“Do you think cyber-security is a risk for charities?” This wasn't an idle question over coffee. It was posed by the chair of the risk management committee at a prominent charity. The answer should be a resounding “yes” and recent high profile events should serve only to underline the fact that information security, or cyber-security as it's recently become more widely known, should be high on the agenda for all charity trustees, chief execs, and board members. After all, it's ultimately their responsibility to keep information safe.
To underline the fact that the third sector is as much at risk from cyber-attacks as any other sector, the Charities Commission recently issued an alert containing regulatory advice under section 15(2) of the Charities Act 2011 following the WannaCry ransomware attack that crippled many organisations worldwide and, notably, large parts of the NHS in the UK.
In a recent conversation with ‘Malwaretech', the researcher who stopped the WannaCry ransomware attack dead in its tracks, he revealed “I was just doing my job.” Being as diligent as him at ‘just doing the job' will go a long way to ensuring that the information your charity is entrusted with will remain safe and secure.
Of the many organisations that were affected by this incident, most fell foul of the attack because they were using unsupported or unpatched operating systems, and no doubt found themselves in that predicament because of under-investment in cyber-security basics.
We're not just talking money here. Patch, update, and protect is a simple mantra for IT folks to follow but can often be ignored until ‘business as usual' comes to a grinding halt when the information systems fail.
To protect and serve....
It has become imperative to find out who is taking the lead on cyber-security. It may be that you have a CISO (chief information security officer), or an ISO, or an IT guy, or a Risk Manager, or maybe a Data Protection Officer. The glib answer is that everyone is responsible for information security and it's up to the board to know the answers to some basic questions.
Start simply by assessing the value of your information assets and look at what you should be protecting. Charities have always relied on supporters, donors, philanthropists, even government funding, and it's unlikely that charities would have the money to continue to fulfil their charitable objects if the personal information about their supporters or their beneficiaries is hacked, leaked, or generally abused by cyber-criminals.
Charities are often ‘cash rich'. They're good at shaking collecting tins to garner loose change, they're also very good at taking online payment cards donations in return for not much more than a warm fuzzy feeling. The bad guys know this and aren't averse to skimming off a percentage of the take by spamming a generous public with phishing emails purporting to be from a charity. Nor are they averse to setting up bogus websites in the wake of tragedies to rake off well-intentioned donations from an unsuspecting public. If your supporters get taken for ride by believing they're donating to your cause, they make think twice when you ask them for real.
This time it's personal...
Increasingly though the attraction is not the money, after all credit card details can be bought from the depths of the web for next to nothing. The big money is in personal information and around three quarters of all charities hold personal information in their systems. The donor database, the membership system, records of beneficiaries, even internal phone directories and address books are all valuable targets for hackers and scammers who will use this information to launch attacks against those individuals.
Snaffling your data on purpose requires a little more ingenuity than relying on mistaken identities and misplaced trust - not that that doesn't help. With many information systems accessible via the web, the internet is a happy hunting ground for those intent on helping themselves to your data. A technique known as SQL Injection has been, and remains, the hacker's favourite attack on databases and can simply syphon data out of a web application that has been poorly designed and badly written. The databases serving up information to the application may be vulnerable to maliciously crafted SQL (Structured Query Language) statements that are innocently executed by the application. It's easy enough to prevent with careful and professional coding but is often ignored making it the single most common attack on corporate data. The Open Web Application Security Project website, or OWASP for short, is a goldmine of advice on this and other web application attacks.
It's tempting to think that no-one would purposefully target a charity but campaigning for a cause or raising funds to further a noble ideal may attract the attentions of opponents, rivals, and even state actors. So called hacktivists may take down or deface your public website to discredit your charity or silence your voice. The tools to do this are readily available and require little technical knowledge. A distributed denial of service attack (DDoS) that clogs up your network can easily be launched from the kitchen table, directing an army of zombie bots at your website, your remote access service, your client portal, or anything else you have on the web. These robot networks, or botnets, made up of infected PCs or other internet connected devices are readily available for hire.
It's not always personal...
Putting your systems ‘beyond use' is also the goal of ransomware. From home users to large organisations, ransomware is the latest scourge and like many other types of malware, often infects devices via the internet but can just as easily find its way onto your computers from a USB drive or an inadvertent click on a malicious attachment in email. Having established itself with a cozy home on a laptop or PC, ransomware will studiously set about encrypting every file it can get sight of, and at an amazing speed. In the aftermath of a recent attack more than 100,000 files were found to have been scrambled by the Zeus virus in under an hour.
Frustratingly, your files are still there, staring you in the face, as is the demand from the perpetrators for payment. In return for which they'll promise to give you the key to decrypt your files after paying a ransom usually paid in the crypto-currency, bitcoin. Rather than pay the money, the remedy is to restore from backups which may be a lengthy process and it's likely that some of your most recent data will have been lost. Either way your operations will have been severely disrupted.
The extent of the loss in these incidents can be limited with good user access controls. Giving every user account full admin rights is a sure way to guarantee that the ransomware has full and free access to every file. It is best to follow the principle of least privilege when granting user access to ensure that a user can only access the files and systems that they need to do their job.
Users are critical when thinking about defending your organisation. Clicking on attachments, downloading dodgy files, cruising infected websites makes them part of the problem and since they are on the inside of your perimeter defences it's highly likely that users have the access to valuable information assets which is rightly denied to those outside the organisation.
Phishing emails are a common way to ensnare people into being an unwitting accomplice. And it doesn't always need a malicious attachment to launch an attack. Simply including a link to a bogus website in an email with a request to ‘click here' will often do the trick. Once faced with a website with a clear instruction to comply all manner of information can be gleaned including usernames, passwords and payment card numbers.
It's better to make sure that staff are aware of just what perils can and will befall them. A good information security awareness induction has become a must and can prepare employees and volunteers for the scams, cons, and social engineering that they are likely to face in cyberspace. Encouraging people to report anything that doesn't seem right can often head off attempts to compromise and defraud the organisation. Furthermore, it helps everyone to report such incidents to the police via the Action Fraud website. A search of its website will highlight a number of charity frauds and scams and provide useful insight.
Occasionally things get a bit closer to home and it's not unknown for information to be spirited away on purpose. The so-called ‘insider threat' shouldn't be taken lightly. Employees making off with the company's information is far from a new phenomenon. Donor data, for example, should be safe and sound in your supporter database and not being carried out of the front door on a USB drive.
Making things clear and unambiguous is a good way to ensure that staff know what's acceptable and what's not. Good policies are the cornerstone of information security and the user access policy should be at the top of the list. Enacted by standard procedures, it's something that can be easily checked and audited for compliance. An account for each and every user coupled with password complexity and expiry rules goes a long way to establishing the basis of a secure organisation.
With the tightening of data protections laws in the EU's incoming General Data Protection Regulation (GDPR) it doesn't pay to let personal information be leaked, either from malicious actions or inadvertent disclosure. It's all too easy for employees, volunteers, or even chief execs, to accidentally email all and sundry with information that should have been treated as confidential. Charities are not above the law and this type of incident alone will attract censure and hefty fines from the Information Commissioner's Office (ICO). It will be wise to ensure that a request for that spreadsheet of personal data is legitimate and, better still to ensure that it never gets mailed to anyone as an attachment. Once it has left the safety of your servers it's difficult to protect data in transit as it wings its way across the internet.
It could be argued that everyone knows how to use computers, but do they know how they are expected to use them at work? Everyone uses email and social media is a breeze but it's doubtful, even though they may have every bit of consumer tech available, that they are aware of the systems, procedures, policies, and good practice that is demanded of professional organisations. An IT induction, preferably delivered online and prior to starting the job, can ensure that staff become well versed in what's expected before they get the keys to the crown jewels. It's not about IT competency, the purpose of good IT induction is to inform and educate not only on the appropriate use and governance of internal services but also on the external regulation, compliance, and risks.
Bring your own...
Increasingly employees expect to use their own tech. A well thought-out ‘bring your own device' (BYOD) programme could indeed deliver benefits but it's rarely as simple as letting staff connect whatever they want to the corporate network. The same information security principles apply only more so, and enforcing password policies, device encryption, and secure data networks requires buy-in from all parties.
Mobile working is perhaps the natural successor to ‘remote working' but the thought of staff using their own laptop to connect to your corporate systems via the unsecured internet in a local coffee shop should give pause for thought. In that scenario it's relatively easy to harvest data, and even login credentials. A ‘man in the middle' attack could route data in transit via a fake hotspot straight into the hands of the bad guys.
Connecting to a well-secured and internet-accessible gateway is of course entirely feasible, and bolstering the authentication process with, for example, two factor authentication will do much to ensure that the person logging on has the permission to do so. Confirmation of that permission with an additional credential by perhaps a code sent by text, or a secure token as adopted by many internet banking services, will provide a secondary authentication factor on top of the user's password.
The proliferation of cloud services has facilitated access to organisational information by requiring little more than an internet connection, but has compounded the access problem for users potentially having to remember multiple logins and passwords for each service. There is an answer to this, it's another cloud service providing a ‘single sign on' (SSO) service so that users only have to authenticate once to access the multiplicity of systems at their disposal. However SSO may not be the ultimate panacea and it's worth remembering that user credentials are some of the most valuable data an organisation possesses. They are the keys to the corporate data door and it may be better to keep them close.
With many services now being deployed in the cloud there comes a complacency nurtured by an ‘out of sight and out of mind' attitude. Whether corporate data resides in servers ‘on premise' or ‘in the cloud' there are still questions to answer about who's taking care of the data. Any adoption of a proposed cloud service should be preceded with a few simple questions such as “where exactly is my data?”, “how do I get my data back?”, and “who can access my data?” Same questions, but maybe different answers.
The Cyber Essentials and Cyber Essentials Plus schemes are a government initiative to ensure that any organisation, including charities, can embrace a practical stance on information security. Covering five basic technical controls, the scheme provides a framework to assess the requirements that an organisation must meet in order to assure a minimum adequate approach to cyber-security.
Step by step, the framework spells out the objectives and controls that need to be implemented covering firewalls, secure configurations, user access controls, malware protection, and patch management. Meeting the requirements for each of these areas will go a long way to ensuring an organisation can demonstrate a responsible approach to cyber-security. It's a reasonably straightforward task and it's acceptable to make a self-assessment if there is someone up for the job.
So for example, the requirements for firewalls cover not only the firewall that delineates the boundary between the internal networks and the external network that is the internet, but also the routers and switches that make up those internal networks, and the local firewalls on computers and laptops that connect to those networks. To comply the organisation must ensure that default passwords are changed, ensure that no-one can access the device via an administrative interface, that firewall rules are approved and documented, and that devices using untrusted networks such as wifi hotspots, are protected by local firewalls. When it comes to patch management, the requirements are equally simple: To ensure that all software is licensed and, perhaps more importantly, supported, and that it is patched when updates are released, especially when the patch fixes a critical vulnerability.
Finding the technical assurances to complete a self-assessment of the Cyber Essentials requirements may take some time and will require the co-operation of the IT team. Alternatively, it may be more prudent to engage an accredited body to make the assessment bringing the additional benefit of an impartial review to the charities defences.
It's a benefit to the charity sector that there are many people able and willing to help with the assessment process and often able to share their own experience to guide the process. The Charities Security Forum, which uniquely represents information security professionals working exclusively in charities and not-for-profits, is a good place to start and its members will often freely offer advice and support.
Achieving a successful assessment will entitle an organisation to the Cyber Essential accreditation. A Cyber Essentials badge displayed on corporate communications proclaims that the organisation has addressed the essential security controls and evidences to supporters, beneficiaries, and partners that cyber-security is taken seriously.
It should be clear that charities are not immune to cyber-security threats and that the risk to their operations is as real as the recent attacks on banks, on governments, and on public sector institutions. It's highly likely that some charities will suffer collateral damage from cyber-security incidents even they may not have been directly targeted. In the eyes of the public there may be no discernible difference and it is prudent to deal with the risks sooner rather than later. In documenting some of the risks and remedies there is a great deal of advice and assistance available. Cyber-security for charities is much higher up the board agenda than it ever used to be - and if it isn't at your charity then it's time it was.
Here's a list of organisations that might be able to help...
Charities Commission: https://www.gov.uk/government/news/ransomware-threat-keep-your-charity-safe
Get Safe Online: https://www.getsafeonline.org/articles/charitycommission/
NCSC Cyber Essentials: https://www.ncsc.gov.uk/scheme/cyber-essentials
NCSC Cyber Essentials Requirements: https://www.ncsc.gov.uk/information/requirements-it-infrastructure-cyber-essentials-scheme
Charities Against Fraud: http://charitiesagainstfraud.org.uk
IT Induction and Information Security Awareness: https://www.itgovernance.co.uk/shop/product/it-induction-and-information-security-awareness
Open Web Application Security Project (OWASP): https://www.owasp.org/index.php/SQL_Injection
Information Commissioner's Office (ICO): https://ico.org.uk
Information Commissioner's Office GDPR: https://ico.org.uk/for-organisations/data-protection-reform/
The IASME Consortium: https://www.iasme.co.uk
Charities Security Forum: http://charitiessecurityforum.org.uk
and of course, SC Media: https://www.scmagazineuk.com