Charities & Not for profit

Digital risk management - cybercrime update

Mike Harris

Cybercrime poses increasing risks globally and across Ireland, with daily reports of attacks on a broad range of organisations. Cyber criminals do not distinguish between their victims; they simply exploit whatever they can with the intent to steal funds or information, or to cause disruption. Charities are no exception. Like any other organisation, charities have become increasingly reliant on IT and technology to carry out day-to-day activities. Given the countless reports of cybercrime of varying scale, organisations are finally coming around to accepting that a cyber-attack is no longer a case of ‘if’ but ‘when’.

Suffering a cyber-attack, whether falling victim to phishing or ransomware and losing access to technology and data, or experiencing a data breach or financial loss, can be devastating, both financially and reputationally. In the charities sector in particular, financially motivated cyber criminals are likely to pose the most serious threat. The sensitivity of the data held by charities is another factor that cyber criminals will seek to exploit, and once systems are compromised they will look to monetise their efforts by demanding payment.

The good news is that investment in cyber security does not necessarily mean a large financial outlay or a strain on time and resources. Charities can begin to take practical steps and promote simple measures to protect their data, assets and reputation. This has the added benefit of demonstrating to your supporters, donors and beneficiaries that you take cyber security seriously.

Your charity’s information is valuable to cyber criminals, so don’t let them use it against you.

Practical steps to better security:

  • conduct regular awareness training (e.g. phishing and malicious links) to foster security-focused behaviour and culture across the entire organisation;
  • enforce the use of strong passphrases and two-factor authentication for important user accounts;
  • manage user accounts to prevent staff from accessing information they do not need to carry out their work;
  • regularly back up your important data to a secure location and test restores, so that you know you can recover the data in the event of loss, damage or a ransomware attack;
  • protect your laptops, smartphones, tablets and servers with continually updated anti-malware software on every device;
  • keep mobile devices safe through the use of password/fingerprint recognition and encryption/remote-wipe mechanisms. This provides protection in the event of a device being lost or stolen;
  • control the use of removable media (e.g. SD cards, USBs) by disabling ports or limiting access, as these are common vectors for malware;
  • keep all IT hardware and software up to date through regular patching;
  • enable firewall protection to create a buffer zone between your network and the internet;
  • know what data you have stored in your systems and ensure that GDPR compliance is well underway; and
  • rehearse incident response to a data breach with the board / executive management.
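The "back up and test restore" step above is the one most often done half-way: backups are taken, but nobody checks that they can be restored until the day they are needed. The following POSIX shell script is an added example, not code from the article or its author, showing the minimum worth automating: take a backup of a directory, record a checksum manifest of the live files, restore the archive into a scratch directory (never over the live data) and verify every file in the manifest against the restored copy. The directory paths and file names are assumptions; adapt them to your own systems.

```shell
#!/bin/sh
# Added example (not from the original article): back up a directory and prove
# the backup can be restored. Requires tar, sha256sum and mktemp (GNU coreutils
# or busybox). All paths used here are assumptions.

# make_backup SRC_DIR BACKUP_DIR
# Writes BACKUP_DIR/<name>-<timestamp>.tar.gz plus a <archive>.sha256 manifest
# of the live files (paths relative to SRC_DIR, so the manifest can be checked
# against any restore location). Prints the archive path on success.
make_backup() {
    src="$1"
    dest="$2"
    name=$(basename "$src")
    stamp=$(date +%Y%m%d%H%M%S)
    archive="$dest/$name-$stamp.tar.gz"

    mkdir -p "$dest" || return 1
    # Manifest is written outside $src so it is not captured inside the archive.
    (cd "$src" && find . -type f -exec sha256sum {} + | sort -k2) \
        > "$archive.sha256" || return 1
    tar -czf "$archive" -C "$src" . || return 1
    printf '%s\n' "$archive"
}

# verify_restore ARCHIVE MANIFEST
# Restores ARCHIVE into a fresh scratch directory and checks that every file
# listed in MANIFEST exists there with the recorded checksum. Returns 0 only if
# the restore reproduces every recorded file; a missing or altered file fails.
verify_restore() {
    archive="$1"
    # Make the manifest path absolute: the check runs from inside the scratch dir.
    manifest="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
    scratch=$(mktemp -d) || return 1

    if tar -xzf "$archive" -C "$scratch" \
        && (cd "$scratch" && sha256sum -c "$manifest" >/dev/null); then
        rm -rf "$scratch"
        return 0
    fi
    # sha256sum reports the failing file(s) on stderr before we get here.
    rm -rf "$scratch"
    return 1
}

# Usage: sh backup_check.sh /path/to/data /path/to/backups
# (assumed paths; the demo only runs when both arguments are supplied)
if [ "$#" -eq 2 ]; then
    archive=$(make_backup "$1" "$2") \
        && verify_restore "$archive" "$archive.sha256" \
        && echo "backup and restore test OK: $archive"
fi
```

Run it from cron or a scheduled task and treat a non-zero exit as an incident to investigate, not a warning to ignore: a backup that fails its own restore test is not a backup. Restoring into a scratch directory rather than the live location is deliberate, so that a corrupt archive can never overwrite good data during the test.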