Recent high-profile attacks against non-profit organisations reinforce the fact that no industry is immune to the rise in cyber crime. Charities should not fall for the bait!
Cyber criminals don’t discriminate in their efforts to secure the biggest pay-out possible. Cancer Research UK was targeted by the same hackers that stole the data of 400,000 customers from both British Airways and Ticketmaster.
81% of charities reported being targeted by a phishing attack in 2019. Therefore, it’s no surprise that three-quarters of charities say that cyber security is a high priority for their organisation’s senior management, according to the Cyber Security Breaches Survey, conducted by the Department for Digital, Culture, Media & Sport (DCMS).
As with most modern organisations, the way in which charities operate on a daily basis has been affected by a wave of digital transformation. Trends such as BYOD (bring your own device) may have advantages for productivity and connectivity, but organisations are simultaneously making themselves more vulnerable – and the stakes for non-profits are increasingly high.
For charities, the average cost of a breach was £9,470 in 2019, and there is also the challenge of complying with GDPR, which threatens heavy fines for mishandling personal data.
Aside from the financial penalties, breaches and cyberattacks can put vulnerable beneficiaries at risk, disrupt operations – and leave reputations in tatters.
Phishing for a solution
Phishing is a good example of a cyber attack that has become increasingly sophisticated. The crude mass email with a malicious link or attachment has fallen out of vogue; criminals now send highly specific, customised emails to catch employees or volunteers out. These attacks target individuals who have access to high-value information, often use sender addresses that are almost identical to those of a colleague or family member, and carry content that, on the surface, is not suspicious at all.
One such tactic is referred to as CEO fraud, a form of impersonation attack in which attackers pose as the CEO of an organisation to dupe a more junior employee into sharing sensitive information or making a purchase or payment. Because there is usually no malicious link or attachment to match on, these attacks are much harder for traditional email security tools to catch, and employees often struggle to keep up with what to look out for. All it takes is one individual falling for a phishing email for a whole organisation to be compromised, to catastrophic effect.
When it comes to fighting off these phishing attacks, ongoing education about the modern techniques that cyber criminals employ should be regularly carried out at all levels of an organisation. Employees and volunteers need to remain cautious and vigilant, by avoiding emails from unknown contacts, and not clicking on attachments and links in emails whether or not the sender appears to be a legitimate organisation or individual.
Unfortunately, education is simply not enough. The cyber skills gap is exacerbating the problem and affecting businesses and charities alike. Only 37% of charities believe that their cyber security professionals have the right skills and knowledge to keep their organisation protected effectively. Yet there is already far too much pressure on these IT professionals, who are overwhelmed by the diverse range of responsibilities in their role and the tactics that hackers have at their disposal.
For far too long, the scales have been tipped in favour of the criminals. The onus falls on the leaders of non-profits to invest in technology that will prevent employees from being exposed to these malicious links and phishing emails in the first instance.
Evolving threats require evolving security
Traditional email security tools use pattern-based approaches, checking messages for elements that have already been observed in a current or earlier spam run. Although this approach is still valuable, it is fairly rudimentary and not enough to identify the new, customised methods of modern hackers: a one-off, targeted message has by definition never been seen before.
To keep up with the latest threats, non-profit organisations should be deploying email security that uses algorithmic analysis to identify suspicious emails, as well as traditional pattern matching. As threats have evolved, email security tools have had to evolve as well. Rather than matching email content against known samples, algorithmic analysis breaks the email down into its core characteristics and attributes (for example the sender's address and display name, the Reply-To address, the sending domain, and the language used) and assigns each email a weighted score for how suspicious it is based on those attributes. Using this far more sophisticated analysis, alongside pattern analysis, organisations can go a long way to halting incoming attacks before they reach the
Threat intelligence is also becoming increasingly important in many aspects of email security. For example, domain-based threat intelligence will assign a high risk rating to a domain whose registrant has a track record of registering domains and using them to launch attacks or distribute malware.
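To make the attribute-scoring idea concrete, here is an added example (written for this page, not Censornet's code or any product's logic) that breaks a message into a few header and body attributes, weights each one, adds a domain-reputation lookup, and compares the total with a threshold. It also covers the CEO-fraud and lookalike-address cases described earlier. The organisation domain `charity.example`, the executive names, the weights, the keyword list, the `DOMAIN_INTEL` table and the three sample messages are all constructed for the example; a real deployment would draw the reputation data from a threat-intelligence feed and tune the weights against its own mail flow.

```python
"""Added example (not Censornet's code): attribute-based phishing scoring.

The message is broken into a handful of header and body attributes, each
attribute that looks wrong adds a weight, a domain-reputation lookup adds
more, and the total is compared with a threshold. Organisation domain,
executive names, weights, keyword list and the threat-intel table are
all constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "charity.example"                 # assumption: the charity's own domain
EXECUTIVES = {"pat director", "sam chair"}     # constructed: display names staff trust
THRESHOLD = 6                                  # constructed: scores at or above this are flagged

# Constructed stand-in for a domain-based threat-intel feed (0 = clean, 3 = registrant
# has a track record of abuse). Domains never seen before get a cautious 1.
DOMAIN_INTEL = {"charity.example": 0, "charity-payments.example": 3}

URGENCY = re.compile(r"\b(urgent|immediately|today|wire|transfer|payment|gift cards?)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True for a domain that imitates ORG_DOMAIN without being it."""
    if domain == ORG_DOMAIN:
        return False
    org_label = ORG_DOMAIN.split(".")[0]
    return org_label in domain or edit_distance(domain, ORG_DOMAIN) <= 2


def score_message(raw):
    """Return (score, reasons) for an RFC 5322 message given as a string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""

    score, reasons = 0, []
    # CEO-fraud signature: a trusted display name on an address outside the organisation.
    if name.lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        score += 4
        reasons.append(f"executive name '{name}' sent from external domain {from_domain}")
    # Replies routed somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        score += 2
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain")
    if is_lookalike(from_domain):
        score += 3
        reasons.append(f"{from_domain} imitates {ORG_DOMAIN}")
    # Pressure language, capped so a long email cannot dominate the score.
    hits = {h.lower() for h in URGENCY.findall(subject + " " + body)}
    if hits:
        score += min(len(hits), 3)
        reasons.append("urgency/payment language: " + ", ".join(sorted(hits)))
    # Registrant reputation from the (constructed) threat-intel table.
    intel = DOMAIN_INTEL.get(from_domain, 1)
    if intel:
        score += intel
        reasons.append(f"domain reputation risk {intel}/3")
    return score, reasons


def is_suspicious(raw, threshold=THRESHOLD):
    return score_message(raw)[0] >= threshold


# Constructed sample messages (not real traffic).
CEO_FRAUD = "\n".join([
    "From: Pat Director <pat.director@charity-payments.example>",
    "Reply-To: pat.director@mail-relay.example",
    "To: finance@charity.example",
    "Subject: Urgent payment needed today",
    "",
    "Please process a wire transfer of 9,400 to the supplier below immediately.",
    "I am in meetings all day, do not call.",
])
INTERNAL = "\n".join([
    "From: Sam Chair <sam.chair@charity.example>",
    "To: finance@charity.example",
    "Subject: Agenda for Thursday",
    "",
    "Attached is the draft agenda. Comments welcome by Wednesday.",
])
SUPPLIER = "\n".join([
    "From: Accounts <invoices@supplier.example>",
    "To: finance@charity.example",
    "Subject: Invoice 4471 payment due",
    "",
    "Please find invoice 4471 attached, due in 30 days.",
])

if __name__ == "__main__":
    for label, raw in [("CEO fraud", CEO_FRAUD), ("internal", INTERNAL), ("supplier", SUPPLIER)]:
        score, reasons = score_message(raw)
        print(f"{label}: score {score}, flagged={score >= THRESHOLD}")
        for r in reasons:
            print("   -", r)
```

Run stand-alone, the CEO-fraud sample scores 15 and is flagged, the internal message scores 0, and the unknown supplier scores 2 and passes: the point is that no single attribute decides the outcome, which is what lets this approach catch a message with no malicious link for a signature to match, while a plain invoice from an unfamiliar domain is not blocked outright. The reasons list is what an analyst or the user would see, so keep the wording specific.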
As charities continue to modernise and adapt to flexible and digital working environments, it is also important to recognise that phishing campaigns are far from the only form of cyber attack that they will face. The rise of cloud applications and the increasingly mobile workforce continue to multiply the number of vulnerable points for organisations, and this range of potential threat vectors should not be dealt with by volunteers and employees alone.
Employee education needs to be combined with the deployment of multi-layered security, which offers full-spectrum threat protection for organisations and users – across email, web and cloud applications – no matter where they are. As the tactics of hackers evolve, so too must the approach and solutions used to tackle them.
Ed Macnair is CEO of Censornet. He has 30 years of expertise in the technology and IT security industry, with a proven entrepreneurial track record of successfully developing and leading companies. He was previously founder and CEO of SaaSID, a UK-based single sign-on and application security vendor, and Marshal, a global web and email security company. Macnair has held management positions at MessageLabs, Symantec, IBM and Xerox.