure of all its health IT systems. The attack in May was the most significant cyber-attack on the Irish state and other governments will be examining their vulnerabilities in its wake.

Given that so many charities derive their incomes from government contracts, and that cyber criminals are always likely to target the most vulnerable parts of any supply chain, it is imperative that the sector acts swiftly to protect its own security.

This is not a time for panic: much of what needs to be done is straightforward, but it has to start with an organisational mindset that regards cyber security every bit as seriously as the physical security of buildings, equipment and service user records. Cyber security is not an option, it is imperative – and it is only a matter of time before being able to demonstrate effective protection will be existential.

In terms of holding government contracts that’s likely to mean having Cyber Essentials, which 99% of charities in NI currently do not have.

Stephen Gray, Head of Information Services at NICVA says that the time has come for action. “People should not panic. Cyber security can be dealt with just like any other risk management issue.

“At the moment organisations seem to be in reactive mode – they only do something about it when there’s an incident. Others seem to regard it as a hypothetical threat and are reluctant to devote time, energy and resources to it. But this is not going away, the challenges are accelerating as we do more and more things with technology at pace.

“I think many in the sector are yet to integrate cyber security into our normal thinking about governance and risk. This needs to change.”

He says that, given the importance of the sector to delivery of public services, it is in the interests of government as well as charities to help make this happen, with smaller and medium-sized charities needing additional help and resources to meet the standards required.

The use and collection of data will continue to rise exponentially.

Stephen said: “We have a responsibility to secure this data and look after it properly. This is even more important than the crime aspect. Traditionally the sector has been very good indeed at protecting information, but moving to the digital sphere creates new challenges.

“We’re using new platforms all the time, ending up with a sprawl of repositories of data and information that if not protected properly can be compromised.”

He said that auditing and checking the security of digital systems and data can seem like boring, background work and can get pushed to the back of priorities unless it is a board-level priority.

He added: "It may be challenging to divert resources to tackling the methodical work that needs to be done, such as documenting information assets, systems and processes, but it is critical to improve the organisation’s cyber resilience in facing the increasing threats."

This emphasises why organisations should ensure that they have the necessary understanding of the importance of cyber security at board level. Charities would be wise to ensure that when recruiting new trustees they factor the need for digital expertise into selection criteria.  

Stephen said: “People can do this and it doesn’t necessarily cost a fortune.”

And he suggests a series of steps that can be taken immediately, today, and other measures that can be got underway to protect charities.

Do Now:

  • Make sure your email/organisation user accounts have two-factor authentication switched on;
  • Have a strong password policy – longer passwords are stronger passwords. You don’t need to change them regularly; the latest research suggests it doesn’t help. The National Cyber Security Council has recently published excellent, easy to follow advice on this.
  • Check that your backups are working, so that if you do suffer an incident you can recover more quickly.
  • Share examples of phishing and dodgy emails that you receive to help raise awareness in the organisation about the threats.
  • Apply updates – don’t ignore them.

Do Soon:

  • Make sure cyber security is on your board agenda.
  • Read advice from NICSC and NCSC and share links to the free online training they provide.
  • Examine your key information assets and consider vulnerabilities. There’ll be more now as organisations have adapted to the pandemic.
  • Talk with your IT support (if you have one) – make sure updates are being applied and that you’re making best use of any technical security measures that are available to you (for example Office 365 security settings).
  • Study the Cyber Essentials Readiness Tool which will help prepare you to do all that’s needed for Cyber Essentials certification.