Cyber Security – Is your charity prepared for a cyber attack?

With this quick guide to the key terms in cyber security, we hope to facilitate the conversation with charities and their leaders and trustee boards around the risks from cyber attacks.

Chloe Green | 13th Nov 19
Cyber security

Do you really know where your charity stands against cyber attacks? Under GDPR it’s more crucial than ever to be in the know about the risks to charity data, and being a non-technical person is no longer considered an excuse under the law – it’s a core responsibility of charity leadership to make sure that proper cyber security protocols are in place.

We’ve recently put charity cyber security in the spotlight in our series of educational webinars in collaboration with the NCSC (National Cyber Security Centre), the UK government’s cyber security advisory centre.

Because it’s an issue that isn’t going away, we’re concluding the series this week by looking at how to talk to charity leadership and trustees about cyber security in your organisation, and the importance of getting buy-in on steps you may need to take – you can sign up for this Thursday’s lunchtime webinar here.

To help with this conversation, we’ve put together a quick, no-nonsense guide to some of the key cyber security terms below:

 

Cyber crime

In 2019, cyber crime is sadly a lucrative, thriving economy with vast amounts of investment being pumped into it. Cyber crime is estimated to be worth trillions, and represents an increasingly low-risk and attractive career choice for opportunists with the right skills. Whether or not you are aware of it, someone, somewhere can profit from your organisation’s data.

 

Cyber attack

A cyber attack is an attempt to expose, disable, destroy, steal or gain unauthorised access to a system or data. It might be a targeted assault against a specific organisation, or more commonly, a scatter-gun approach.

There are many different types of cyber attack, but some of the most common ones include:

 

Phishing

Phishing, and its close cousin spearphishing,work by what’s called ‘social engineering’, or attacking the weaknesses in people’s critical thinking. Staff click links in bogus emails that then lead to them unwittingly giving away information such as bank details or passwords.

Phishing involves casting the net wider to see what bites, whereas spearphishing (as the name suggests) is a more targeted approach. The Charity Commission has warned against phishing attacks that have seen criminals impersonating charity CEOs to swindle money from unsuspected charity bank accounts.

 

Drive-by attack

These common type of attacks occur when users visit a website or download an app that a criminal can use to infect a computer with malware, taking advantage of security flaws in an app, operating system or site. This malware is usually installed and run in the background without the user noticing.

We recently covered the importance of charities keeping their systems and software up to date with the latest security defences.

 

Malware

Malware, or malicious software, is any programme designed to be harmful to a device. There are many different types and criminals have myriad cunning methods of spreading it such as the attack types explained above.

Ransomware is a particularly dangerous type of malware that locks down a users computer system until they pay a hefty fee to access it again. A recent large-scale ransomware attack ended up costing the NHS £92m by blocking access to essential patient data.

 

Breach

The ultimate aim of most cyber attacks, where victims lose data or assets that are stolen or ransomed by criminals. According to the government’s latest Cyber Security Breaches Survey, the average cost to charities after a breach is £9,470.

A breach is an organisation’s worst-case scenario. Under GDPR, breaches of personal data must be promptly reported to the ICO and the individuals concerned. There are also staggering fines for those caught without adequate protections in place, should their sensitive data be breached – and non-profit organisations are not exempt.