Charity IT latest

Getting your IT right is crucial for charities. So for articles on the use of IT for charities ranging from admin to marketing, click on the headline links below.

Charities protecting against cybercrime

In a perfect world the “bad guys”, or hackers as we’ve come to know them, wouldn’t go after charities. They’d stick to rich corporations with vast IT teams and Teflon-coated firewalls. But as we all know, the world isn’t perfect, and charities are seen as low hanging fruit for those very reasons.

UNDERSTAFFED, UNDERFUNDED AND UNDER PROTECTED. Cyber criminals often think that charities operate on shoestring budgets, that their computers are old and, so it would follow, that their cyber security practices may be too. They think that staff are working so hard to put food in mouths, shoes on feet or roofs over heads that installing the latest operating system on their laptop often gets overlooked, making charities an easy target.

Key statistics from the Financial Conduct Authority (FCA) show: cybercrime is a bigger threat than nuclear war; hackers attack every 39 seconds, on average 2,244 times a day; a 480% rise in data breaches reported to the FCA; 279 days is the average time to identify and contain a breach.

So that’s the bad news. The GOOD news is that there is a relatively simple, two-pronged approach EVERY charity can take, to help themselves, starting right now, today – cyber safety and cyber insurance.

Step 1

UPDATE YOUR OPERATING SYSTEM. When you turn on your computer in the morning and it says, “We have two updates to make, shall we do it now or later?” DO IT NOW! These are “patches” that Apple or Windows have made to protect you from an attack. As new “holes” appear in their systems that leave you vulnerable to attack, they make new patches. If you don’t install them, you aren’t even beginning to help yourself.

(Did you know that the 2017 WannaCry NHS ransomware attack was due entirely to departments failing to update their operating systems, despite repeated urgent requests from NHS Digital? Yes, it really was that simple.)

USE FIREWALLS AND INSTALL ANTI-VIRUS PROTECTION. These really should be standard on every computer system by now. Make sure yours are up to date. It’s easy for subscriptions to lapse. You want to be protected against viruses, malware and have a firewall.

ESTABLISH TWO-STEP VERIFICATION ON ALL DIGITAL ACCOUNTS. This will instantly let you know if someone else is trying to access one of your accounts. So many attacks happen without charities even knowing, giving the hackers plenty of time to run riot in your system, divert emails, set up new accounts, all under your very nose. Stop them at source.

ENSURE PASSWORDS ARE STRONG ENOUGH. Choose a phrase then add a bunch of numbers and symbols. Do NOT use a password twice. The dark web is full of lists of previously used and stolen passwords. If you use “Rover123” on 15 different accounts, you’ve just given the bad guys 15 entry points. See the fascinating image below which explains how long it would take a hacker to break your password based on length and content.

EDUCATE YOUR STAFF. Regular cyber training is essential. New methods of attack are coming up all the time, and you can’t expect your staff to be aware of them simply because you’re “pretty sure they know what to look for”. Keep them up to date – regularly.

CALL-BACKS. Adopt formal call-back procedures to ensure added protection when making funds transfers. One careless click can cost tens of thousands of pounds. Teach staff how to verify an email BEFORE they click on it. It may sound basic, but that’s because … it is.

Step 2

The second thing you need to do is protect yourself with a robust insurance policy, so that should the worst happen, you won’t lose out financially. Here are the specific risks which should be covered by cyber insurance:

DATA BREACHES (GDPR FINES). Charities often accept donations via card payments made on their websites. They will collect personal data (such as donor names, addresses and payment card information) which could result in a costly liability if these data were to be breached by a hacker.

FUNDS TRANSFER FRAUD. As many charities make frequent electronic payments to the partner organisations they support, such as research labs and care providers, they must also be alert to cyber criminals trying to steal those funds as they are transferred out of the organisation. According to CFC Underwriting, a major cyber insurer, charities are far more likely to face a loss through this form of cybercrime than because of a data privacy breach.

STEPS WHICH AN INSURER WOULD REQUIRE THE CHARITY TO UNDERTAKE TO PROTECT ITS EQUIPMENT AND DATA. Cyber insurers expect the organisations they insure to take reasonable steps to protect their networks and data in the same way you might protect your physical assets such as buildings and contents with an intruder alarm or fire detection system.

THE SORT OF EXCLUSIONS CHARITIES SHOULD BE BOTH AWARE AND WARY OF. Due to the nature of their activities, charities are at particular risk when it comes to cybercrime, such as funds transfer fraud. Charity insurance buyers must be alert to any insurance policy conditions that limit or exclude coverage for this form of crime. Indeed, any cyber insurance they establish should assertively cover this type of loss.

While it’s important to ensure any insurance policy meets these exposures, charities must also contend with cyber extortion, malware and ransomware attacks. Cyber attacks can also lead to formal regulatory investigations and even fines, so insurance buyers must seek out cyber insurance policies that address these risks too.

EXCLUSIONS CHECKLIST. Ensure you are covered for:

  • Funds transfer fraud.
  • Cyber extortion.
  • Malware attacks.
  • Ransomware attacks.
  • GDPR/regulatory body fines.

THE DIFFERENCE BETWEEN AN AVERAGE SET OF CYBER INSURANCE COVERS AND A PREMIUM SET. There’s little standardisation between insurers in terms of the scope of coverage, pricing or terminology used. Some policies will exclude or limit the degree of protection for certain types of cyber attack, so it pays to use a specialist insurance adviser who understands the landscape and who can navigate the charity to the most appropriate solution.

Thorough analysis

Because no two charities are identical, this should start with a thorough analysis of cyber risk – an in-depth review of the specific cyber threats to which the charity is exposed. A good adviser will be able to provide this degree of scrutiny, to help build an insurance solution that’s tailored to the charity’s specific needs. This needn’t be expensive; annual insurance premiums can start from as little as £600.

THE PITFALLS TO WATCH OUT FOR AND COMMON MISTAKES BY CHARITIES. Charities would be mistaken in assuming that their exposure starts and ends with lawsuits for a data privacy breach. Charities are at particular risk from social engineering style attacks (e.g. phishing attacks). Thinking that you’re protected because you use third party providers or spend heavily on IT are common myths.

Not purchasing a cyber policy because you have “good IT security” is like suggesting that you don’t need theft insurance on a property policy because you have high quality locks on your doors. It’s also dangerous to believe that cyber attacks only affect big business. As previously stated, cyber criminals see smaller organisations as low hanging fruit, because they perceive they lack the resources to properly protect themselves. Cyber criminals target the most vulnerable organisations, not just the most valuable.

In summary, a good specialist cyber insurance adviser should be able to:

  • Help you to identify what cyber risk looks like – both within the charity sector as a whole and also in relation to your charity’s own domain or network.
  • Work with you to provide a risk management service, from staff cyber awareness training to system/process controls – all with the aim of improving your exposure to risk.
  • Build a tailored insurance solution that addresses your specific risk profile.
  • Provide a robust breach response service should the worst still happen.

Partners&’s Matthew Clark – cyber safety and cyber insurance are the two-pronged approach for charities to adopt to protect against cyber attack.

Protecting the digital heart of charities

It’s an unfortunate reality that the charity sector is an attractive target for cyber attacks. Criminals are unscrupulous in choosing their targets and can all too easily take advantage of charities, and their supporters, for their own gain.

There is a huge black market in user credentials – login details and other personal information – which are bought and sold online. Cybercriminals can get their hands on this information in a number of ways. This includes stealing directly from the charity or a partner, or using credentials leaked from third party sites which are then reused to attack a charity or its supporters.

The fact that people often reuse usernames and passwords, across multiple systems, makes matters particularly easy for criminals.

To protect themselves and their data, charities must monitor the internet for any potential threats, even before they happen. Detecting leaks of the personal details they hold on donors, volunteers, beneficiaries or employees when these appear outside their own network should be a priority, as should uncovering the tell-tale signs that an attack on their organisation could be imminent. Finally, charities must also monitor their own networks and practise good cyber hygiene that could deny cybercriminals entry.

Why criminals target charities

The average cybercriminal is primarily focussed on making money and will look to target assets that achieve this goal. They might directly try to steal funds or hold a charity to ransom, crippling services and only restoring them upon payment of a large sum of money. What’s most likely to be their main target is the Personally Identifiable Information (PII) of supporters which they can access by targeting the employees. Charities are a goldmine of this data, holding the PII of thousands, if not millions of individuals. This can be used by cybercriminals in a number of ways to make money.

Once they have the financial details of donors, the fraudsters can use these to steal cash directly from their bank accounts. Another method they use is to imitate the charity and email the donor directly, using the stolen information, to request more funds, known as phishing.

This can be very effective as the person targeted has already shown an interest in the charity and a willingness to donate, so asking for more money won’t seem unusual and is likely to produce results. Criminals are skilled at using techniques which prey on the trust and goodwill of donors and compel them to make emotional decisions by clicking on links that look genuine.

The emails are made to look very convincing, often using the same branding and messaging and, through the use of a technique called typo squatting, they set up fake sites which are made to look like the legitimate charity. For instance, if the actual domain is they might use or

Coronavirus crisis

This is particularly pertinent during the coronavirus crisis, which has seen people more willing to help out good causes. For instance, criminals were found by the FBI to be masquerading as collecting donations for the American Red Cross but were in fact lining their own pockets. According to DomainTools, which scores a domain on how likely it is to be malicious, 150,000 suspicious coronavirus-related domains have been registered since the start of the pandemic.

Staff working for charities can be a particular target for phishing attacks, which attempt to trick employees into clicking on links. The aim is to obtain their personal information, or to gain access to the staff member’s email account. With that access, criminals can send emails from the account which appear legitimate, convincing others to send money to new accounts or to commit other types of fraud.

Cybercriminals often target charity workers for their credentials so that they can access charity databases rich in donor data. Recent research shows that more than 8 out of 10 charities have reported that their staff have been targeted in phishing attacks.

Finally, they could sell the information online to other cybercriminals. Once they have their hands on this valuable data, they will try to sell it where they can. These are likely to be on forums on the Open and Dark Web, as well as websites like Pastebin that allow users to post information anonymously in plain text. The Dark Web is the hidden part of the internet, not indexed by conventional search engines such as Google or Bing, which cybercriminals use to get around law enforcement to buy and sell personal data.

Charities also need to look out for employees reusing the same – or similar – corporate login credentials to access other third party sites. If these sites are breached, then the staff member may have inadvertently given the hackers all they need to break into the charity’s own IT network.

Need to protect data

Suffering a data breach is serious for any organisation. Yet for charities, whose success is built upon their reputations and the goodwill of supporters, the loss of any sensitive information can be devastating. Many charities provide services for vulnerable individuals, where leaks of data could result in serious physical or emotional harm. Any organisation is at risk – often it’s simply down to hackers taking a chance and testing out credentials from another unrelated breach, and discovering they can be used to target a charity.

This opens charities up to the risks of phishing attacks, identity theft and even having funds taken directly from their accounts. As such, trust in their brand will undoubtedly be damaged if data is found to have been traded by cybercriminals online. This is likely to have a knock-on effect for the charity’s funding as research from The Charity Commission has found that people are nine times less likely to donate to a charity they deem untrustworthy.

There is also the consideration that any data breach could land a charity in trouble with the regulators. The EU’s GDPR stipulates that organisations must have appropriate mechanisms in place to protect any PII in their possession. Failure to do so could result in the organisation having to pay a large fine.

These issues are made worse by the fact that time and resources are in limited supply and volunteers are often relied upon to help deliver services. This can add to the risk exposure, and so requires making sure that helpers and temporary workers, as well as permanent staff, are all up to date with the latest data privacy regulations and have regular training on how to keep information safe. This can be a huge task.

The Covid-19 crisis has without doubt made the situation worse. Charities are also facing a funding crisis never seen before. Those wanting to survive are likely to cut back where they can, which could mean IT security is reduced. This will also be made worse by trained professionals being furloughed, or those who are still working having to do so remotely with varying degrees of cybersecurity.

Protecting your charity

Any organisation needs to make the best use of resources and charities, in particular, have to be careful to get the best possible value from cyber protection. To help them out, the UK Government has created a guide which outlines five key areas that charities must focus on to keep their data safe. These are: backing up data; protecting against malware; keeping connected devices safe; using passwords to protect data; and avoiding phishing attacks.

Much of this advice focuses on simple actions charities can take using protection they already have access to or putting in place procedures to protect information. This includes basics such as turning on firewalls and anti-virus software, as well as changing default passwords. Having a unique password for every user and for every protected asset they use is a cyber security fundamental. A good way to secure credentials is through a password manager, which will generate and store uncrackable passwords.

Another simple step charities can take is to regularly download and install the latest updates for all their operating systems and applications. These will provide security patches for any vulnerabilities in the software that could be exploited by threat actors.

Early warning systems

Taking steps to prevent a data breach, or limit the impact of one, needs to be a priority for charities if they want to avoid damaging repercussions. The key to this is monitoring.

Monitoring the internet for early warning signs of an attack will help charities focus their defences. This monitoring should include detecting if there has been any chatter on social media sites or forums used by cybercriminals that might indicate an attack is imminent. There is also the need to identify stolen information that might appear on the Open and Dark Web. However, accessing sites that are exclusively the domain of cybercriminals requires specialist help.

Charities need to be certain whether any information which appears online is theirs so that they can take swift and decisive action if necessary. This can be difficult as there could be thousands or even millions of credentials to examine. To this end, the use of “synthetic” identities and watermarking data will help to pinpoint whether any information has leaked outside the organisation.

The idea is to mix in specifically created fake credentials, including emails, with real data. If these synthetic identities appear anywhere they shouldn’t, a charity will know with absolute certainty that there has been a data breach.
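The synthetic-identity check described above, as an added example in Python (not code from the article or from any vendor it names). It derives a different set of fake donors for each copy of the data, so a match also shows which copy leaked. The domain `donor-mail.example.org`, the name lists, the copy labels, the function names and the sample paste are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Assumption: a domain the charity controls and uses for nothing else.
CANARY_DOMAIN = "donor-mail.example.org"
FIRST_NAMES = ["alex", "sam", "priya", "jordan", "maria", "chris", "fatima", "owen"]
LAST_NAMES = ["taylor", "khan", "evans", "murray", "patel", "wright", "hughes", "reid"]
EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}", re.IGNORECASE)


def make_canaries(key: bytes, copy_label: str, count: int = 3) -> list[dict]:
    """Derive `count` synthetic donors for one copy of the data set.

    Each identity comes from HMAC-SHA256(key, "label:index"), so it is unique
    to that copy, cannot be predicted without the key, and can be regenerated
    later without storing the list anywhere an intruder could find it.
    """
    canaries = []
    for i in range(count):
        digest = hmac.new(key, f"{copy_label}:{i}".encode(), hashlib.sha256).digest()
        first = FIRST_NAMES[digest[0] % len(FIRST_NAMES)]
        last = LAST_NAMES[digest[1] % len(LAST_NAMES)]
        tag = digest[2:5].hex()  # 24-bit watermark that ties the address to the copy
        canaries.append({
            "name": f"{first.title()} {last.title()}",
            "email": f"{first}.{last}.{tag}@{CANARY_DOMAIN}",
        })
    return canaries


def build_register(key: bytes, copy_labels: list[str], count: int = 3) -> dict[str, str]:
    """Map every canary e-mail address to the copy it was planted in."""
    return {
        c["email"]: label
        for label in copy_labels
        for c in make_canaries(key, label, count)
    }


def seed_export(real_rows: list[dict], canaries: list[dict], key: bytes) -> list[dict]:
    """Return a copy of the export with canaries mixed in at key-dependent positions."""
    rows = [dict(r) for r in real_rows]
    for c in canaries:
        digest = hmac.new(key, c["email"].encode(), hashlib.sha256).digest()
        rows.insert(digest[0] % (len(rows) + 1), dict(c))
    return rows


def scan_for_canaries(text: str, register: dict[str, str]) -> dict[str, list[str]]:
    """Find canary addresses in text seen outside the organisation.

    Addresses are lower-cased before lookup because leaked lists are often
    re-cased or reformatted. The result maps copy label -> canaries found.
    """
    hits: dict[str, list[str]] = {}
    for match in EMAIL_RE.findall(text):
        email = match.lower()
        label = register.get(email)
        if label is None:
            continue
        found = hits.setdefault(label, [])
        if email not in found:
            found.append(email)
    return hits


def demo() -> dict[str, list[str]]:
    key = b"constructed-demo-key"  # in practice a random secret kept offline
    register = build_register(key, ["crm-backup", "mailing-house"])
    real = [{"name": "Real Donor", "email": "real.donor@example.com"}]  # constructed
    export = seed_export(real, make_canaries(key, "mailing-house"), key)
    # Constructed paste: the mailing-house copy, upper-cased with a trailing field.
    paste = "\n".join(f"{row['email'].upper()}:x" for row in export)
    return scan_for_canaries(paste, register)


if __name__ == "__main__":
    print(demo())
```

Any hit is conclusive because these addresses exist nowhere except in the seeded copy, and the label says which copy to investigate first.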

The consequences of a cyber incident can be costly and far reaching. Criminals are capitalising on global events to make financial gain, yet there are ways to minimise risk and close security gaps.

By keeping a watchful eye on their own data and putting systems in place which can forewarn of potential attacks, charities can prevent the goodwill of their supporters from being exploited.

Skurio’s Jeremy Hendy – charities must monitor their own networks and practise good cyber hygiene that could deny cybercriminals entry.

Prioritising digital asset management

We all know how important it is to demonstrate impact to donors. This can be achieved in terms of the number of projects funded and various measures of change delivered. But what about productivity? How do you and your donors know that your charity is working in the most efficient way, and trust that time is not being wasted either knowingly or unknowingly?

Just like any business, smooth administration and good organisation are a necessity for charities, but in today’s digital world processes can quickly become outdated. A rapidly growing inefficiency is the poor management of digital content – or to put it in everyday language – the organisation of the thousands of folders and files in your charity.

Let’s rewind a decade. Yes, having a high performance website, a strong marketing engine across several channels and a good grasp of social media were all imperative. But no matter the charity, none were dealing with anywhere near the same volume of content as they do today. The proliferation of smartphones, tablets, apps, high speed internet, social media, and video – not to mention the swelling of email and brands’ constant battling for our attention – have changed the way we live and work.

Charities didn’t produce, nor monitor, nor manage the same volume of digital content as they do today. And nor did fundraisers or other partners. In a relatively short space of time things have exploded!

“So what?” I hear you ask.

Much time lost

Last year, UK market research specialists Sapio looked at the impact of digital content on marketing teams of all sizes. The survey found that an average of 13 days per team member is lost every year due to hunting for digital assets and filing content. From images and graphics, to videos, presentations, documents, spreadsheets and design files – charity teams have to handle an ever-increasing volume of digital assets.

Typically charities have small marketing teams, but have to manage a huge volume of visuals. For example, photographs and clips are regularly sent in from all over the country or around the world. Keeping on top of this, and being able to find all these files quickly at a later date has become burdensome.

It’s typical for teams to use shared servers or Dropbox-style services and content is often not centralised to be contributed to or accessed by staff in multiple locations. It can also be a struggle to share the right assets with the press, as well as important donors. And how can you keep a live log of who has downloaded these without increasing admin?

Digital asset management’s role

The importance of being able to demonstrate impact to donors is critical for a charity. I speak from personal experience here as I previously worked in procurement for the RSPCA. Impact consistently had a bearing on our decision-making criteria.

Adopting software – especially that which has already been popularised in the commercial world – can help you to demonstrate you are forward-thinking and investing for long term gain and support recruitment of new talent who expect these tools in the workplace. Furthermore, it can have an immediate positive impact on performance, contributing toward the enhanced output of a team for all to see.

Digital asset management (DAM) does this. It is dedicated software to help you consistently store digital assets online, so they can easily be found and shared. It makes life much easier for internal teams and enables fast, secure access for outside parties too. This could include volunteers and partners, as well as suppliers and venues.

Working in the same way

Managing files in this way requires everybody within the charity, and even your outside partners, to work in the same way so that the security, organisation and searchability of digital assets is consistent. It empowers everyone to quickly find what they’re looking for, saving long searches and the distraction of colleagues, meaning more time is spent focused on what really matters.

As a result, a wide range of charities are currently adopting DAM. These range from youth-focused organisations such as the Scouts, through to research organisations like the Institute for Cancer Research. No matter whether you’re the World Health Organisation or a community-based charity, today’s DAM can help unleash your team’s full potential.

Cost viability for a charity

While digital asset management (DAM) software has been around in different guises for many years, its shift from on-premise installation to the cloud has opened up use to many more organisations including charities. The evolution to web browser-based SaaS (Software-as-a-Service) means you no longer have to host the software on your own server, nor bear responsibility for infrastructure and updates.

But hold on – what on earth does this mean for the untechnical majority of us? Well in the past, DAM was very much the preserve of big corporate organisations which could afford to implement such software across their staff computers. It required an on-site IT team to install and then update this on a continual basis. Smaller and cost-sensitive organisations faced a huge barrier.

New cloud-based DAM changes the game – now any charity can benefit from state-of-the-art DAM functionality at an operationally viable price point.

There is no need for IT support, nor any requirement to make latest security or version updates. All your files are secure and accessible online and it’s very simple to use without the need for training to get started.

Anyone can download the software and be granted appropriate access to save, search and share files. Being a web browser-based tool makes it far more accessible, particularly for charities with dispersed teams or fundraisers using their own computers, and it relieves pressure on your own IT network.

A benefit of SaaS is that it’s often subscription-based and pricing is dependent on several factors, including how many users will benefit from the tool. This makes it a viable solution for charities of any size. Another advantage of SaaS is that as new features and functionality are regularly added, users have immediate access to these.

Advantages of DAM for charities

FAST SETUP. A typical barrier to introducing new software is the internal education process needed to ensure successful adoption. Modern digital asset management offers an intuitive user interface meaning most can use it right away with little or no training. With easy importing you can easily move content from a shared server into your DAM library in minutes.

GET EVERYONE WORKING IN THE SAME WAY. No more saving to desktops, shared servers or bulging Dropbox and Google Drive accounts. DAM software requires everyone to save files in the same secure way, to be discoverable by others. And when new staff or volunteers join, it immediately supports knowledge sharing. Existing assets can easily be found by new joiners, avoiding duplication of effort. Everybody can see the latest versions of files in real-time to assist version control and avoid duplication of files.

PROVIDE SECURE ACCESS TO THIRD PARTIES. You may work with agencies, freelancers and volunteers. And you may at times scale up your team thanks to funding injections from significant donations or grants, and therefore bring in temporary staff to provide extra resource or expertise. Sharing the correct files these people need can be time-consuming. It may not be appropriate to grant full access to a shared drive or folder, but neither is it desirable to have to regularly split files into multiple folders.

Approved access only

With DAM, admins can allow an approved individual or team access to only the assets you require them to have. Not only is this quick, it helps maintain the security of assets, especially around campaign launches or private fundraising activities.

INTEGRATED TECHNOLOGIES. Searching for files and filtering results has been revolutionised by using tags, keywords, custom fields and metadata. Being able to search by file size and other factors – for example, by which photographer, designer or document creator – also speeds up searches. Facial recognition technology means you can, for example, find every picture featuring a particular ambassador in an instant, no matter how many different locations these were originally saved in.

Google Chrome and Microsoft Office plugins let your users search your media library without leaving their browser-based email, document or presentation. Integration with design programmes, including Adobe Photoshop and InDesign, allows faster editing. File saves are synced with the centralised DAM storage system, so everyone else immediately has access to the latest version. Daily workflow time-saving quickly adds up.

WHITE LABELLING. Customising the appearance of your DAM platform with your charity’s own branding is very popular. This means your files reside in what appears to be a natural extension of your internal intranet or external website, rather than being hosted by a third party such as Google, Dropbox or WeTransfer. Furthermore, charities can easily create branded portals for media and supporters to download campaign materials.

Software easy to introduce

You can be up and running with a DAM solution in hours. Easy importing allows you to effortlessly upload content from your shared server and other locations into your new online DAM library. A good setup example is facial recognition. You can tag one photograph with the individual’s name, and then be amazed as the technology does the work and instantly finds all photography featuring that person.

A common concern is the time it can take to train staff to use new software, but the best DAM providers offer an intuitive user interface, meaning most people can use it right away with little or no training.

DAM software is hosted on the likes of Amazon Web Services. This not only ensures excellent security and reliability, but means storage capacity can grow with your business requirements. After DAM is introduced into a charity, it’s often adopted widely once the benefits are clear for all to see.

Seamless to integrate

As you consider what new technology and software will make the greatest difference to the performance of your team, consider: what will be seamless to integrate; what can be used immediately by all; and what can naturally scale with your operations? The more productive your team can be, the more effective both your fundraising and subsequent delivery – and ultimately, the greater the impact on your cause. If donors see the results of greater productivity for themselves they’ll know the charity they support is a very well managed one.

Canto’s Mike Paxton – digital asset management is dedicated software to help you consistently store digital assets online, so they can easily be found and shared.