Charities having affordable cybersecurity
The current cybersecurity threat landscape is extremely dangerous, with organisations from every sector being exposed to increased risk every day. Malicious threat actors and hacker groups are targeting the country’s leading organisations, from the Royal Mail to the NHS, and cyber-attacks on household name brands continue to become ever-more commonplace. However, it is not just the biggest names which are under threat. Organisations of all sizes and industries are being targeted in indiscriminate attacks, and the charity sector is no different.
Charities are currently going through one of their most tumultuous periods from a cybersecurity perspective, with charities a prime target for cybercriminals. Recent findings from the UK government’s Cyber Breaches Survey 2023 found that 24% of charities overall recall a breach or attack from the last 12 months, down from nearly a third (30%) of charities in 2022.
While at first glance this seems to be moving in the right direction, the drop is probably a smoke screen. The survey measures breaches that charities recall, and a charity cannot recall an intrusion it never detected. A lower reported rate is therefore more likely a sign that the sector is not investing in the monitoring needed to spot attempts to compromise its networks and data, a gap driven by the rapidly rising cost of security coupled with increasingly stretched budgets.
Time is key
The government survey also put the approximate cost to a charity of a breach over the last 12 months at £530. The real figure is likely to be much higher, especially where the affected charity lacks the processes, practices and protections needed to remove the attacker and get back up and operating quickly. When it comes to cybersecurity, time is key: the longer disruption to services goes on, the more costly and damaging a breach becomes.
The situation for charities is being worsened further by the monetisation of cybercrime, which continues to grow at an alarming rate. Experts estimate that the cost of cybercrime to businesses will reach $10.5tn by 2025, making it the third biggest economy after the US and China. The issue isn’t going away, and charities must adopt a new approach to ensure they are as protected as possible.
Unfortunately for charities, they often make a lucrative target for malicious cyber groups because of the amount of valuable personal data they hold about donors, beneficiaries and volunteers. Criminals also tend to regard them as an easier target, since some have weaker security postures as a result of balancing public funding against spiralling cybersecurity costs.
THE EXTENT TO WHICH CYBERSECURITY IS A PRIORITY FOR CHARITIES. The reality is that top of the range cybersecurity products simply aren’t attainable for many charities. With stripped back funding for areas such as cybersecurity, it is difficult for the charity to explore many security processes which have become commonplace in the private sector.
Within this year’s Cyber Breaches Survey, the government found that just 27% of charities have undertaken cyber security risk assessments in the last year, while less than a fifth (19%) have deployed security monitoring tools. On top of this, only 11% of charities say they review the risks posed by their immediate suppliers, and just a third of those surveyed have cyber insurance policies in place.
Board level awareness
Decisions about where funding is distributed within an organisation start at the board level, and having engaged, cyber-aware board members can make a huge difference for any organisation, especially charities. The Cyber Breaches Survey found that around three in ten charities (31%) have board members or trustees explicitly responsible for cybersecurity as part of their role, and that only 9% of charities’ annual reports covered cyber risks.
These numbers are concerning, and highlight the lack of investment from charities into their cyber hygiene not only from a funding perspective, but also from a resources and focus point of view, with many seeming to operate on a “hopefully it won’t happen to me” mindset. And while this way of thinking is still commonplace among many sectors, and previously may have worked, today it is simply not enough to think this way.
Attacks are becoming ever-more sophisticated, malicious threat actors are becoming increasingly knowledgeable and experienced, and the cost of remaining secure continues to skyrocket. That’s why a pragmatic and appropriate cybersecurity strategy is absolutely crucial for charities.
WHAT CONSTITUTES A CYBERSECURITY STRATEGY AND ITS IMPORTANCE. In essence, a cybersecurity strategy is a plan set out by organisations to minimise their risk, improve their security stature, and to lay out the necessary steps to respond should an incident occur. A comprehensive cyber strategy should encompass Risk Assessment, Risk Prevention, Supplier Management, Data Visibility and Management, Testing, Validation, and Hardening.
In simpler terms, your cybersecurity strategy should take into account every possible eventuality. From risk assessments before an attack has taken place and risk management to cut off potential attack vectors, all the way to testing, patching, validation and hardening to ensure your security stature remains robust. A comprehensive incident response plan is a must which assigns each person a role to help mitigate the damage caused when an attack occurs.
Clear picture of vulnerabilities
The reason this strategy or plan is so critical is that without one, charities are fighting with a blindfold on and one arm behind their back. When a cybersecurity strategy is properly planned and executed, it gives you a clear picture of where your vulnerabilities lie, how to fix them, and what to do if one is targeted. This information gives you visibility of your environment and how it is operating, which is one of the most important aspects to remaining cyber secure.
Cybersecurity is all about ensuring an appropriate response to your risk. And unless you know exactly what your risk looks like, it is impossible to calculate the right response.
PROTECTING YOUR CHARITY WITHOUT OVERSPENDING. The fact remains that cybersecurity can be expensive, and the cost continues to rise. Hiscox’s 2022 Cyber Readiness Report found that the average spend by companies with 250 to 999 employees had doubled since the previous year, and that for organisations with more than 1,000 employees it had risen by 65%. Over the preceding three years, spend at the largest organisations had risen nearly fivefold, to nearly $20m.
Smaller firms paint a very different picture. Organisations with 10 to 49 employees had almost halved their cybersecurity spending, from $411,000 to $225,000, while those with fewer than ten employees had cut spending drastically, from around $150,000 to $29,000.
These figures suggest that the organisations which can afford the best protection are spending more, while smaller businesses and charities, already hit in recent years by the pandemic and other pressures, are spending less.
HOW CHARITIES CAN BUILD A STRATEGY ON A BUDGET. The key for charities is to have a plan which is proportional to their risk, and this risk will look different for each individual charity. However, some things remain the same.
EMPLOY SOLUTIONS WHICH ARE LOW COST BUT EFFECTIVE. While many of the top level security protections have high prices associated with them, there are many extremely effective solutions which don’t require such a large investment.
Two factor authentication
One of these is two factor authentication (2FA), which requires users to prove their identity with a second, independent factor, typically something they have (an authenticator app on their phone or a hardware security key) in addition to the password they know. Most cloud email, identity and collaboration services include it at little or no extra cost, and it makes it very difficult for malicious threat actors to break into accounts using leaked passwords or other compromised credentials, because the password alone is no longer enough. Where there is a choice, prefer an authenticator app or hardware key over SMS codes, which can be intercepted or redirected through SIM swapping.
FOCUS ON STAFF TRAINING AND AWARENESS. It's often said that the biggest cybersecurity risk still sits between the keyboard and the chair, and it is true. According to a report by IBM published in 2022, human error accounted for 95% of cyber breaches. This is a massive statistic, and one that charities can lower with the right activity.
Ensure that employees are aware of your charity’s cyber safety practices and processes, and provide training and awareness so that they know how to spot an online scam. Phishing is one of the biggest attack vectors, and almost always targets someone working within an organisation. If staff are cyber aware, they can stop attacks before they’ve even begun.
PROCESSES OVER SOLUTIONS. If charities are operating on a very small budget, they shouldn’t feel pressured to invest in expensive, cutting-edge technologies that may or may not be proportionate to their level of risk. Instead, they should be looking at the basics, such as firewalls and anti-virus, and then investing time and resources into improving their processes.
Some of the best practices include segmenting your data and applying least privilege: reviewing and revoking permissions so that people can only access the parts of your environment, data and assets they need to do their job, and removing access promptly when someone changes role or leaves. Then, if a single user account is compromised, the attack is contained to what that account could reach, and the rest of the environment is protected from also being breached.
Cyber hygiene
As the latest government data shows, charities are challenged by the threat of cybercrime and by the difficulty of staying safe online. They have become a lucrative target for malicious groups, and are not always able to secure the funding they need to ward them off consistently. So what they must focus on is cyber hygiene; don’t make it easy for attackers. Remaining protected on a budget is possible, but it is something the entire charity must buy into.