How High is Cybersecurity on Your Nonprofit’s Agenda?
According to the 2019 Cyber Security Breaches Survey, two in ten UK charities report having cyber security breaches or attacks in the last 12 months.
Among this 22% of charities facing security breaches or attacks, the most common forms are:
- Phishing attacks (identified by 80% of these businesses and 81% of these charities)
- Others impersonating an organisation in emails or online (28% of these businesses and 20% of these charities
- Viruses, spyware or malware, including ransomware attacks (27% of these businesses and 18% of these charities).
The internet is as convenient, exciting and lucrative, as it is dangerous and dark. The web has evolved through the years and so too have the criminals that are out to harm others. Cyberattacks are coming thick and fast and it only means information security, or cyber security as more widely known, should be high on the agenda for the nonprofit sector.
Cybercrime exists in several dimensions, leaving in its wake financial losses, data loss and reputational damage for the organisation that has been attacked. There is also a sense that, moving forward, the “cyber” label will change as a number of the crimes associated with ‘cyber’ now have a technology component. This is because some cyberattacks happen first through unlawful access of a victim’s device e.g. a mobile phone before sensitive personal data is then stolen.
Email is still the number one vector for malware while phishing continues to be a real pain for individuals and organisations.
The introduction of GDPR in May 2018 may have led to a new approach by charities to cybersecurity, but it is critically important to understand that people influence security more than anti-phishing solutions, technology or policy.
In other words, technical measures are important in stopping phishing attacks but the strongest link remains the people - staff, trustees and volunteers. It’s vital to help staff, trustees and volunteers understand their critical role in protecting the organisation and that they are given the information on how to be cautious in handling emails.
Mobile
Being able to access data whilst on the move is now a given for most organisations. Security on the move is a major issue particularly for organisations in which staff members use (or bring) their own devices (BYOD). From a security perspective, phishing is both different and more problematic on a mobile device for the following reasons:
- Mobile devices are connected outside traditional firewalls
- They typically lack endpoint security solutions
- Most devices regularly access a number of messaging platforms not used on desktops
- Attacks could happen outside office hours and therefore the user cannot contact the IT person or staff with responsibility for cybersecurity
- The mobile user interface does not have the depth of detail needed to identify phishing attacks, such as hovering over hyperlinks to show the destination. As a result, mobile users are three times more likely to fall for phishing scams, according to antivirus providers.
Messaging Apps
Many charities now use WhatsApp to stay connected with volunteers, trustees and service users. Since 2016, WhatsApp has enabled and implemented end-to-end encryption for privacy and security, but even at that, the app is not immune from criminal attacks going by events of the last few days. Hackers remotely installed surveillance software on phones and other devices using a major vulnerability in the WhatsApp. A fix was rolled out on Friday, 10 May and WhatsApp says all users should update the app as an added precaution immediately.
How do I update WhatsApp?
Android
- Open the Google Play store
- Tap the menu at the top left of the screen
- Tap My Apps & Games
- If WhatsApp has recently been updated, it will appear in the list of apps with a button that says Open
- If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the new version
- The latest version of WhatsApp on Android is 2.19.134.
iOS
- Open the App Store
- At the bottom of the screen, tap Updates
- If WhatsApp has recently been updated, it will appear in the list of apps with a button that says Open
- If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the new version
- The latest version of WhatsApp on iOS is 2.19.51.
WhatsApp, which is owned by Facebook, said the attack targeted a "select number" of users, and was orchestrated by "an advanced cyber actor".
It promotes itself as a "secure" communications app because messages are end-to-end encrypted, meaning they should only be displayed in a legible form on the sender or recipient's device. However, the surveillance software would have let an attacker read the messages on the target's device.
Signal, Wire, Telegram, Wickr & Pryvate are other popular messaging apps.
A totally secure, encrypted messaging service is the “Holy Grail” for many people and organisations, but messaging apps' assurances that they can truly achieve an unbeatable level of security usually collapse under scrutiny.
Strategic approaches to cybersecurity
- Investment in cyber security – a greater engagement with the topic is demanded. Charities must invest in increasing staff awareness and influence behaviours that support secure use of technology.
- Risk management – rules and controls must be implemented by an organisation to stay protected.
- Other cybersecurity essentials: a responsible staff for cyber security and governance, user education and training, regular simulations on phishing, cybersecurity policy, board-level engagement with cyber security, removable media (USB) controls, policy on email use as well as policy on home, mobile & remote working.
“There are two types of companies: those that have been hacked, and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”– Robert Mueller, FBI Director 2001-13
Don’t let your organisation be the one that will be hacked (or hacked again).
As always, knowledge is power when it comes to combatting cyber threats.
An Invitation
Join The Wheel’s Information Systems Officer, Femi Atoyebi on 14 June in a webinar on how you and your organisation can be cybersecurity conscious, reduce the capacity for error and stay protected.