Escalating cyber threats to charities
Nigel Thorpe, technical director at SecureAge looks at the increase in cyber attacks on charities/NGOs and suggests it’s time for a new approach
Ransomware and cybercrime is on the rise. Charities and NGOs are no stranger to this growing trend and are often the victims of attacks targeting critical yet vulnerable critical infrastructure such as health, water and food. Over 50% of NGOs report being targeted by cyber attacks, as a growing number of recent incidents illustrate.
NGOs involved in humanitarian and other actions are heavily dependent on mobile and digital technologies to coordinate and fulfil their missions. They often operate in regions with limited or unreliable infrastructure that can expose them and employees to acute risk of data interception, tracking, or unauthorized access with potentially lethal consequences for volunteers, beneficiaries and other stakeholders. NGOs may also be targets of malicious and politically motivated cyber attacks, from defacing websites to hijacking and misusing their identities and credentials to misdirect resources and volunteers and spread malicious misinformation.
The latest Cyber Security Breaches Survey, published by the Department for Digital, Culture, Media & Sport, says that 57 per cent of charities with incomes of more than £500,000 a year were affected by cyber attacks or breaches in the 12 months before the survey took place.
A fifth of charities affected by cyber breaches reported these incidents occurring at least once a week, according to the report.
In July 2020, The Charity Commission said that more than 30 UK charities had been affected by the Blackbaud ransomware attack, one of the largest providers of fundraising, financial management, and supporter management software to the UK charity sector. Charities affected included the national homelessness charity Crisis and mental health charity YoungMinds. The company apologised to customers and paid the ransom to ensure that data would not be made publicly available or shared elsewhere.
In the US in May 2021, Microsoft’s Threat Intelligence Center announced that Nobelium – a major cyber hacker group – had infiltrated the emailing platform of the US Agency for International Development (USAID), which leads the US Government’s international development and disaster assistance efforts.
The cyber criminals used this access to build an email phishing campaign to target over 150 organisations worldwide, including NGOs and civil society organisations (CSOs). These malicious emails aimed to trick recipients into believing that this was a legitimate contact from USAID. If they clicked on the email they could have handed over sensitive information or downloaded malware onto their systems.
In response to this increase in attacks, over 50% of NGOs have already partially developed cybersecurity frameworks and have introduced awareness training for their staff. But at the same time, lack of resources means that many organisations are unable to employ dedicated staff toward comprehensive cyber protection.
And here lies the problem. Like most organisations, NGOs have traditionally approached cyber security by trying to stop the cyber criminals and hackers getting in. Yet history tells us that it is impossible to stop every cybercriminal, all of the time. So, if we can’t keep the cyber criminals out nor trust the people around us, we must rethink the traditional ‘castle and moat’ methods of protection and adopt a data centric approach, where security is built into data itself.
Full disk encryption technology is often used to protect data when it is at rest on a hard disk or USB stick, which is great if you lose your laptop, but is of absolutely no use in protecting data against unauthorised access or theft from a running system. Data therefore needs to be protected not only at rest, but also in transit and in use, on site or in the cloud.
But this is no easy task. In a recent IBM and Ponemon report, 67% of respondents said discovering where sensitive data resides in the organisation is the number one challenge in planning and executing a data encryption strategy. Data classification technology is often used to identify ‘important’ or ‘sensitive’ data, but the report found that 31% cited classifying which data to encrypt as difficult. Then there is the question of where you set the ‘importance bar’? Even seemingly trivial information can be useful to a cybercriminal, since they are adept at amalgamating small pieces of data to form a bigger picture, to build a spear phishing attack at an individual, for example.
A universal approach
So why is it that the accepted norm is to encrypt only the ‘most important’ or ‘sensitive’ data? The problem is that traditionally, encryption has been considered complex and costly and detrimental to performance and productivity. But with advances in the technology and fast processing speeds, seamless data encryption can now be used to protect all data – both structured and unstructured. This way, classification for data security purposes becomes irrelevant and stolen information remains protected and useless to cyber criminals.
This approach also works with legacy systems, which are outdated but still perform an essential job. Many legacy systems are still used by NGOs and were not designed to be exposed to public networks. But as staff, customers, supporters and suppliers need direct access to business processes, new online services have been built on top of this ageing technology. When connected to the outside world, legacy system data – such as customer details, operational data and sensitive information – becomes vulnerable. But by protecting the data itself, these risks are mitigated.
As hackers seem to have no problems or social conscience with targeting charities and NGOs with their cybercrime sprees and ransomware attacks, it’s time to take them on at their own game, by encrypting the data before they can get to it.