How cybercrime impacts the charity sector [Q&A]
Charities handle billions in funds every year and hold financial and personal information that cybercriminals increasingly see as a tempting target. Yet, according to the UK's Charity Commission, only 58 percent of charities think they are at risk from cybercrime.
But for a sector whose success is built on its reputation and the goodwill of its supporters, the loss of any sensitive information or fraud through phishing attempts can be devastating.
We spoke to Jeremy Hendy, CEO at digital risk protection company Skurio, and Jonathan Chevallier at charity software specialist Charity Digital to find out why the sector is especially vulnerable and how it can protect itself.
BN: Why are charities particularly vulnerable to cybercrime?
JC: I think there are two reasons why charities are especially vulnerable. There are two ways to try and penetrate them, the standard kind of scam that someone might try on any business. But then there's also trying to get hold of donor data and then trying to persuade the donor to donate to the scammer rather than to the charity.
I guess somebody gives to charity because they feel positively inclined to that charity so that's going to make them less suspicious of something they think comes from a charity, not realizing it's a scam. The same applies to people who work in charities, because they have a more positive frame of mind that causes them to maybe look a little bit more on the positive side and be less suspicious of scams.
JH: At Skurio we've been working with charity customers for the last three or four years. Talking to some charities in the past, a lot of the staff or volunteers are well intentioned but not necessarily the most tech savvy. Similarly at the top, a lot of the trustees tend to be a little bit older and again maybe not quite so technically aware.
There are also supply chain problems where we see quite a lot of charities have had things like compromised credentials exposed in third party breaches on sites and forums, so it's quite easy to get hold of a list of email addresses and passwords for people that work in charities.
BN: Is that partly because the sector is more reluctant to spend on cybersecurity than commercial businesses?
JC: The charity sector is very expenditure conscious, that money should be channeled towards beneficiaries, which leads to a natural reluctance to spend, I think. We have to be a little bit careful not to generalize too much, some are very good, but unfortunately there are probably too many who would just take the view that we're not much of a target, why would anybody bother having a go with us because we're not a corporation with large assets. They don't understand there's some value in the data.
We work very closely with the National Cyber Security Centre, because we're very keen to make sure that charities do understand this risk and that they do spend a sensible amount of money on appropriate protection.
BN: Is it particularly damaging for charities if they do suffer a data breach?
JC: I think they're perhaps even more sensitive to reputation management than a consumer brand because a charity exists on reputation and trust. So you have to spend -- we're not talking about large sums of money -- but you have to spend to protect that reputation by emphasizing security.
BN: Would that mean a move towards more automation to make effective use of security budgets?
JH: If you can automate you should be automating because it can be difficult for charities to retain skill sets like security. There are things you can automate at very low cost which is helpful but also means you're not reliant on having specific expertise in the building at the right time.
Skurio has a lot of automated threat monitoring built in. The largest charities have the level of expertise to run with that directly themselves, as you move down the size scale into what we call 'kind of large' -- but not a big organization in commercial terms -- then they've maybe got a small amount of IT but they won't be specialists. And then there are the very small ones who need a very simplistic service, which is a free service as well.
BN: Is there maybe scope for greater partnership with businesses that do have the security skills?
JH: As a managed service provider, it's difficult to put a lot of people cost in for free. I think because our solution is very automated then it is something we are able to do to deliver those technical services. In some cases that might cost, but you do need some people behind it. I think it's just like any other business in the sense that smaller organizations that, generally, can't justify having a full time IT security team in-house can access that through either a managed service, or in the case of charities through Charity Digital.
BN: Obviously, the world has changed a bit in recent months, we now have a lot more people working remotely. How has the sector responded to that new challenge?
JC: Just like other sectors charities responded in different ways but in many ways maybe behind some other sectors. Because there's quite a lot focused on more traditional approaches to business, so a lot of charities weren't set up to support remote working which meant there was a bit of a scramble to do that. And the positive side was people responded really well. The services were slightly interrupted but things did carry on.
But I think the downside to that, and evidence from surveys points to this, is there's probably quite a lot of home kit, essentially bring your own because you've got it. And that kit may not therefore have the same level of protection that you might have had on a piece of equipment that was supplied by the organization in the first place. It's also likely to be used for accessing a wider variety of websites and services. We've been encouraging charities to make sure that they're aware of these risks and undertake some simple, basic steps to protect themselves.
BN: Is that an educational challenge as much as a technology one?
JC: Yeah, a lot of what we do digitally is around education. We publish updates on cybersecurity every month, we run regular webinars, podcasts and other content as well just to, I guess, keep the subject in the spotlight, to make sure that people who haven't engaged before start to engage and think about it and make the sector safer overall.
JH: I'd echo those comments, I think a lot of organizations have still been stuck in the world of cybersecurity being about defending the perimeter of the building and the organization. In building a remote working strategy you have to recognize you have devices -- even if it's a corporate device -- at home working on an untrusted Wi-Fi network with all the other IoT devices that could easily be compromised.
BN: Are we seeing the same shift to SaaS in the charity sector that we've seen elsewhere?
JC: Yes, I think it's been a little bit slower than in the commercial sector. But again, changing processes have actually accelerated that. Because the charities that are already using SaaS -- whether it's Google Suite for example or Office 365 -- they found the whole WFH process much simpler because core office productivity systems are already in the cloud.
I think it's really shone a light on the benefits for people and for those who were maybe cynical and reluctant to push them along that line. We certainly saw a lot more traffic coming through. We know charities take advantage of things like Office 365 that has special charging rates, but they have to be validated by Microsoft. We saw a spike in validations that actually came through around March, April, May time and it was significantly up on previous months.