Advice to thwart ‘devastating’ cyber attacks on small charities

2 Mar 2018 11:46 AM

The NCSC launches its first cyber security guidance for the charity sector.

National Cyber Security Centre publishes cyber threat assessment for charity sector
Culture of openness makes small charities more vulnerable to cyber fraud and extortion
Charities falling victim to a range of attacks with potentially devastating consequences
Accompanying guidance will help protect charities from common types of cyber crime

DEVIOUS tricks to defraud small charities through online attacks have been exposed in the first ever threat assessment for the sector, along with guidance about how to defend against possible risks.

The work by the National Cyber Security Centre (NCSC), a part of GCHQ, will give the sector more help than ever before to defend itself from the most common cyber attacks.

There are almost 200,000 charities registered in the UK and the NCSC’s Cyber Threat Assessment reveals how their valuable funds, supporter details and information on beneficiaries is being targeted.

Alongside the assessment, the NCSC has also published the Small Charity Guide to outline easy and low-cost steps to protect from attacks. It includes expert advice that is particularly useful for small organisations on backing-up data, using strong passwords, protecting against malware, keeping devices safe and avoiding phishing attacks.

Alison Whitney, Director for Engagement at the NCSC, said:

“The National Cyber Security Centre is committed to supporting charities and we strongly encourage the sector to implement the advice outlined in our guide.

“Cyber attacks can be devastating both financially and reputationally, but many charities may not realise how vulnerable they are to the threat.

“That’s why we have created these quick and easy steps that will help charities protect themselves to protect their data, assets, and reputation.”

Writing in the foreword to the Small Charity Guide, NCSC CEO Ciaran Martin said:

“I am extremely proud to present this cyber security guide for charities, who are increasingly reliant on IT and technology and are falling victim to a range of malicious cyber activity.

“The National Cyber Security Centre aims to make the UK the safest place to live and work online.

“We are committed to supporting the charity sector and we encourage you all to implement the quick and easy steps outlined in this guide.”

The report finds that cyber criminals motivated by financial gain are likely to pose the most serious threat, which could have a paralysing effect on a small charity’s ability to deliver their services. One example listed details how a UK charity lost £13,000 after its CEO’s emails were hacked to send a fraudulent message instructing their financial manager to release the funds.

The assessment notes that the scale of cyber attacks against charities is unclear due to under-reporting and charities are being urged to report such crimes to Action Fraud and the Charity Commission.

Charities have also been encouraged to join the NCSC’s free Cyber Information Sharing Platform (CiSP) to exchange threat information in a secure and confidential environment.

The assessment and report have been well received by the sector, with heads of influential bodies praising the NCSC’s work.

Helen Stephenson Chief Executive of the Charity Commission for England and Wales, said:

“Charities play a vital role in our society and so the diversion of charitable funds or assets via cyber crime for criminal purposes or personal gain is particularly damaging and shocking.

“The threat assessment confirms what we often see in our casework - unfortunately charities are not immune to fraud and cyber crime, and there are factors that can sometimes increase their vulnerability such as a lack of digital expertise, limited resources and culture of trust.

“We fully endorse the National Cyber Security Centre’s guide on cyber security for charities. This will be a valuable resource to help charities protect their work, beneficiaries, funds and reputations from harm and we encourage charities of all sizes to make use of it.”

Pauline Broomhead CBE – CEO, Foundation for Social Improvement, said:

“This guide will give leaders in smaller charities confidence that they are taking the necessary steps to protect their charity. It is an excellent guide and we intend to make sure our members are fully aware of the valuable information it contains.”

Sir Stuart Etherington – CEO, National Council of Voluntary Organisations (NCVO), said:

“Awareness and knowledge about cyber security continue to differ among charities, but it is important that all charities protect the data they hold from cyber crime. That is why this guide for charities is so welcome - it will help trustees and those working in charities understand what the threats are, and what steps they need to take to minimise the risk of a cyber attack.”

Mandy Johnson, CEO of the Small Charities Coalition, said:

“The Small Charities Coalition welcomes this initiative by the National Cyber Security Centre. As a Coalition we are proactively encouraging small charities to make more use of digital technology, so the timing of this guidance is especially helpful.”

The UK Government is fully committed to defending against cyber threats and address the cyber skills gap to develop and grow talent. Its behavioural change campaign for cyber security, Cyber Aware, promotes simple measures to stay more secure online.

The Cyber Aware Perceptions Gap Report was also published today, demonstrating common misconceptions that are preventing people from protecting their online security.

You can see the NCSC’s Cyber Threat Assessment here, the Small Charity Guide here and the Cyber Aware Perceptions Gap Report here.

Notes to editors

If you believe that you or your charity has been the victim of online fraud, scams or extortion, you should report this through the Action Fraud website. Action Fraud is the UK’s national fraud and cyber crime reporting centre. You should also report it as a serious incident to the Charity Commission via RSI@charitycommission.gsi.gov.uk.

The five steps the NCSC Small Charity Guide suggests charities follow include:

Backing up your data:
Protecting your organisation from malware
Keeping your smartphones (and tablets) safe
Using passwords to protect your data
Avoiding phishing attacks

Who might target the charity sector, and why?

Cyber criminals

Cyber criminals are primarily motivated by financial gain. They may seek to directly steal funds held by charities used for running costs or to supply grants and enable frontline activity.
They may seek to capitalise indirectly through fraud, extortion or data theft. Datasets containing personal details and financial information are an attractive target and are sold in online criminal forums to enable fraudulent activity using those details.
Ransomware and extortion techniques are often central to cyber crime malware campaigns, typically deceiving end users into clicking on malware-infected links in (often plausible and well-crafted) phishing emails or visiting compromised websites. Attackers may steal and threaten to release data unless a payment is made (or another demand is met).

Hacktivists

Hacktivist is a term used to describe hackers motivated by a specific cause, for example to further political or personal agendas or in reaction to events or actions they perceive as unjust.
Hacktivists have successfully used DDoS attacks to disrupt websites, or have exploited weak security to access and deface them.
The NCSC considers that the charity sector is not a priority target for hacktivists, but even a limited website takedown or defacement, could have financial, operational or reputational implications.

Insiders

An insider is someone who exploits, or intends to exploit, their legitimate access to an organisation’s assets for unauthorised purposes.
Insiders can pass on credentials to attackers (they may have been recruited by other actors, such as criminals or states; role responsibilities are often available online through social networking sites) or conduct activities such as stealing data.
Insiders may include disgruntled current or former staff who have left an organisation but retained access to their former employers’ computer systems.

Nation states

Threat actors associated with nation states employ cyber capabilities to further their own national agenda and prosperity.
Some charities operate through local partner organisations in the UK or overseas. Others play a role in helping formulate and deliver UK domestic and foreign policy.
The NCSC assesses this makes them potentially attractive targets for state actors who oppose or mistrust their activity.

Terrorist use of cyber

For terrorist groups such as Daesh (ISIS), Al Qaeda and affiliates, website defacement and ‘doxing’ (publishing the personal details of victims online) are cyber methods most likely to be used. On most occasions, the data released through doxing is already publicly available.

Indirect attacks: suppliers and third parties

Threats may not come from direct attacks on charities. It is common, especially for smaller charities, to outsource the responsibilities for running, maintaining and securing their IT and data to specialist support companies.
Charities may also share data with external organisations such as marketing companies. Cyber criminals and other groups may be able to gain access to charities’ networks and/or information through these companies.
Threat actors may be able to access UK-based charity systems through linked branches or projects in other countries where the security culture may be less stringent than in the UK.

Full quotes

Helen Stephenson Chief Executive of the Charity Commission for England and Wales, said:

“Charities play a vital role in our society and so the diversion of charitable funds or assets via cyber crime for criminal purposes or personal gain is particularly damaging and shocking.

Sir Stuart Etherington – CEO, National Council of Voluntary Organisations (NCVO)

“It’s great to see that the National Cyber Security Centre are taking into account the needs of smaller charities and have produced what we believe to be a really useful and most importantly tailored Cyber Security Guide for smaller charities.

“It’s concise and set’s out in clear language the steps we, as smaller charities can take, to protect ourselves against a cyber attack on our critical data, including information about our beneficiaries, supporters and volunteers.

“This guide will give leaders in smaller charities confidence that they are taking the necessary steps to protect their charity. Excellent guide and we intend to make sure our members are fully aware of the valuable information it contains.”

Pauline Broomhead CBE – CEO, Foundation for Social Improvement (FSI)

“The Small Charities Coalition welcomes this initiative by the National Cyber Security Centre.

“It will be of great value to small charities to have an easily accessible guide that covers all the key areas.

“As a Coalition we are proactively encouraging small charities to make more use of digital technology. So the timing of this guidance is especially helpful.”

Background information

The NCSC provides a single, central body for cyber security at a national level and is the UK’s technical authority on cyber. It manages national cyber security incidents, carries out real-time threat analysis and provides tailored sectoral advice. GCHQ is the parent body for the Centre, meaning that it can draw on the organisation’s world-class skills and sensitive capabilities.
The government’s Cyber Aware campaign recommends simple ways SMEs can protect themselves online, including installing the latest software and app updates and using a strong, separate password for email.
As of June 2017 there were 166,963 charities registered to the Charity Commission for England and Wales and 24,078 charities registered to the Scottish Charity Regulator. The Charity Commission for Northern Ireland is the independent Regulator for Northern Ireland charities and process of formally registering the estimated 7,000 plus charitable organisations in Northern Ireland is underway.