
Why Charities should take Cyber Risk seriously in 2023 and beyond

03 May 2023

In short, Cyber Risk is the risk that all organizations face from cyber criminals, opportunists or ‘bad actors’ as soon as they are connected to the internet. Virtually every organization today is connected to the internet in some way, even if only through a website and the ability to send email, hence every organization has some level of Cyber Risk exposure.

Whilst we will not delve into the technicalities of Cyber Risk here, this is an opportunity to provide some vital context and an illustration of what the real-world impact on any Charity could be, as this is often the difference between simply knowing about an issue and taking action.

When it comes to the Charities sector in particular, Cyber Risk Management becomes critical.

Highly regarded InfoSec professional Glen Hymers, current Head of Data Privacy & Compliance and Information Assurance at The Cabinet Office and former Global CISO and Head of Data Protection at Save The Children, has this advice for Charities:

“Charities are reliant on funding from both individuals and potentially government sources. To ensure that the trust is maintained, Cyber Security is a key enabler.”

As a trusted partner to your donors and a vital provider of support and services to those in need, often with very limited budgets and little Cyber expertise in house, Charities are in many ways the perfect target for Cyber Crime. It is therefore vital that your Trustees, Board Members, Senior Executives and all of your team members are aware of the risks, understand the potential impacts and maintain constant vigilance.

Consider the following ‘Anatomy of an Attack’, taken directly from the experience of a UK-based Charity within the last 12 months:

  1. A member of the Organization's Finance Team had (quite legitimately) signed up for a Newsletter to keep up to speed with developments in the Charity sector.
  2. The service that owned and operated the database of Subscribers to that Newsletter was breached during a Cyber Attack.
  3. All credentials (including passwords and other Personally Identifiable Information) from the Subscriber Database were offered for sale on the Dark Web.
  4. Those breached credential files were bought by an attacker for the purposes of a Phishing attack.
  5. A Phishing email went out to every contact in that list, including the Finance Team Member at the Charity, who clicked on the link in the Phishing email.
  6. That link took the Finance Team Member to a fake, weaponised webpage which appeared to be legitimate but actually downloaded Malware and a Beacon file to their machine. This simultaneously provided a backdoor for the attacker and alerted the attacker that they now had access.
  7. The attacker used that access to monitor emails for several weeks to establish current and ongoing projects and upcoming financial transactions, identifying the Charity's involvement in providing funds for solar panels to schools in Afghanistan.
  8. The attacker was able to identify the key players in the transaction, including the Finance Director of the Charity and the Head of the charitable organization helping the schools.
  9. After monitoring emails continuously, the attacker inserted themselves into the email chain posing as the Finance Director of the UK-based Charity (using a spoofed sender address that matched the FD's real email address, complete with copied signature and footer), instructing the Finance Team Member to send funds to pay for the solar panels.
  10. As far as the Finance Team Member was concerned, this was a legitimate instruction from the FD, and they sent the funds to the account details listed, which were in fact for an account controlled by the attackers.
  11. Several weeks later, when the real FD queried the payment of these funds, the attack was uncovered.
  12. The resulting loss of funds for the Charity, the replacement payment of the actual funds to provide these much-needed solar panels, and the increase in insurance premiums due to the claims made as a direct result of this attack ran close to a million pounds in total.


How would Cyber Risk Management prevent this?

 

This process is commonly referred to as Business Email Compromise (BEC), and is estimated to have cost the global economy at least $43 billion since 2018. In reality this figure is likely far higher, as it relies on the incidents that were actually reported to the authorities, but it goes to show that Cyber Risk is a whole spectrum of risks, not just ‘Hackers’ trying to gain access to a network.

The sobering truth is that 96% of successful Cyber incidents or Data Breaches now involve some form of human intervention (Verizon Data Breach Investigations Report 2020), and attackers are targeting people as well as internet-exposed assets.


A Cyber Risk Management program can provide vital situational awareness of your specific Charity's actual exposure to Cyber Risks. It can provide actionable intelligence, the information that is critical to actually doing something to reduce your risk exposure. It can educate your team members on what to look for in their communications and day-to-day activities that may be ‘red flags’ signifying malicious activity. This can range from simple checks of spelling and sender details right through to implementing specific policies and the checks and balances required for handling digital payments, such as confirming any change of bank details by phone on a number already on file (never one taken from the email itself) before any funds are sent.
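
Step 9 of the attack above worked because a sender address that looks identical to the FD's proves nothing on its own: the human check the Finance Team Member made (does the From address match?) is exactly the one the attacker controlled. The following Python script is an added example, not code from the article or from any vendor it describes, showing the kind of automated red-flag check a mail gateway or mailbox rule can apply to a payment instruction. It parses two constructed messages (a genuine instruction and a BEC-style one whose From address matches the real FD) and reports the flags a practitioner would want surfaced: failed SPF/DKIM/DMARC verdicts, a Reply-To pointing at a look-alike domain, and new bank details combined with urgency. It assumes the charity's mail gateway stamps an Authentication-Results header on delivery and that TRUSTED_DOMAINS lists the charity's own domain; the domain names, addresses and message text are all assumptions constructed for the example.

```python
"""Surface Business Email Compromise red flags in an inbound payment instruction.

Added illustration, not the article's code. Assumes the receiving mail gateway adds an
Authentication-Results header with SPF/DKIM/DMARC verdicts, and that TRUSTED_DOMAINS
holds the charity's own domain(s); example-charity.org is a made-up domain.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-charity.org"}  # assumed: the charity's own domain(s)

# Wording that turns a routine payment into a change of destination, plus pressure to act.
PAYMENT_CHANGE = re.compile(
    r"(new|changed|updated)\s+(bank|account|payment)\s+details?|new account number", re.I)
URGENCY = re.compile(r"\b(urgent|today|immediately|asap)\b", re.I)
AUTH_VERDICT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

# Constructed sample messages (not real mail). Both carry the same From address; only the
# gateway verdicts, the Reply-To and the body content differ.
GENUINE = """\
From: Finance Director <fd@example-charity.org>
To: Finance Team <finance@example-charity.org>
Reply-To: fd@example-charity.org
Subject: Solar panel supplier invoice
Authentication-Results: mx.example-charity.org; spf=pass smtp.mailfrom=example-charity.org; dkim=pass header.d=example-charity.org; dmarc=pass header.from=example-charity.org

Please pay the attached invoice to the supplier account we already hold on file.
"""

SPOOFED = """\
From: Finance Director <fd@example-charity.org>
To: Finance Team <finance@example-charity.org>
Reply-To: fd@examp1e-charity.org
Subject: URGENT: solar panel payment today
Authentication-Results: mx.example-charity.org; spf=fail smtp.mailfrom=examp1e-charity.org; dkim=none; dmarc=fail header.from=example-charity.org

Please transfer the funds for the school solar panels today. The supplier has
changed bank details: new account number 12345678, sort code 00-00-00.
"""


def levenshtein(a, b):
    """Edit distance, used to spot look-alike domains such as examp1e-charity.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent/unparseable."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_red_flags(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of human-readable red flags; an empty list means none were found."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []

    # 1. Gateway SPF/DKIM/DMARC verdicts. A From address identical to the real FD's is
    #    worthless as evidence if the message failed these checks.
    verdicts = {k.lower(): v.lower()
                for k, v in AUTH_VERDICT.findall(str(msg.get("Authentication-Results", "")))}
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            flags.append(f"{mech} verdict is '{verdicts.get(mech, 'missing')}', not 'pass'")

    # 2. Replies silently routed to a different domain than the one displayed.
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # 3. Look-alike of one of our own domains (within two character edits).
    for dom in {from_domain, reply_domain} - {""}:
        if dom not in trusted_domains and any(levenshtein(dom, t) <= 2 for t in trusted_domains):
            flags.append(f"lookalike domain '{dom}' resembles a trusted domain")

    # 4. A payment instruction that changes where the money goes, with pressure to act now.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if PAYMENT_CHANGE.search(text):
        flags.append("message introduces new bank details; confirm by phone on a known number")
        if URGENCY.search(text):
            flags.append("urgency language combined with a payment change")
    return flags


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, bec_red_flags(raw) or "no red flags")
```

The genuine message produces no flags; the spoofed one is caught four different ways even though its From line is byte-for-byte the FD's address. None of these checks replaces the out-of-band control the chain above needed: an instruction that changes where money is sent is confirmed by phone on a number already on file, never on one taken from the email.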

The risk of compromise has been increasing sharply in recent years, and exploded in 2020 during the COVID-19 pandemic and the rush to enable home working. For the vast majority of Charities the focus has understandably been on maintaining productivity rather than security, and this has created a perfect storm for attackers.

This constantly evolving threat, driven by real-world adversaries who are able to automate almost all of their attacks to achieve massive scale, means that Cyber Risk Management must be similarly dynamic and evolving. Traditional, legacy approaches such as classroom-based training or one-off Penetration Tests are no longer sufficient on their own. It is therefore vital that Charities equip themselves with dynamic and, above all, continuous solutions to address this critical, constantly changing and rapidly increasing risk.

Given the lack of in-house expertise and the limited budgets usually available, SaaS platforms that automate the monitoring, alerting and improvement of Cyber Risk Management across an organization are the most effective and affordable way for Charities to reduce risk, and many Charities are beginning to see the value of, and the need for, this approach.
