Sikov - stock.adobe.com

What charities should know about ransomware and reputational threats

The NCSC recently called for charities to elevate their cyber security practice. Find out why charities are a soft target for cyber criminals, and what they can do to fight back

Last March, the email and phone systems at the Scottish Association for Mental Health suddenly stopped working. A possible sign of a cyber attack, confirmed when the cyber criminal gang RansomEXX uploaded sensitive data belonging to donors and volunteers to the dark web including: names, home addresses, emails, and passport scans.

Understandably, SAMH’s reputation took a major hit.

Charities are seen as ‘soft’ targets for cyber criminals. Nearly one in three of them were victims of cyber crime in 2022, and the threat is higher among high-income charities, of which over half were attacked.

Why charities are targeted

Charities are either playing catch up by not prioritising risks, or they are simply unaware of the threats they face. Their online operations such as engaging supporters, raising funds, and coordinating essential responses around the world, leave charities vulnerable to cyber attacks.

Targeting a charity is appealing to an attacker – charities often have limited IT budgets and little or no in-house cyber security expertise, while being goldmines of valuable financial, personal, and commercial data.

Charities are typically easy targets

Many charities also have much wider (and less well policed) attack surfaces – increasing the possible entry and exit points for unauthorised personnel.

Why is this the case? The third sector relies more heavily on BYOD (Bring Your Own Device), with 64% of charities reporting staff using their own devices regularly, compared to 45% of commercial businesses. As a result, their network is larger which makes performing cyber security updates and monitoring more difficult. This leaves charities more susceptible to cyber security breaches.

Criminals are also aware that risks are much less likely to be assessed and responded to at board and senior management level among charities. One in four charities do not have a board member who is accountable for cyber security, nor do they update their senior management when a cyber security action is taken.

This leaves even the biggest charities vulnerable. Last year, the Red Cross was hit by a devastating attack that put operations and fundraising on hold and impacted its ability to disseminate blood.

A charity’s reputation is only as strong as the federation’s weakest link

Smaller charities – often affiliates or those that receive funding from national charity organisations – are just as susceptible to attack as larger known third sector entities because they are less likely to have the resources for addressing cyber security threats.

Read more about security for the third sector

Many charities in the UK, including Carers Trust, Mind, and the YMCA, operate with a federated structure where a network of smaller, independent local charities is overseen by a national charity. Such smaller organisations offer an easy route in for hackers. If a bad actor ends up succeeding in breaching an affiliate’s system, the reputational damage affects the whole charity federation. Being the victim of a cyberattack can potentially result in supporters thinking twice about donating and sharing their sensitive details.

What charities can do to mitigate cyber threats and reputational risks

In January 2023, the UK National Cyber Security Centre published new guidance for the charity sector that named ransomware as “the most harmful cybercrime threat to the UK today.” The threat of sophisticated malware and ransomware is best prevented by robust preparation and constant monitoring of an organisation’s network and devices.

At a time when charities are facing both an expansive attack surface and a weak cyber security focus from senior managers, there are three highly effective solutions:

  1. Reduce reputational risk by hiring a Virtual CISO (Chief Information Security Officer), an outsourced security expert (or team of security experts), to guide and direct cyber security priorities and protection. vCISOs typically work alongside existing internal IT teams on a part-time basis, acting as in-house, impartial and trusted advisors, driving the cyber strategy forward through deep collaboration.
  2. Invest in MDR (Managed Detection and Response), a service that combines cyber security analysts and specialist tools to monitor an entire IT estate for anomalies, hunt for and respond to cyber threats in real-time. MDR also has the capability to identify threats in an organisation’s third-party network. This makes it ideal for dispersed networks, like that of a charity with a BOYD policy, as it enables visibility of any activity anywhere.
  3. Test your defences. For medium and large-size charities, the NCSC guidelines recommend using third-party services including penetration testing. Penetration or pen tests are simulated attacks carried out by a team of ethical hackers who employ the same techniques that attackers use to discover vulnerabilities by testing whether systems or applications can withstand hostile attacks.

Outsourcing cyber defences is a charity’s best bet

Charities are on cyber criminals’ radars, even the large, well-known charities are vulnerable. The impact of a large-scale attack can be devastating– particularly the downtime and damage to the brand and supporter trust.

The investment of time and money into the right cyber security strategy and services, from specialists that understand the challenges of the sector, will always outweigh the long – and reputationally damaging – road to recovery from a successful attack.

Rob Shapland is an ethical hacker and head of cyber innovation at Falanx Cyber, a specialist MDR provider. He is a frequent commentator on security issues and a regular contributor to TechTarget Security and Computer Weekly. Adam Monks is chief executive of Smartdesc, a specialist managed services provider (MSP) working with charities and non-profits.

Read more on Hackers and cybercrime prevention