How to improve your NonProfit’s Cyber-Security – Quickly, easily… and at low cost
You may be wondering why the NonProfit sector needs its own guide around Cyber Security. After all… shouldn’t Cyber Security be the same across all organisations?
Whilst this is broadly true, Not-for-Profit organisations have unique concerns around cyber-security that can leave them particularly vulnerable to Cyber Actors and so these concerns deserve to be addressed separately.
As a sector, NonProfits hold a tremendous amount of personal, commercial, and financial data on people, as well as having access to large funds of money (donations) that many cyber actors are incredibly interested in.
Now you may feel your NonProfit is both perfectly aware of these cyber threats and secure against the risks posed by cybercriminals (and it may well be you are) but the National Cyber Security Centre (NCSC) has, on several occasions, publicly stated that many charities, especially smaller ones, don’t realise how tempting a target they make to cyber scammers.
One of the problems facing the sector is that no-one’s quite sure of the scale of the problem.
Whilst some cyber crimes do get reported by NonProfits, many don’t for fear of the reputational damage it will cause amongst their donors and volunteers.
NonProfits have a duty to spend as much as they can on their chosen cause and malicious cyber activity can really impact their ability to do so, whether through Denial of Service attacks (DoS) or through more direct methods such as the theft of funds or even indirectly through damaging the reputation of the sector as a whole. After all, who’s going to be happy donating to a charity if they thought their money would just end up in the pocket of a cybercriminal?
As we’ve already said, charities hold both a lot of disposable funds and personal information on their donors and volunteers. Coupled with that they’re also vulnerable to other forms of attack (more on those in a minute) that could hurt their reputations with potential donors.
Now obviously the type of information about donors (or the amount of money in accounts) that’s held will vary widely from charity to charity, depending on their size, cause, structure or stated goals but all will still be vulnerable to attacks such as viruses, phishing emails, ransomware attacks, identity theft and Denial of Service.
cloudThing recently wrote an article on the different types of Cyber Criminals at work today (you can read it here) but the types of cyber-actors targeting charities might vary slightly.
Those targeting the charitable sector could very well be advanced ‘cybergangs’ but unfortunately they could also be small-time individuals, operating from anywhere on the globe (making them much harder to track down after the fact).
This is why prevention has to be key.
The technical skills needed to commit a cyber-offence aren’t anywhere near what they used to be, with multiple tools available to make the job even easier, all available through criminal forums on the Dark Web.
These forums even offer out their services and tools under something known as Crimeware-As-A-Service with specific advice on how to target NonProfits.
Whoever attacks you though will have one thing in common with all other cybercriminals… they’ll be motivated by financial gain.
How they get that though will vary, from the outright theft of funds held by charities right through the gamut of online criminal activity to fraud, bribery and data theft.
This means, in today’s day and age, the charity sector needs to be prepared for both organised gangs and individuals sat at home, in their bedrooms, possibly a continent or two away!
Whilst there’s a whole host of attacks that a NonProfit may be subjected to, the ones they’re especially vulnerable to tend to be…
Charities, much like other organisations, have a duty of care to safeguard their data and good security is a massive part of that.
That really falls under two categories though… Tech & Culture.
Surveys by the National Cyber Security Centre (NCSC) repeatedly show that NonProfits, as a sector, have a “broad lack of specialist staff with technical skills to cover cyber security, a low awareness of government support available and a low level of digital skills”.
Addressing that issue on a technological level is important as Cyber Actors will target organisations they deem as ‘weak’.
Something as simple as an up-to-date firewall can shift their attention away from you to a different target but… ultimately, all the security precautions in the world will be for naught if you don’t bring your staff and volunteers along on the journey (culture).
The best firewall on the planet won’t help you if Jeff from accounts keeps clicking on links in emails from the Sultan of Zimbabwe who needs his help transferring funds out of the country.
We’re obviously not being 100% serious there but you take our point.
Cyber Criminals are becoming increasingly sophisticated and your staff need to be aware of how they might be targeted so they can be on the lookout for it.
There’s a huge gap in understanding the scale and scope of cyberthreats between different organisations in the NonProfit sector and that gap needs to close if trust in the sector as a whole is to continue.
Donors are unlikely to continue to support their chosen cause financially if they begin to fear their donation may go astray.
Although it may seem like an uphill struggle, investment in Cyber-Security doesn’t have to be a huge investment in either money or time, but in the end, whatever resources are applied to the problem will always prove cheaper than repairing the damage after a successful cyber-attack.
Feel free to reach out to us if you're worried your NonProfit might be vulnerable to Cyber-attack