Protecting the digital heart of charities
It’s an unfortunate reality that the charity sector is an attractive target for cyber attacks. Criminals are unscrupulous in choosing their targets and can all too easily take advantage of charities, and their supporters, for their own gain.
There is a huge black market in user credentials (login details and other personal information), which are bought and sold online. Cybercriminals can get their hands on this information in a number of ways, including stealing it directly from the charity or a partner, or taking credentials leaked from third-party sites and reusing them to attack a charity or its supporters.
The fact that people often reuse usernames and passwords across multiple systems makes matters particularly easy for criminals.
To protect themselves and their data, charities must monitor the internet for potential threats, ideally before an attack happens. A charity's ability to detect when personal details it holds on donors, volunteers, beneficiaries or employees appear outside its own network should be a priority, as should uncovering the tell-tale signs that an attack on the organisation could be imminent. Finally, charities must also monitor their own networks and practise good cyber hygiene that denies cybercriminals an easy way in.
Why criminals target charities
The average cybercriminal is primarily focussed on making money and will target assets that achieve this goal. They might try to steal funds directly, or hold a charity to ransom by crippling services and only restoring them upon payment of a large sum of money. Their most likely main target, though, is the Personally Identifiable Information (PII) of supporters, which they can reach by targeting the charity's employees. Charities are a goldmine of this data, holding the PII of thousands, if not millions, of individuals, and cybercriminals can turn it into money in a number of ways.
Once they have the financial details of donors, the fraudsters can use these to steal cash directly from their bank accounts. Another method they use is to imitate the charity and email the donor directly, using the stolen information, to request more funds, known as phishing.
This can be very effective as the person targeted has already shown an interest in the charity and a willingness to donate, so asking for more money won’t seem unusual and is likely to produce results. Criminals are skilled at using techniques which prey on the trust and goodwill of donors and compel them to make emotional decisions by clicking on links that look genuine.
The emails are made to look very convincing, often using the same branding and messaging, and, through a technique called typosquatting, criminals set up fake sites that are made to look like the legitimate charity. For instance, if the actual domain is anycharity.org.uk they might use anycharity.com or anycharitydonations.org.uk.
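The typosquatting examples above (a different suffix, or the brand name buried in a longer label) can be caught mechanically when mail or links arrive. The following is an added example, not code from the original article: it takes a sender address or domain and classifies it against the charity's legitimate domain, treating "brand name contained in the label" and "near-identical label after normalising common character swaps" as lookalikes. The legitimate domain, the short suffix list and the 0.8 threshold are assumptions for illustration; a real deployment would use the Public Suffix List and tune the threshold against its own mail flow.

```python
from difflib import SequenceMatcher

# Assumed to be the charity's one genuine domain (the article's example).
LEGIT_DOMAIN = "anycharity.org.uk"

# Toy suffix list, longest first so ".org.uk" wins over ".uk". A real check
# would consult the Public Suffix List instead.
KNOWN_SUFFIXES = sorted(
    (".org.uk", ".co.uk", ".com", ".org", ".net", ".uk"), key=len, reverse=True
)

# Common digit-for-letter and rn-for-m swaps, undone before comparing labels.
SUBSTITUTIONS = (("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"), ("5", "s"), ("rn", "m"))


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable_label, suffix), e.g. 'anycharity.org.uk' -> ('anycharity', '.org.uk')."""
    d = domain.lower().strip().rstrip(".")
    for suffix in KNOWN_SUFFIXES:
        if d.endswith(suffix):
            label = d[: -len(suffix)].split(".")[-1]
            return label, suffix
    # Unknown suffix: fall back to the second-to-last label.
    parts = d.split(".")
    return (parts[-2] if len(parts) >= 2 else d), ("." + parts[-1] if len(parts) >= 2 else "")


def normalise_label(label: str) -> str:
    """Undo the character swaps typosquatters rely on so 'anych4rity' compares as 'anycharity'."""
    for src, dst in SUBSTITUTIONS:
        label = label.replace(src, dst)
    return label


def lookalike_score(candidate: str, legit: str = LEGIT_DOMAIN) -> float:
    """Similarity in [0, 1] between the candidate's brand label and the legitimate one.

    1.0 means the genuine brand label is present verbatim (anycharity.com,
    anycharitydonations.org.uk); lower values come from edit-distance similarity.
    """
    if "@" in candidate:                       # accept a full sender address
        candidate = candidate.rsplit("@", 1)[1]
    cand_label, _ = split_domain(candidate)
    legit_label, _ = split_domain(legit)
    cand_label = normalise_label(cand_label)
    if legit_label in cand_label:
        return 1.0
    return SequenceMatcher(None, cand_label, legit_label).ratio()


def classify_sender(candidate: str, legit: str = LEGIT_DOMAIN, threshold: float = 0.8) -> str:
    """'genuine' for the real domain, 'lookalike' above the threshold, otherwise 'unrelated'."""
    domain = candidate.rsplit("@", 1)[1] if "@" in candidate else candidate
    if split_domain(domain) == split_domain(legit):
        return "genuine"
    return "lookalike" if lookalike_score(domain, legit) >= threshold else "unrelated"


if __name__ == "__main__":
    for sample in ("donations@anycharity.org.uk", "anycharity.com",
                   "anycharitydonations.org.uk", "anycharlty.org.uk", "example.com"):
        print(f"{sample:32} {classify_sender(sample)}")
```

Run against the From: domain of inbound mail, or against domains extracted from links in outbound supporter communications, and route anything classified as "lookalike" to a human for review rather than blocking automatically; partners and agencies that legitimately use brand-like domains will show up here too.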
This is particularly pertinent during the coronavirus crisis, which has seen people more willing to help out good causes. For instance, the FBI found criminals masquerading as collectors of donations for the American Red Cross who were in fact lining their own pockets. According to DomainTools, which scores a domain on how likely it is to be malicious, 150,000 suspicious coronavirus-related domains have been registered since the start of the pandemic.
Staff working for charities can be a particular target for phishing attacks, which attempt to trick employees into clicking on links in order to obtain their personal information or gain access to the staff member's email account. From that account, criminals can send emails which appear legitimate, convincing others to send money to new accounts or to commit other types of fraud.
Cybercriminals often target charity workers for their credentials so that they can access charity databases rich in donor data. Recent research shows that more than 8 out of 10 charities have reported that their staff have been targeted in phishing attacks.
Finally, they could sell the information online to other cybercriminals. Once they have their hands on this valuable data, they will try to sell it where they can. These are likely to be on forums on the Open and Dark Web, as well as websites like Pastebin that allow users to post information anonymously in plain text. The Dark Web is the hidden part of the internet, not indexed by conventional search engines such as Google or Bing, which cybercriminals use to get around law enforcement to buy and sell personal data.
Charities also need to look out for employees reusing the same, or similar, corporate login credentials to access third-party sites. If one of those sites is breached, the staff member may have inadvertently given the hackers all they need to break into the charity's own IT network.
Need to protect data
Suffering a data breach is serious for any organisation. Yet for charities, whose success is built upon their reputations and the goodwill of supporters, the loss of any sensitive information can be devastating. Many charities provide services for vulnerable individuals, where leaks of data could result in serious physical or emotional harm. Any organisation is at risk: often it is simply down to hackers taking a chance, testing out credentials from another unrelated breach, and discovering they can be used to target a charity.
This opens charities up to the risks of phishing attacks, identity theft and even having funds taken directly from their accounts. As such, trust in their brand will undoubtedly be damaged if data is found to have been traded by cybercriminals online. This is likely to have a knock-on effect for the charity’s funding as research from The Charity Commission has found that people are nine times less likely to donate to a charity they deem untrustworthy.
There is also the consideration that any data breach could land a charity in trouble with the regulators. The EU's GDPR stipulates that organisations must have appropriate mechanisms in place to protect any PII in their possession. Failure to do so could result in the organisation having to pay a large fine.
These issues are made worse by the fact that time and resources are in limited supply and volunteers are often relied upon to help deliver services. This can add to the risk exposure, and so requires making sure that helpers and temporary workers, as well as permanent staff, are all up to date with the latest data privacy regulations and have regular training on how to keep information safe. This can be a huge task.
The Covid-19 crisis has without doubt made the situation worse. Charities are also facing a funding crisis never seen before. Those wanting to survive are likely to cut back where they can, which could mean IT security is reduced. This will also be made worse by trained professionals being furloughed, or those who are still working having to do so remotely with varying degrees of cybersecurity.
Protecting your charity
Any organisation needs to make the best use of its resources, and charities in particular have to be careful to get the best possible value from cyber protection. To help them, the UK Government has created a guide which outlines five key areas that charities must focus on to keep their data safe. These are: backing up data; protecting against malware; keeping connected devices safe; using passwords to protect data; and avoiding phishing attacks.
Much of this advice focuses on simple actions charities can take using protection they already have access to, or on putting procedures in place to protect information. This includes basics such as turning on firewalls and anti-virus software, as well as changing default passwords. Having a unique password for every user and for every protected asset they use is a cyber security fundamental. A good way to secure credentials is through a password manager, which will generate and store strong, randomly generated passwords.
Another simple step charities can take is to regularly download and install the latest updates for all their operating systems and applications. These will provide security patches for any vulnerabilities in the software that could be exploited by threat actors.
Early warning systems
Taking steps to prevent a data breach, or limit the impact of one, needs to be a priority for charities if they want to avoid damaging repercussions. The key to this is monitoring.
Monitoring the internet for early warning signs of an attack will help charities focus their defences. This monitoring should include detecting if there has been any chatter on social media sites or forums used by cybercriminals that might indicate an attack is imminent. There is also the need to identify stolen information that might appear on the Open and Dark Web. However, accessing sites that are exclusively the domain of cybercriminals requires specialist help.
Charities need to be certain whether any information which appears online is theirs, so that they can take swift and decisive action if necessary. This can be difficult, as there could be thousands or even millions of credentials to examine. To this end, the use of "synthetic" identities and watermarking data will help to pinpoint whether any information has leaked outside the organisation.
The idea is to mix specifically created fake credentials, including email addresses, in with the real data. If these synthetic identities appear anywhere they shouldn't, a charity will know with absolute certainty that there has been a data breach.
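To make the synthetic-identity technique concrete, here is an added example (not code from the original article) that seeds a donor list with canary records and then scans a leaked dump for them. It goes one step beyond the text: each copy of the data handed out (a CRM export, a mailing partner) gets its own set of canaries, so a hit tells the charity not only that a breach happened but which copy leaked. The canary local parts are HMAC tags over a secret key, so an attacker cannot tell canaries from real entries, while the charity can reproduce them. The key, the domain (assumed to be one the charity controls and whose mailboxes it watches), the sample donors and the leaked lines are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed secret for the example; a real deployment keeps it in a secrets
# store, well away from the donor database it protects.
CANARY_KEY = b"constructed-canary-key-replace-me"

# Assumption: a domain the charity controls, so canary mailboxes can also be
# watched for phishing that follows a leak.
CANARY_DOMAIN = "anycharity.org.uk"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def make_canary(share_id: str, index: int, key: bytes = CANARY_KEY,
                domain: str = CANARY_DOMAIN) -> dict:
    """Build one synthetic donor record for a given copy of the data.

    The local part is an HMAC over (share_id, index): unguessable without the
    key, yet reproducible by the charity. In production the name and other
    fields would be made realistic so the record does not stand out.
    """
    tag = hmac.new(key, f"{share_id}:{index}".encode(), hashlib.sha256).hexdigest()[:10]
    return {"name": f"Canary {index}", "email": f"{tag}@{domain}"}


def seed_canaries(records: list[dict], share_id: str, count: int = 2) -> tuple[list[dict], dict]:
    """Return a copy of records with `count` canaries mixed in, plus a registry
    mapping each canary address to the share_id it marks."""
    canaries = [make_canary(share_id, i) for i in range(count)]
    registry = {c["email"]: share_id for c in canaries}
    seeded = list(records)
    for i, canary in enumerate(canaries):
        # Spread canaries through the list rather than appending them at the end.
        pos = (i + 1) * len(seeded) // (count + 1)
        seeded.insert(pos, canary)
    return seeded, registry


def scan_dump(lines: list[str], registry: dict) -> set[str]:
    """Return the share_ids whose canary addresses appear in leaked text
    (credential dumps, paste sites, forum posts)."""
    hits = set()
    for line in lines:
        for addr in EMAIL_RE.findall(line):
            share = registry.get(addr.lower())
            if share:
                hits.add(share)
    return hits


if __name__ == "__main__":
    # Constructed donor list.
    donors = [
        {"name": "Alice Example", "email": "alice@example.com"},
        {"name": "Bob Example", "email": "bob@example.com"},
    ]
    crm_copy, crm_reg = seed_canaries(donors, "crm-export")
    partner_copy, partner_reg = seed_canaries(donors, "mailing-partner")
    registry = {**crm_reg, **partner_reg}

    # Constructed "leaked dump": one partner canary plus a real-looking line.
    leaked_lines = [
        f"{next(iter(partner_reg))}:hunter2",
        "bob@example.com:password1",
    ]
    print("leaked copies:", scan_dump(leaked_lines, registry))   # {'mailing-partner'}
```

Because the registry is keyed by address, the scan is a cheap dictionary lookup per email found, so it scales to dumps with millions of lines without comparing real donor records at all; only the canary list needs to be kept secret and backed up alongside the key.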
The consequences of a cyber incident can be costly and far reaching. Criminals are capitalising on global events to make financial gain, yet there are ways to minimise risk and close security gaps.
By keeping a watchful eye on their own data and putting systems in place which can forewarn of potential attacks, charities can prevent the goodwill of their supporters from being exploited.