Charities having adequate IT security
Thinking about the vulnerability of charities to malicious IT disruption, how is it that so many organisations were caught unprepared for the recent major ransomware attack? Is it that they all had the latest security, but the criminals were one step ahead? Or perhaps the organisations affected had not implemented the appropriate levels of security?
Charities were fortunate to have largely escaped that attack, particularly as so many have an interface with the NHS: it could have taken just one infected email, or one unpatched machine on a shared network, from a trusted NHS source to cause havoc. Ransomware and other malicious attacks on charity IT systems, whether deliberately targeted or the result of secondary infection, must be treated by charity managements as key risks that have to be addressed.
It goes without saying that there is the fundamental risk of a charity's systems becoming inoperable with a dramatic impact on the charity's ability to carry out its activities. Then there is the threat to the security of the charity's funds. Financial systems are at risk of manipulation resulting in theft.
Also there is the risk to the security of personal data which, if breaches do occur, can lead to the involvement of the Information Commissioner and heavy fines. As numerous fines have demonstrated, just because an organisation is a charity doesn't mean the Information Commissioner is any more forgiving. Plus there is the overarching requirement of the Charity SORP for charities of a certain size to have adequate systems in place and the need for the others to follow best practice.
So the recent ransomware attack is a deafening wake-up call to all charities to review their IT security. If organisations were unprepared because they had not implemented the appropriate levels of security, why on earth would any organisation, charities included, large or small, not ensure the most recent protections are in place on its computer systems?
While without doubt many organisations had simply failed to focus on implementing adequate security, there are understandable reasons why organisations may have felt deterred from updating their security, so the situation is not as simple as it may seem. There are any number of reasons why simply implementing the latest security products and procedures is not the most attractive of propositions. For example:
Security patch and update releases are frequent and numerous, and are sometimes released with "bugs" or awkward characteristics that can cause significant "damage" to existing systems and software, causing disruption and pain of their own. (The usual answer is to test each patch on a small group of machines before rolling it out everywhere, not to skip it.)
Replacing old but working solutions can be expensive and difficult to justify, particularly during times of budget constraint.
The logistics of implementation and roll-out can introduce huge levels of disruption and often far greater cost than the purchasing of the solution.
Compatibility with core business critical software solutions isn’t guaranteed.
Whilst using the most up-to-date protections available is always the preferred approach, for some organisations it isn't always as simple as desired. For that reason, it is important to consider the possible impact and ensure that appropriate professional expertise is employed. For charities, outsourcing the entire IT apparatus to an experienced provider might be the simplest way to tackle cyber security, and may also save money.
Just as no one would attempt to climb Mount Everest without a professional guide, cyber security is the Mount Everest of technology; use only the best guide!
What exactly is ransomware? And how does it differ from other forms of cyber attack?
Below is a list of some of the most commonly heard terms, what they mean and how to recognise them.
Malware is an abbreviation of "malicious software". It is the blanket term for any software designed to harm your computer, steal data or give an attacker control; the categories below are all types of malware, distinguished by how they spread and what they do.
Viruses, like their biological namesake, spread from one file or PC to another, causing damage as they go. A virus attaches itself to an executable file or document and is triggered when that file is opened, which is how it reaches the next machine when the file is shared. Viruses can delete or corrupt your files, and some have been able to leave a computer unusable.
While many people mistake worms for viruses, a worm needs neither a host file nor any action by the user: it starts as a single instance and sends copies of itself across a network or internet connection, infecting other PCs and networks directly. Worms exploit security holes in software that is listening on the network. Software providers do patch those holes, but in practice the patch has often been available for weeks or months before the worm appears, and the damage is done on the machines that have not applied it.
Like the wooden horse of legend, a trojan is a piece of software that looks like something else (an invoice, an installer, a useful utility) but carries the malware inside itself, and it relies on the user running it. Typically the trojan then opens a back door to the computer system, allowing access either for further malicious software or directly to the attacker who wrote it.
Then there is spyware, which installs itself on a computer system in secret. It does not directly affect files but has a hidden agenda, usually to send data back to its creator: key-logging to capture passwords, for example, or harvesting other information such as credit card numbers.
Scareware, as you can guess from its name, is software designed to scare users into opening up their system to it. They are tricked with a fake message, often saying their computer has a virus, which includes a link to download anti-virus software. The user downloads the fake software, and the app then tells them that their computer is infected with hundreds of viruses which can only be removed if they purchase a full licence. It is a close relative of ransomware: the money is extorted with a threat rather than by actually locking anything, and the "licence" buys nothing.
Ransomware, put simply, is malware that holds systems to ransom. Most of it encrypts the user's files, and any files on network shares or connected drives it can reach, so that users are blocked from their systems and data and are only given the decryption key if they pay the ransom demanded, usually in a cryptocurrency. If they don't pay, the data stays encrypted and the system is effectively unusable until it is rebuilt. (Don't pay the ransom. Law enforcement advice is consistently not to: payment funds the next attack, there is no guarantee that a working key will be sent, and an organisation known to pay is likely to be targeted again. The reliable way back is a clean rebuild and a restore from backups the ransomware could not reach.)
Against all forms of malware, the defence should be comprehensive and layered. Antivirus software is a must, and if you use any form of network, either hosted or self-managed, the protection needs to be on both the network and the local computers.
There are many big names in the world of virus protection, so when choosing you should make sure that the provider you are looking at is well accredited, has good reviews and a proven record.
Malware is constantly changing, and your antivirus software needs to keep up with the new malware being released. A good antivirus program updates regularly, and preferably automatically, both its detection data and the program itself, so that the system is always protected against the latest malicious software.
Always ensure your systems have adequate backup. If you handle some systems directly and outsource others to a third party, make sure the systems you handle directly are adequately backed up by you, and that you are completely satisfied with the backup arrangements operated by the third party for your work. "Adequate" means three things: backups run on a schedule and are monitored for failures; at least one copy is kept offline or otherwise out of reach of the network, because ransomware encrypts any backup it can reach, including attached USB drives and mapped network shares; and restores are actually tested, because a backup that has never been restored is only an assumption.
If you are at all unsure about the security of your systems, ask an IT expert. If your IT is dealt with in-house, it is worth getting an outside opinion or audit. If your IT department insists it can deal with any worries you may have, at the very least ask it to produce a formal risk management report.
If you use a hosted service or an external IT provider, they should be able to show you how your systems are safeguarded, and point you in the right direction if you have any concerns. If you are thinking of using a particular service or provider for the first time, always raise security early in the conversation, and if you are nearing a deal, tell them that you will need details of their security arrangements for your own risk management report should you decide to go ahead.
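The "restores are actually tested" point is the one most often skipped, so here is what a minimal restore test looks like in practice. This is an added example written for this article, not code from the article or from any provider: it uses only the Python standard library, backs a folder up to a gzip tarball, keeps a SHA-256 manifest of what was copied, and verifies by restoring into a scratch directory and comparing every file. The folder names and file contents are constructed for the example, and the "overwritten" scenario stands in for ransomware that reached the backup location.

```python
"""Back up a folder, then prove the copy can actually be restored.

Added example for the article, standard library only. A backup that has
never been restored is only an assumption; this makes the restore and the
comparison explicit so both can be run on a schedule.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write source into a gzip tarball; return the manifest to keep with it."""
    expected = manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in expected:
            tar.add(source / rel, arcname=rel)
    return expected


def verify_backup(archive: Path, expected: Dict[str, str]) -> List[str]:
    """Restore the archive to a scratch directory and compare with expected.

    Returns a list of problems; an empty list means the restore matched.
    """
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    # The "data" filter refuses entries that would escape
                    # the target directory (a tampered archive is untrusted input).
                    tar.extractall(scratch, filter="data")
                except TypeError:  # older Python without extraction filters
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"archive unreadable: {exc}"]
        restored = manifest(Path(scratch))

    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs after restore: {rel}")
    problems.extend(f"unexpected file in backup: {rel}"
                    for rel in restored if rel not in expected)
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a good backup, work done after the backup ran,
    and a backup that ransomware managed to overwrite."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "charity-data"          # constructed sample data
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2017-05-12,100\n")
        (source / "donors.txt").write_text("sample donor list\n")
        archive = Path(work) / "backup.tar.gz"

        expected = make_backup(source, archive)
        results["good"] = verify_backup(archive, expected)

        # A file created after the backup ran: a restore would lose it.
        (source / "new-grant-application.docx").write_text("draft\n")
        results["stale"] = verify_backup(archive, manifest(source))

        # Ransomware that can reach the backup location encrypts it too;
        # deterministic junk bytes stand in for the encrypted archive.
        size = archive.stat().st_size
        archive.write_bytes(bytes((i * 37 + 11) % 256 for i in range(size)))
        results["overwritten"] = verify_backup(archive, expected)
    return results


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "->", problems or "restore OK")
```

The manifest is the part worth keeping next to the real backup: without a record of what should be there, a restore that "works" can still be silently short of files. The third scenario is why at least one copy must live somewhere the live network cannot write to.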
IT security has a governance dimension, and trustees should be able to record their assessment and approval of IT security and backup.
The burden of a charity's data and cyber security can be outsourced, though not quite as easily as buying a household utility. Without question, stretched human and technical resources are an issue in the charity sector where charities handle all their IT themselves, leaving computer systems exposed in the ways listed above.
If the security is outsourced, enterprise-grade cyber security tools and measures should be implemented and the outsourcer will also manage all backups – and data restoration and business continuity, should it ever be required. But, as mentioned above, you have to satisfy yourself as to the adequacy of the outsourcer's services here. Outsourcers are not always perfect...
Charities can help themselves, to a degree, by training their staff and volunteers in good online and email practice, to help prevent them visiting risk-laden websites and opening suspicious-looking attachments in "phishing" emails. The signs to teach are an unexpected attachment or link, a sense of urgency ("your account will be closed"), a sender address that doesn't match the name shown, and attachment names that end in a program type such as .exe or .js, or in a double extension such as .pdf.exe.
That is a good early line of defence and is useful even where security has been outsourced, especially where volunteers work away from a charity's office and thus face additional risks from malware and risky online practices, including the use of their computer by friends, relatives or other parties.
Charities can also help themselves by ensuring they have the latest security patches for their version of Windows, if they use Windows, and that the version itself is still supported: once a version goes out of support it receives no more security patches, whatever else is done. The same applies to other operating systems and to the applications on top of them (browsers, Office, PDF readers), which are patched separately.
If hosted desktops are used by a charity's staff and volunteers, they will reduce the risks by a significant factor. Even theft of the devices used to reach a hosted desktop (tablets, smartphones, laptops, thin clients or traditional desktops) is much less of an issue, because the charity's software applications and work files are held on a server in a data centre, not on those devices. The caveat is that a stolen device with a saved password on it is still a way in, so logins should not be saved on the device and access from a lost or stolen device must be revoked promptly.
You should insert into any agreement you have with any kind of supplier to or partner of your charity, not just in the IT field, a requirement for them to inform you of any attack on their systems which could affect you, and to do so via a safe channel that does not depend on the affected systems, if necessary by phone.
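The attachment-name checks above can be made mechanical, which is useful both for training material and as a first filter on a shared mailbox. The following is an added illustration written for this article, not code from the article or from any mail product: the extension lists and the three risk levels are assumptions chosen for the example (a real mail gateway also inspects the file contents, not just the name), and the sample attachment names are constructed, not taken from any real mailbox.

```python
"""Triage email attachment names for the tricks phishing mail relies on.

Added illustration for the article. Extension lists and risk levels are
assumptions for the example, not a definitive rule set.
"""
from typing import List, Tuple

# Unicode right-to-left override: "Donor report\u202efdp.exe" displays as
# "Donor reportexe.pdf" in many mail clients, hiding the .exe.
RTLO = "\u202e"

# Opened directly, these run code on a typical Windows desktop.
EXECUTABLE = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
              "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk"}
# Office formats whose whole purpose is to carry macros.
MACRO_ENABLED = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Containers: contents are hidden from a quick look and, if password
# protected, from the antivirus scanner as well.
ARCHIVE = {"zip", "rar", "7z", "iso", "img", "cab"}
# Everyday documents still regularly used as lures (legacy Office formats
# can carry macros; PDF readers have had exploits).
DOCUMENT = {"doc", "xls", "ppt", "pdf", "rtf"}
# Harmless-looking types used as the visible half of a double extension.
LURE = DOCUMENT | ARCHIVE | {"jpg", "png", "txt"}


def attachment_risk(filename: str) -> Tuple[str, str]:
    """Return (level, reason); level is "high", "medium" or "low"."""
    if RTLO in filename:
        return "high", "contains a right-to-left override that hides the true extension"

    # Lower-case, and strip each part to defeat "invoice.pdf      .exe" padding.
    parts = [p.strip() for p in filename.strip().lower().split(".")]
    if len(parts) < 2 or not parts[-1]:
        return "medium", "no file extension, so the system will guess how to open it"
    ext, rest = parts[-1], parts[:-1]

    if ext in EXECUTABLE:
        if rest[-1] in LURE:
            return "high", f"double extension: looks like .{rest[-1]} but runs as .{ext}"
        return "high", f".{ext} files run as programs when opened"
    if ext in MACRO_ENABLED:
        return "high", f".{ext} is a macro-enabled Office document"
    if ext in ARCHIVE:
        return "medium", f".{ext} archive: contents unknown until opened"
    if ext in DOCUMENT:
        return "medium", f".{ext} documents can carry macros or exploits; confirm the sender"
    return "low", f".{ext} is not a common malware carrier"


def triage(names: List[str]) -> List[Tuple[str, str, str]]:
    """Return (name, level, reason) for each attachment, highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(name,) + attachment_risk(name) for name in names]
    return sorted(rows, key=lambda row: order[row[1]])


# Constructed sample names for the demo; not from any real mailbox.
SAMPLE_ATTACHMENTS = [
    "Invoice_3921.pdf.exe",
    "Gift Aid claim.xlsm",
    "Fundraising photos.zip",
    "Trustee minutes.docx",
    "Donor report\u202efdp.exe",
    "Bank statement.pdf",
    "README",
]


if __name__ == "__main__":
    for name, level, reason in triage(SAMPLE_ATTACHMENTS):
        print(f"{level:6} {name!r}: {reason}")
```

The double-extension and right-to-left override cases are the ones worth showing in training, because the mail client's display is exactly what they are designed to fool; a name-based check like this catches the disguise only because it looks at the raw string rather than what is rendered.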