Verity Eyre

Cyber Security in the Charity Sector

Cyber attacks are expected to skyrocket in the coming years according to Statista, and charities and non-profit organisations are no exception. Here we examine three questions: who is behind cyber attacks on charities, why are charities being targeted, and how do cyber criminals breach the defences of non-profit organisations?


Vulnerabilities of the Charity Sector


In the event of a cyber attack, charities are less prepared than commercial businesses and more likely to suffer financial consequences. They manage limited funds and so are less likely to have cyber security insurance: only 5% have a specific policy, and 22% have cyber security cover included in another policy.

  • Only 19% of charities have a formal cyber security strategy.

  • Charities may be focused on front-line charitable work and less emphasis may be placed on back-end areas such as cyber security. Charities are less likely than commercial businesses to have technical cyber controls.

  • Charity employees are more likely to use personal IT devices, which are less secure (65% compared to 45% of commercial businesses).

  • Charities have more part-time staff and volunteers, who may be less well trained in security awareness.


Who is Targeting Charities and Why?


Charities often hold sensitive information, which makes them attractive targets. Financial gain is the most common motive, but attackers may also seek to disrupt a charity's activities for political reasons.


Cyber criminals may seek to steal a charity's funds or to commit fraud, extortion, or data theft. Cyber attackers can be lone operators with access to ‘off-the-shelf’ software from criminal groups, or they can be large, sophisticated cyber gangs.


Nation-states such as Russia, Iran, and North Korea have all used criminal gangs to raise funds, cause disruption, or steal IP (a risk for science or technology charities). While charities may not be the prime target of nation-states, the hostile activity can be indiscriminate and broadly targeted, meaning charities and other organisations in their supply chain may be impacted. Charities that operate through local overseas partners are most at risk.


‘Hacktivists’ are hackers motivated by a political or personal agenda, so charities that support contentious issues could be at risk of attack.


Charities may be vulnerable to insider threats due to a high volume of volunteers, high turnover of workers, limited staff training, or weak security monitoring.


Charities often use third-party suppliers for IT, transactions, marketing, and data management, which may provide an entry route for attackers into charities' networks. Only 4% of charities have addressed supply chain risks, yet this should not be overlooked. As the BBC reported in April 2023, data was stolen from 140 organisations in Ireland in an attack on a Londonderry-based IT company. The victims included charity groups that work with victims of sexual crime. Theft of this kind of sensitive data is not only devastating for the parties and individuals involved; it can also expose the charity to GDPR fines.


How are Charities Attacked?


A very common route of attack is via phishing emails, texts, or calls. Business email compromise (BEC) uses phishing to trick someone into transferring funds or providing access to sensitive data. A business email compromise cost a West Midlands hospice £17,000 after a worker engaged with a phishing email asking them to change their password.


Ransomware is one of the most harmful threats facing UK charities. Once a device has been accessed and its data encrypted, gangs demand huge ransoms and threaten to delete or leak the stolen data. It cost the Edinburgh Fringe Festival £95,000 to recover from a cyber attack, and only £25,000 of this was covered by insurance.


In September 2023, Save the Children were attacked by a ransomware group that gained unauthorised access to their network. The hacker gang BianLian claimed to have stolen 6.8TB of data from Save the Children, including personal information and financial data.


The Impact of Cyber Attacks on Charities


The consequences of a cyber attack on a charity can be devastating. Beyond the immediate financial cost, there are several ways that a charity can be impacted:


  • Financial Loss: The immediate cost of a cyber attack can be substantial. There are direct costs related to an incident, such as hiring cyber security experts or paying ransoms. There may also be indirect costs, such as lost revenue due to operational downtime or decreased donations due to loss of public trust.

  • Reputational Damage: Trust is integral to a charity's relationship with its donors and beneficiaries. A cyber attack can significantly harm this trust, leading to decreased support and potential public backlash.

  • Operational Impact: Cyber attacks can disrupt vital services provided by charities. For instance, if ransomware locks access to critical data or a DoS attack takes down a charity's website, it could impede its ability to deliver services.

  • Legal Penalties: In severe cases, charities may also face legal penalties under regulations such as the General Data Protection Regulation (GDPR). Fines can reach up to 4% of annual turnover or €20 million, which could lead to insolvency for smaller organisations.


Cyber Security Advice for Charities


Charities can take defensive and preventative action against cyber threats.
