Charities protecting against cybercrime
In the perfect world the “bad guys” or hackers as we’ve come to know them, wouldn’t go after charities. They’d stick to rich corporations with vast IT teams and Teflon-coated firewalls, but as we all know, the world isn’t perfect, and charities are seen as low hanging fruit for those very reasons.
UNDERSTAFFED, UNDERFUNDED AND UNDER PROTECTED. Cyber criminals often think that charities operate on shoe-string budgets, that their computers are old and, so it would follow, that their cyber security practices may be too. They think that staff are working so hard to put food in mouths, shoes on feet or roofs over heads that installing the latest operating system on their laptop often gets overlooked, making charities an easy target.
Key statistics from the Financial Conduct Authority (FCA) show: cybercrime is a bigger threat than nuclear war; hackers attack every 39 seconds, on average 2,244 times a day; a 480% rise in data breaches reported to the FCA; 279 days is the average time to identify and contain a breach.
So that’s the bad news. The GOOD news is that there is a relatively simple, two-pronged approach EVERY charity can take, to help themselves, starting right now, today – cyber safety and cyber insurance.
Step 1
UPDATE YOUR OPERATING SYSTEM. When you turn on your computer in the morning and it says, “We have two updates to make, shall we do it now or later?” DO IT NOW! These are “patches” that Apple or Windows have made to protect you from an attack. As new “holes” appear in their systems that leave you vulnerable to attack, they make new patches. If you don’t install them, you aren’t even beginning to help yourself.
(Did you know that the 2017 WannaCry NHS ransomware attack was due entirely to departments failing to update their operating systems, despite repeated urgent requests from NHS Digital?) Yes, it really was that simple.)
USE FIREWALLS AND INSTALL ANTI-VIRUS PROTECTION. These really should be standard on every computer system by now. Make sure yours are up to date. It’s easy for subscriptions to lapse. You want to be protected against viruses, malware and have a firewall.
ESTABLISH TWO-STEP VERIFICATION ON ALL DIGITAL ACCOUNTS. This will instantly let you know if someone else is trying to access one of your accounts. So many attacks happen without charities even knowing, giving the hackers plenty of time to run riot in your system, divert emails, set up new accounts, all under your very nose. Stop them at source.
ENSURE PASSWORDS ARE STRONG ENOUGH. Choose a phrase then add a bunch of numbers and symbols. Do NOT use a password twice. The dark web is full of lists of previously used and stolen passwords. If you use “Rover123” on 15 different accounts, you’ve just given the bad guys 15 entry points.
See the fascinating image below which explains how long it would take a hacker to break your password based on length and content.
EDUCATE YOUR STAFF. Regular cyber training is essential. New methods of attack are coming up all the time, and you can’t expect your staff to be aware of them simply because you’re “pretty sure they know what to look for”. Keep them up to date – regularly.
CALL-BACKS. Adopt formal call-back procedures to ensure added protection when making funds transfer. One careless click can cost tens of thousands of pounds. Teach staff how to verify an email BEFORE they click on it. It may sound basic but, that’s because … it is.
Step 2
The second thing you need to do is protect yourself with a robust insurance policy, so that should the worst happen, you won’t lose out financially. Here are the specific risks which should be covered by cyber insurance:
DATA BREACHES (GDPR FINES). Charities often accept donations via card payments made on their websites. They will collect personal data (such as donor names, addresses and payment card information) which could result in a costly liability if these data were to be breached by a hacker.
FUNDS TRANSFER FRAUD. As many charities make frequent electronic payments to the partner organisations they support, such as research labs and care providers, they must also be alert to cyber criminals trying to steal those funds as they are transferred out of your organisation. According to CFC Underwriting, a major cyber insurer, charities are far more likely to face a loss through this form of cybercrime than because of a data privacy breach.
STEPS WHICH AN INSURER WOULD REQUIRE THE CHARITY TO UNDERTAKE TO PROTECT ITS EQUIPMENT AND DATA. Cyber insurers expect the organisations they insure to take reasonable steps to protect their networks and data in the same way you might protect your physical assets such as buildings and contents with an intruder alarm or fire detection system.
THE SORT OF EXCLUSIONS CHARITIES SHOULD BE BOTH AWARE AND WARY OF. Due to the nature of their activities, charities are at particular risk when it comes to cybercrime, such as funds transfer fraud. Charity insurance buyers must be alert to any insurance policy conditions that limit or exclude coverage for this form of crime. Indeed, any cyber insurance they establish should assertively cover this type of loss.
While it’s important to ensure any insurance policy meets these exposures, charities must also contend with cyber extortion, malware and ransomware attacks. Cyber attacks can also lead to formal regulatory investigations and even fines, so insurance buyers must seek out cyber insurance policies that address these risks too.
EXCLUSIONS CHECKLIST. Ensure you are covered for:
- Funds transfer fraud.
- Cyber extortion.
- Malware attacks.
- Ransomware attacks.
- GDPR/regulatory body fines.
THE DIFFERENCE BETWEEN AN AVERAGE SET OF CYBER INSURANCE COVERS AND A PREMIUM SET. There’s little standardisation between insurers in terms of the scope of coverage, pricing or terminology used. Some policies will exclude or limit the degree of protection for certain types of cyber attack, so it pays to use a specialist insurance adviser who understands the landscape and who can navigate the charity to the most appropriate solution.
Thorough analysis
Because no two charities are identical, this should start with a thorough analysis of cyber risk – an in-depth review of the specific cyber threats to which the charity is exposed. A good adviser will be able to provide this degree of scrutiny, to help build an insurance solution that’s tailored to the charity’s specific needs. This needn’t be expensive; annual insurance premiums can start from as little as £600.
THE PITFALLS TO WATCH OUT FOR AND COMMON MISTAKES BY CHARITIES. Charities would be mistaken in assuming that their exposure starts and ends with lawsuits for a data privacy breach. Charities are at particular risk from social engineering style attacks (e.g. phishing attacks). Thinking that you’re protected because you use third party providers or spend heavily on IT are common myths.
Not purchasing a cyber policy because you have “good IT security” is like suggesting that you don’t need theft insurance on a property policy because you have high quality locks on your doors. It’s also dangerous to believe that cyber attacks only affect big business. As previously stated, cyber criminals see smaller organisations as low hanging fruit, because they perceive they lack the resources to properly protect themselves. Cyber criminals target the most vulnerable organisations, not just the most valuable.
In summary, a good specialist cyber insurance adviser should be able to:
- Help you to identify what cyber risk looks like – both within the charity sector as a whole and also in relation to your charity’s own domain or network.
- Work with you to provide a risk management service, from staff cyber awareness training to system/process controls – all with the aim of improving your exposure to risk.
- Build a tailored insurance solution that addresses your specific risk profile.
- Provide a robust breach response service should the worst still happen.
