Hackers use a range of methods to access data, but updating software, setting unique passwords and being aware of security are some of the ways companies can minimise risk.
Earlier this year the Women’s Resource Centre became the latest charity to suffer at the hands of cyber-criminals, after its website was hacked and replaced with pro-Isis messages. The British Pregnancy Advisory Service fell victim back in 2014, resulting in a £200,000 fine by the Information Commissioner’s Office (ICO) after a hacker broke into the charity’s website and stole personal details of thousands of women who had sought advice.
The ways in which hackers can attack
The first thing is to understand the range of methods that hackers may employ. Some are very technical - hackers may identify vulnerabilities in (often out-of-date) software which allow them access to your system. Without your knowledge they then install software that records every key you press (a keylogger), allowing them to capture your passwords and access your system and files.
Other more technical approaches involve the use of programs known as viruses, worms and Trojan horses. Viruses are malicious code that attaches itself to other programs or data files and copies itself further each time an infected file is opened or run. Worms spread themselves between computers and across a network on their own, without anyone having to open a file. Trojan horses trick people into installing them by appearing as something routine or useful, such as a form or a warning message.
However, other methods are simpler – hackers may set up spoof websites that trick people into entering their login details, they may guess user passwords, or they may simply talk people into revealing information on the phone or in person (known as social engineering).
How to minimise the threat
When it comes to fighting back, Charity Security Forum chair Brian Shorten offers a six-point plan for preventing hacking:
- Review your security. “I would use ISO 27001 as a guide – it’s really simple, but it sets out where you should be across the various areas of information security management.”
- Encrypt your data
- Keep your software up to date
- Change default passwords on all your devices. “Online, hackers can find lists of default passwords which allow remote access to everything from routers to servers.”
- Raise awareness of security issues among staff
- Build a support network via the Charity Security Forum.
Shorten draws particular attention to the fifth point, as he believes charities can benefit greatly from a joined-up approach combining technological protections with proper staff training, so that staff understand how to minimise cyber security risks. He adds that the most effective way to do this is through an engaging, practical approach.
“We tend to talk about ‘education and training’,” he says, “but that’s like going back to school. I prefer ‘raising awareness’, where you talk to people about the consequences of doing things or not doing things. That’s preferable to running through a checklist.”
Responding to a breach
If all these measures fail, you may find that you do get hacked. In this scenario, you need to recognise the warning signs. If you suffer a denial of service attack, where an attacker is trying to stop your systems from functioning, you may find you are unable to access your email or your website. Alternatively, if someone has accessed your confidential data, they may contact you demanding a large sum of money for its safe return. Or, in the case of many of the threats outlined in this article, you may simply notice unusual activity on your network, or unfamiliar files and folders on your servers.
In these situations, you need to have a strong business continuity plan in place, according to Chris Greaves, senior strategic risk consultant at Zurich Insurance. “These are vital for ensuring prevention measures are in place and for providing an action plan if a problem occurs. Defined triggers need to be in place so it is clear when a breach has occurred, along with control mechanisms such as communication plans and procedures to close systems down. All of this needs to be tested in practice so that the plan can be modified as necessary.”
Who to speak to
If the breach includes the loss of sensitive data, it is particularly important to consider who should be informed. “If a large number of people are affected or there are very serious consequences, the ICO will expect to be notified. It will want a description of how and when the breach occurred, what data was involved, what security measures were in place and what has been done in response. In cases of illegal activity, the police also need to be informed.”
Fortunately, cases of hacking in the charity sector are still fairly rare. There isn’t a hacker hiding around every corner. Yet the consequences of failing to protect yourself can be extremely serious, so now is the time to review both your technological protections and your procedures for raising staff awareness.
Learn more on how charities can manage risks with our free guides:
- Future proof: ensuring the sustainability of your charity
- Charity regulation and what it means for your organisation
- A fresh look at reputation risks for charities
- Understanding the impact of cyber and information risk
How can Zurich help your charity? Email us at info@zurichmunicipal.com or call us on 0800 232 1901.
Content on this page is paid for and provided by Zurich Insurance sponsor of the Guardian Voluntary Sector Network’s Charity Leadership hub.