You might argue that PCI DSS safeguards would now protect against this. However, as evidenced by the recent British Airways cyber-attack, you would be wrong! No one, no matter how charitable, wants to risk being punished for doing good by having their bank details stolen.
It was years before my friend would even consider giving to this charity again. Being able to make a simple, fast payment using her mobile phone almost motivated her to give. But not quite. My friend continues to quietly donate elsewhere.
Charities are not safe from cyber criminals. The UK government highlighted the threat to charities, with the then Digital Minister, Matt Hancock commenting: “Charities must do better to protect the sensitive data they hold …” GDPR has gone some way to improve the processes surrounding data protection and, according to the Information Commissioner, people’s confidence in organisations that hold their data has increased slightly. The British Airways attack may undermine this. The Information Commissioner will need to decide whether British Airways has conformed to the ‘data protection by design and by default’ requirement. This could be a landmark decision. The criminals who carried out the attack had set up specialist technology infrastructure that was tailored to exploit British Airways’ IT. If the Information Commissioner decides that British Airways should have considered this scenario and protected against it, then the bar for GDPR compliance will be raised significantly.
Charities are also not safe from insider threats. A study by Vanson Bourne on behalf of data security company Clearswift found that 74% of cyber incidents happen within organisations. The most common successful attack is through emails containing malware. Training people within your charities about how to spot these emails is essential.
Other vulnerabilities include: weak passwords, personal mobile phones being added to an organisation's network without adequate screening, and confidential work being performed on public wi-fi networks.
The whole philosophy of cyber-crime prevention has changed from building more complex defences to assuming attacks will come and making sure that organisations have the appropriate means of neutralising them or dealing with them quickly.
So, what can you do to protect your organisation?
The ICO provides a useful 10 step guide to cyber security, which includes:
- Understand and assess the threats and risks to your business
- Use the Cyber Essentials 5 key defence tactics to implement a secure environment:
  - Boundary firewalls and internet gateways in good working order
  - Secure configuration of hardware and software in use
  - Manage access control of devices and data
  - Ensure you have up-to-date malware protection
  - Patch management and software updates are part of an automated and audited process
- Secure your data both in the office and whilst on the move
- Make sure data in the cloud is secure and that your cloud supplier has adequate security in place. Consider availability of critical data held in the cloud.
- Regular back-ups supported by formal disaster recovery policies that are fully tested
- Train your staff to be aware and alert to cyber threats
- Stay alert
- Ensure you have adequate service level agreements with third-party suppliers and internal providers of support
Blue Saffron is a managed IT provider that has been working with charities and not-for-profit organisations for over fourteen years. Actively playing a part in overcoming some of the biggest challenges the non-profit sector faces, we help charities deliver their services and missions better, faster and more cost-effectively. Blue Saffron is an accredited Cyber Essentials assessor, meaning that we can help you to secure Cyber Essentials certification and take a great first step towards protecting your charity.
To find out how the most successful charities are using IT to their advantage, take a look at our series of articles based on a major piece of research that 260 charity professionals contributed to. They provided us with over 30,000 data points that show what’s working, what isn’t and the frustrations they’d really like to get rid of. You can find these articles here.